
Windows Analysis Report
INVOICE.doc

Overview

General Information

Sample Name: INVOICE.doc
Analysis ID: 635245
MD5: 0ecb6ed891d173443fa3654c31e14320
SHA1: 6867f37817db501ce103813f791899f3cf1bc1e8
SHA256: f080b3ba979f854761526f4bc6bd5b8210b48d5f91f15b1a1423849107775e11
Tags: doc

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Document exploit detected (drops PE files)
Malicious sample detected (through community Yara rule)
Document contains OLE streams which likely are hidden ActiveX objects
Document exploit detected (creates forbidden files)
Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Office process drops PE file
Writes to foreign memory regions
Document contains OLE streams with names of living off the land binaries
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Found potential equation exploit (CVE-2017-11882)
Injects a PE file into a foreign processes
PE file has nameless sections
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Found suspicious RTF objects
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
PE file contains executable resources (Code or Archives)
Document misses a certain OLE stream usually present in this Microsoft Office document type
Contains long sleeps (>= 3 min)
Document contains Microsoft Equation 3.0 OLE entries
Enables debug privileges
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Office Equation Editor has been started
Checks if the current process is being debugged
Creates a window with clipboard capturing capabilities
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w7x64
  • WINWORD.EXE (PID: 2284 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
  • EQNEDT32.EXE (PID: 1144 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • cmd.exe (PID: 2224 cmdline: CmD.exe /C %tmp%\Client.exe A C MD5: AD7B9C14083B52BC532FBA5948342B98)
      • Client.exe (PID: 2488 cmdline: C:\Users\user\AppData\Local\Temp\Client.exe A C MD5: 75C0471CCE805B589FDAF81D8D1D646C)
        • notepad.exe (PID: 2788 cmdline: C:\Windows\SysWOW64\notepad.exe MD5: A4F6DF0E33E644E802C8798ED94D80EA)
        • notepad.exe (PID: 1112 cmdline: C:\Windows\SysWOW64\notepad.exe MD5: A4F6DF0E33E644E802C8798ED94D80EA)
        • notepad.exe (PID: 1072 cmdline: C:\Windows\SysWOW64\notepad.exe MD5: A4F6DF0E33E644E802C8798ED94D80EA)
        • notepad.exe (PID: 1136 cmdline: C:\Windows\SysWOW64\notepad.exe MD5: A4F6DF0E33E644E802C8798ED94D80EA)
        • notepad.exe (PID: 2960 cmdline: C:\Windows\SysWOW64\notepad.exe MD5: A4F6DF0E33E644E802C8798ED94D80EA)
  • cleanup
{"C2 list": ["www.bense003.xyz/s3s3/"], "decoy": ["tvielotus.com", "teesta.xyz", "talentrecruitor.com", "pamaungipb.com", "xn--90ahkh6a6b8b.site", "910carolina.com", "toyotaecoyouth-dev.com", "invetnables.com", "gdexc.com", "ssw168.com", "householdmould.com", "mqttradar.xyz", "t333c.com", "thepausestudio.com", "evershedsutherlands.com", "asbdataplus.com", "preddylilthingz.com", "jepwu.com", "tvlido.com", "artovus.com", "trainingmagazineme.com", "rettar.net", "underneathstardoll.com", "babipiko21.site", "getvpsdime.com", "accentsfurniture.com", "cutdowns.tech", "teklcin.online", "sunshareesg.com", "eventrewards.site", "lacomunaperu.com", "a-tavola.online", "gshund.com", "monsterflixer.com", "896851.com", "carpetlandcolortileflint.com", "filmproduction.management", "cherie-clinique.com", "medjoker.com", "grant-helpers.site", "sussdmortgages.com", "solaranlagen-forum.com", "freecustomsites.com", "h7578.com", "ideadly.com", "backend360.com", "podgorskidesign.com", "zilinsky.taxi", "ourelevatetribe.com", "thefitnesswardllc.com", "eficazindustrial.com", "thecovefishcamp.com", "niuxy.com", "myluxurypals.com", "clinicadentalvelinta.com", "dis99.com", "crosswealth.xyz", "itopjob.com", "oandbcleaningservices.com", "afri-solutions.com", "paradiseoe.com", "versionespublicas.com", "b2lonline.com", "usdcmeta.xyz"]}
Source | Rule | Description | Author | Strings
INVOICE.doc | MAL_RTF_Embedded_OLE_PE | Detects a suspicious string often used in PE files in a hex encoded object stream | Florian Roth
  • 0x177f:$a1: 546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f6465
  • 0x16e3:$m1: 4d5a90000300000004000000ffff
INVOICE.doc | INDICATOR_RTF_MalVer_Objects | Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. | ditekSHen
  • 0x1269:$obj2: \objdata
  • 0x207214:$obj2: \objdata
  • 0x3e240c:$obj3: \objupdate
  • 0x8de:$obj4: \objemb
  • 0x206889:$obj4: \objemb
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{E5C71654-C0CA-4182-8CA2-6F1C92DC7362}.tmp | rtf_cve2017_11882_ole | Attempts to identify the exploit CVE 2017 11882 | John Davison
  • 0xfbc00:$headers: 1C 00 00 00 02 00 9E C4 A9 00 00 00 00 00 00 00 C8 A7 5C 00 C4 EE 5B 00 00 00 00 00 03 01 01 03 0A
  • 0xfbc21:$font: 0A 01 08 5A 5A
  • 0xfbc52:$winexec: 12 0C 43 00
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{E5C71654-C0CA-4182-8CA2-6F1C92DC7362}.tmp | EXP_potential_CVE_2017_11882 | unknown | ReversingLabs
  • 0x0:$docfilemagic: D0 CF 11 E0 A1 B1 1A E1
  • 0xfbb00:$equation1: Equation Native
  • 0x920:$equation2: Microsoft Equation 3.0
  • 0x2a0c:$exe: .exe
  • 0x2a1f:$exe: .exe
  • 0x2a3a:$exe: .exe
  • 0xfbc29:$exe: .exe
  • 0xfbc3d:$exe: .exe
  • 0xfbc52:$address: 12 0C 43 00
Source | Rule | Description | Author | Strings
0000000C.00000002.977766193.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000C.00000002.977766193.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000C.00000002.977766193.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18839:$sqlite3step: 68 34 1C 7B E1
  • 0x1894c:$sqlite3step: 68 34 1C 7B E1
  • 0x18868:$sqlite3text: 68 38 2A 90 C5
  • 0x1898d:$sqlite3text: 68 38 2A 90 C5
  • 0x1887b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
0000000A.00000000.969790709.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000A.00000000.969790709.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source | Rule | Description | Author | Strings
12.2.notepad.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
12.2.notepad.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x148a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x149a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x978a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1360c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa483:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1ab17:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1bb1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
12.2.notepad.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x17a39:$sqlite3step: 68 34 1C 7B E1
  • 0x17b4c:$sqlite3step: 68 34 1C 7B E1
  • 0x17a68:$sqlite3text: 68 38 2A 90 C5
  • 0x17b8d:$sqlite3text: 68 38 2A 90 C5
  • 0x17a7b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17ba3:$sqlite3blob: 68 53 D8 7F 8C
8.2.notepad.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
8.2.notepad.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x148a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x149a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x978a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1360c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa483:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1ab17:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1bb1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: 0000000C.00000002.977766193.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.bense003.xyz/s3s3/"], "decoy": ["tvielotus.com", "teesta.xyz", "talentrecruitor.com", "pamaungipb.com", "xn--90ahkh6a6b8b.site", "910carolina.com", "toyotaecoyouth-dev.com", "invetnables.com", "gdexc.com", "ssw168.com", "householdmould.com", "mqttradar.xyz", "t333c.com", "thepausestudio.com", "evershedsutherlands.com", "asbdataplus.com", "preddylilthingz.com", "jepwu.com", "tvlido.com", "artovus.com", "trainingmagazineme.com", "rettar.net", "underneathstardoll.com", "babipiko21.site", "getvpsdime.com", "accentsfurniture.com", "cutdowns.tech", "teklcin.online", "sunshareesg.com", "eventrewards.site", "lacomunaperu.com", "a-tavola.online", "gshund.com", "monsterflixer.com", "896851.com", "carpetlandcolortileflint.com", "filmproduction.management", "cherie-clinique.com", "medjoker.com", "grant-helpers.site", "sussdmortgages.com", "solaranlagen-forum.com", "freecustomsites.com", "h7578.com", "ideadly.com", "backend360.com", "podgorskidesign.com", "zilinsky.taxi", "ourelevatetribe.com", "thefitnesswardllc.com", "eficazindustrial.com", "thecovefishcamp.com", "niuxy.com", "myluxurypals.com", "clinicadentalvelinta.com", "dis99.com", "crosswealth.xyz", "itopjob.com", "oandbcleaningservices.com", "afri-solutions.com", "paradiseoe.com", "versionespublicas.com", "b2lonline.com", "usdcmeta.xyz"]}
Source: INVOICE.doc | Virustotal: Detection: 50%
Source: INVOICE.doc | ReversingLabs: Detection: 19%
Source: Yara match | File source: 12.2.notepad.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.notepad.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.notepad.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.notepad.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.notepad.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.notepad.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.notepad.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.notepad.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.notepad.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.notepad.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.977766193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000000.969790709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.966342475.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000000.975022068.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000000.977308196.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.965795915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000000.977559635.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000000.962675676.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000000.972609635.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.975431926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000000.963199556.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.973032461.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000000.975260613.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.966044835.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.963479345.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.981449154.0000000003869000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: www.bense003.xyz/s3s3/ | Avira URL Cloud: Label: phishing
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{E5C71654-C0CA-4182-8CA2-6F1C92DC7362}.tmp | Avira: detection malicious, Label: EXP/CVE-2017-11882.Gen
Source: C:\Users\user\AppData\Local\Temp\Client.exe | Metadefender: Detection: 31%
Source: C:\Users\user\AppData\Local\Temp\Client.exe | ReversingLabs: Detection: 51%
Source: C:\Users\user\AppData\Local\Temp\Client.exe | Joe Sandbox ML: detected
Source: 11.0.notepad.exe.400000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 11.0.notepad.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 11.2.notepad.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.0.notepad.exe.400000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.0.notepad.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 11.0.notepad.exe.400000.2.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 10.0.notepad.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 10.0.notepad.exe.400000.2.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 12.0.notepad.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 10.0.notepad.exe.400000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 10.2.notepad.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.0.notepad.exe.400000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 12.0.notepad.exe.400000.2.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.2.notepad.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 12.0.notepad.exe.400000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 12.2.notepad.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.2.notepad.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.0.notepad.exe.400000.2.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.0.notepad.exe.400000.2.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.0.notepad.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen

Exploits

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Windows\SysWOW64\cmd.exe
Source: Static RTF information | Object: 1 Offset: 00207238h
Source: ~WRF{E5C71654-C0CA-4182-8CA2-6F1C92DC7362}.tmp.1.dr | Stream path '_1715178432/\x1CompObj' : ...................F....Microsoft Equation 3.0....
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: Client.exe.1.dr
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\Client.exe

Networking

Source: Malware configuration extractor | URLs: www.bense003.xyz/s3s3/
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{BC3C4C95-52F5-42BB-8F60-EC57C3F97BE3}.tmp
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Window created: window name: CLIPBRDWNDCLASS

E-Banking Fraud

Source: Yara match | File source: 12.2.notepad.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.notepad.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.notepad.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.notepad.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.notepad.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.notepad.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.notepad.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.notepad.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.notepad.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.notepad.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.977766193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000000.969790709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.966342475.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000000.975022068.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000000.977308196.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.965795915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000000.977559635.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000000.962675676.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000000.972609635.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.975431926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000000.963199556.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.973032461.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000000.975260613.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.966044835.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.963479345.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.981449154.0000000003869000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: INVOICE.doc, type: SAMPLE | Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
Source: 12.2.notepad.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.2.notepad.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 8.2.notepad.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 8.2.notepad.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 8.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 8.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.notepad.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.2.notepad.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 10.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 10.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 12.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 12.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 10.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 10.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 8.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 8.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 11.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 11.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 11.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 11.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 10.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 10.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 12.2.notepad.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.2.notepad.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 11.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 11.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 11.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 11.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 10.2.notepad.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 10.2.notepad.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 12.0.notepad.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 12.0.notepad.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 10.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 10.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 12.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 12.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 12.0.notepad.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 12.0.notepad.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 9.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 9.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 9.0.notepad.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 9.0.notepad.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 8.0.notepad.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 8.0.notepad.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 10.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 10.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 10.2.notepad.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 10.2.notepad.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 11.2.notepad.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 11.2.notepad.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 8.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 8.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 8.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 8.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 11.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 11.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 9.2.notepad.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 9.2.notepad.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 8.2.notepad.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 8.2.notepad.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 11.2.notepad.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 11.2.notepad.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 9.0.notepad.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 9.0.notepad.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000C.00000002.977766193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000C.00000002.977766193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000000.969790709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000000.969790709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.966342475.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.966342475.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000000.975022068.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000000.975022068.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000C.00000000.977308196.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000C.00000000.977308196.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000000.965795915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000000.965795915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000C.00000000.977559635.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000C.00000000.977559635.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000000.962675676.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000000.962675676.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000000.972609635.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000000.972609635.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000002.975431926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000002.975431926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000000.963199556.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000000.963199556.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000002.973032461.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.973032461.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000000.975260613.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000000.975260613.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000000.966044835.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000000.966044835.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.963479345.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.963479345.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.981449154.0000000003869000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.981449154.0000000003869000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{E5C71654-C0CA-4182-8CA2-6F1C92DC7362}.tmp, type: DROPPED | Matched rule: EXP_potential_CVE_2017_11882 Author: ReversingLabs
          Source: ~WRF{E5C71654-C0CA-4182-8CA2-6F1C92DC7362}.tmp.1.dr | Stream path '_1715178430/\x1Ole10Native': ....Client.exe.C:\Path\Client.exe.........C:\Path\
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\Client.exe
          Source: ~WRF{E5C71654-C0CA-4182-8CA2-6F1C92DC7362}.tmp.1.dr | Stream path '_1715178432/Equation Native': ...............\.[.............ZZCmD.exe /C %tmp%\Client.exe A..C................................................................................................................
          Source: Client.exe.1.dr | Static PE information: section name: (empty)
          Source: Client.exe | Static RTF information: Object: 0 Offset: 0000128Dh Client.exe
          Source: INVOICE.doc, type: SAMPLE | Matched rule: MAL_RTF_Embedded_OLE_PE date = 2018-01-22, author = Florian Roth, description = Detects a suspicious string often used in PE files in a hex encoded object stream, reference = https://www.nextron-systems.com/2018/01/22/creating-yara-rules-detect-embedded-exe-files-ole-objects/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: INVOICE.doc, type: SAMPLE | Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
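The evidence above is the whole delivery chain in three artifacts: a Packager (Ole10Native) object whose label and source path name Client.exe, an Equation Native stream carrying a cmd.exe command line that runs %tmp%\Client.exe (the pattern behind the CVE-2017-11882 signature), and a dropped PE with an empty section name. The following script is an added example for reproducing that triage offline; it is not part of the Joe Sandbox report and not code from the sample. It assumes the Packager stream layout as publicly documented (total size, flags, NUL-terminated label and source path, a length-prefixed temp path, then a size-prefixed payload), which agrees with the byte pattern the report quotes. The stream bytes themselves would come from oletools (`rtfobj` on the RTF, `oleobj`/`olefile` on the ~WRF tmp file); here they are replaced by constructed test data built inline, and the command-string check on Equation Native is a string heuristic, not an MTEF parser.

```python
"""Added example (not part of the Joe Sandbox report): offline triage of the
two OLE streams the report points at, plus the embedded PE's section table."""
import hashlib
import re
import struct

# Command/LOLBin indicators to look for inside 'Equation Native' (constructed list).
LOLBIN_RE = re.compile(rb"(?i)(cmd\.exe|cmd /c|powershell|mshta|regsvr32|rundll32|%tmp%|%temp%|%appdata%)")

# Section names a compiler normally emits; anything else is worth a look.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                     ".edata", ".pdata", ".bss", ".tls", ".CRT"}


def _cstring(buf, off):
    """Return (string, offset_after_NUL) for a NUL-terminated string at off."""
    end = buf.index(b"\x00", off)
    return buf[off:end].decode("latin-1"), end + 1


def parse_ole10native(data):
    """Parse a Packager ('\\x01Ole10Native') stream and return its fields.

    Layout assumed here (public Packager format, consistent with the bytes the
    report quotes: label, source path, then the temp path):
      u32 total_size, u16 flags, label\\0, source_path\\0,
      u16 flags2, u16 unknown, u32 temp_len, temp_path (temp_len bytes),
      u32 payload_size, payload
    """
    label, off = _cstring(data, 6)            # skip u32 total_size + u16 flags
    src_path, off = _cstring(data, off)
    _flags2, _unknown, temp_len = struct.unpack_from("<HHI", data, off)
    off += 8
    temp_path = data[off:off + temp_len].rstrip(b"\x00").decode("latin-1")
    off += temp_len
    (size,) = struct.unpack_from("<I", data, off)
    off += 4
    payload = data[off:off + size]
    if len(payload) != size:
        raise ValueError("truncated payload: header says %d, have %d" % (size, len(payload)))
    return {"label": label, "src_path": src_path, "temp_path": temp_path,
            "payload": payload, "is_pe": payload[:2] == b"MZ",
            "sha256": hashlib.sha256(payload).hexdigest()}


def pe_section_names(pe):
    """Return the section names from a PE image held in memory (raw bytes)."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE: missing MZ")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE: missing PE signature")
    (nsect,) = struct.unpack_from("<H", pe, e_lfanew + 6)      # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", pe, e_lfanew + 20)  # SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                           # first IMAGE_SECTION_HEADER
    return [pe[table + 40 * i:table + 40 * i + 8].rstrip(b"\x00").decode("latin-1")
            for i in range(nsect)]


def section_findings(names):
    """Turn a section-name list into the two findings the report raises."""
    out = []
    for n in names:
        if n == "":
            out.append("nameless section")
        elif n not in STANDARD_SECTIONS:
            out.append("non-standard section name %r" % n)
    return out


def scan_equation_native(data):
    """Return (offset, string) for printable runs in an 'Equation Native' stream
    that look like shell commands; a benign MTEF stream holds font names and
    math tokens, not a command line. Case-insensitive: the sample used 'CmD.exe'."""
    return [(m.start(), m.group().decode("ascii"))
            for m in re.finditer(rb"[\x20-\x7e]{6,}", data)
            if LOLBIN_RE.search(m.group())]


# ---- constructed test data (not bytes from the sample) ----------------------

def build_ole10native(label, src_path, temp_path, payload):
    """Serialise a Packager stream in the layout parse_ole10native reads."""
    temp = temp_path.encode() + b"\x00"
    body = (struct.pack("<H", 2) + label.encode() + b"\x00" + src_path.encode() + b"\x00"
            + struct.pack("<HHI", 0, 3, len(temp)) + temp
            + struct.pack("<I", len(payload)) + payload)
    return struct.pack("<I", len(body)) + body


def build_minimal_pe(section_names):
    """Header-only PE32 (no code, not loadable) with the given section names."""
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    opt = b"\x0b\x01" + b"\x00" * 222                            # PE32 magic, zeroed rest
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, len(opt), 0x102)
    secs = b"".join(n.encode().ljust(8, b"\x00") + b"\x00" * 32 for n in section_names)
    return dos + coff + opt + secs


if __name__ == "__main__":
    pe = build_minimal_pe(["", ".text", ".xyz"])
    info = parse_ole10native(build_ole10native("Client.exe", "C:\\Path\\Client.exe", "C:\\Path\\", pe))
    print(info["label"], info["src_path"], info["temp_path"], info["is_pe"], info["sha256"])
    print(section_findings(pe_section_names(info["payload"])))
    eqn = b"\x1c\x00" + b"\x00" * 30 + b"CmD.exe /C %tmp%\\Client.exe" + b"\x00" * 8
    print(scan_equation_native(eqn))
```

On a real case, feed `parse_ole10native` the `\x01Ole10Native` stream and compare the returned sha256 with the hash of the dropped C:\Users\user\AppData\Local\Temp\Client.exe; a match confirms the dropped file came straight out of the Packager object rather than from a download. Feed `scan_equation_native` the `Equation Native` stream; the report's own stream would produce a hit on "CmD.exe /C %tmp%\Client.exe". The empty name returned by `pe_section_names` is the "nameless section" finding, which is one reason the report treats the dropped PE as a packed payload. The length check in `parse_ole10native` matters because a truncated or hand-edited Packager header is a common way to break naive extractors.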
          Source: 12.2.notepad.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 12.2.notepad.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 8.2.notepad.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 8.2.notepad.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 8.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 8.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 9.2.notepad.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 9.2.notepad.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 9.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 9.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 10.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 10.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 12.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 12.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 12.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 12.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 10.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 10.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 8.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 8.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 11.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 11.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 11.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 11.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 10.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 10.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 12.2.notepad.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 12.2.notepad.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 11.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 11.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 11.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 11.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 9.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 9.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 10.2.notepad.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 10.2.notepad.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 12.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 12.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 10.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 10.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 12.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 12.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 12.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 12.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 9.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 9.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 9.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 9.0.notepad.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 8.0.notepad.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 8.0.notepad.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 10.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 10.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 10.2.notepad.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 10.2.notepad.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 11.2.notepad.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 11.2.notepad.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 8.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 8.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 8.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 8.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 11.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 11.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 9.2.notepad.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 9.2.notepad.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 8.2.notepad.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 8.2.notepad.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 11.2.notepad.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 11.2.notepad.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 9.0.notepad.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 9.0.notepad.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000C.00000002.977766193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000C.00000002.977766193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000000.969790709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000000.969790709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.966342475.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.966342475.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000000.975022068.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000000.975022068.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000C.00000000.977308196.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000C.00000000.977308196.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000000.965795915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000000.965795915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000C.00000000.977559635.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000C.00000000.977559635.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000000.962675676.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000000.962675676.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000000.972609635.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000000.972609635.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.975431926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.975431926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000000.963199556.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000000.963199556.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000002.973032461.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000002.973032461.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000000.975260613.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000000.975260613.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000000.966044835.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000000.966044835.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.963479345.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.963479345.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.981449154.0000000003869000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.981449154.0000000003869000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{E5C71654-C0CA-4182-8CA2-6F1C92DC7362}.tmp, type: DROPPED, Matched rule: rtf_cve2017_11882_ole author = John Davison, description = Attempts to identify the exploit CVE 2017 11882, sample = 51cf2a6c0c1a29abca9fd13cb22421da, reference = https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about, score =
          Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{E5C71654-C0CA-4182-8CA2-6F1C92DC7362}.tmp, type: DROPPED, Matched rule: EXP_potential_CVE_2017_11882 author = ReversingLabs, reference = https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-cobalt-strike-payload-exploiting-cve-2017-11882.html
          Source: C:\Users\user\AppData\Local\Temp\Client.exe, Code function: 5_2_00F7CFC0
          Source: C:\Users\user\AppData\Local\Temp\Client.exe, Code function: 5_2_00F7F658
          Source: C:\Users\user\AppData\Local\Temp\Client.exe, Code function: 5_2_00F70048
          Source: C:\Users\user\AppData\Local\Temp\Client.exe, Code function: 5_2_00F7341A
          Source: C:\Users\user\AppData\Local\Temp\Client.exe, Code function: 5_2_011F8376
          Source: C:\Users\user\AppData\Local\Temp\Client.exe, Code function: 5_2_011F76F0
          Source: C:\Users\user\AppData\Local\Temp\Client.exe, Code function: 5_2_011F7328
          Source: C:\Users\user\AppData\Local\Temp\Client.exe, Code function: 5_2_0122CE00
          Source: Client.exe.1.dr, Static PE information: Resource name: RT_VERSION type: COM executable for DOS
          Source: ~WRF{E5C71654-C0CA-4182-8CA2-6F1C92DC7362}.tmp.1.dr, OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
          Source: Client.exe.1.dr, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: Client.exe.1.dr, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: Client.exe.1.dr, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: C:\Users\user\AppData\Local\Temp\Client.exe, Section loaded: amsi.dll
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Memory allocated: 77620000 page execute and read and write
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Memory allocated: 77740000 page execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\Client.exe, Memory allocated: 77620000 page execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\Client.exe, Memory allocated: 77740000 page execute and read and write
          Source: Client.exe.1.dr, Static PE information: Section: VU3rezH ZLIB complexity 1.00032784598
          Source: INVOICE.doc, Virustotal: Detection: 50%
          Source: INVOICE.doc, ReversingLabs: Detection: 19%
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown, Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
          Source: unknown, Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Process created: C:\Windows\SysWOW64\cmd.exe CmD.exe /C %tmp%\Client.exe A C
          Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Users\user\AppData\Local\Temp\Client.exe C:\Users\user\AppData\Local\Temp\Client.exe A C
          Source: C:\Users\user\AppData\Local\Temp\Client.exe, Process created: C:\Windows\SysWOW64\notepad.exe C:\Windows\SysWOW64\notepad.exe
          Source: C:\Users\user\AppData\Local\Temp\Client.exe, Process created: C:\Windows\SysWOW64\notepad.exe C:\Windows\SysWOW64\notepad.exe
          Source: C:\Users\user\AppData\Local\Temp\Client.exe, Process created: C:\Windows\SysWOW64\notepad.exe C:\Windows\SysWOW64\notepad.exe
          Source: C:\Users\user\AppData\Local\Temp\Client.exe, Process created: C:\Windows\SysWOW64\notepad.exe C:\Windows\SysWOW64\notepad.exe
          Source: C:\Users\user\AppData\Local\Temp\Client.exe, Process created: C:\Windows\SysWOW64\notepad.exe C:\Windows\SysWOW64\notepad.exe
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, File created: C:\Users\user\Desktop\~$NVOICE.doc
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, File created: C:\Users\user\AppData\Local\Temp\CVR65C4.tmp
          Source: classification engine, Classification label: mal100.troj.expl.evad.winDOC@16/9@0/0
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, File read: C:\Users\desktop.ini
          Source: C:\Users\user\AppData\Local\Temp\Client.exe, Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
          Source: ~WRF{E5C71654-C0CA-4182-8CA2-6F1C92DC7362}.tmp.1.dr, OLE document summary: title field not present or empty
          Source: ~WRF{E5C71654-C0CA-4182-8CA2-6F1C92DC7362}.tmp.1.dr, OLE document summary: author field not present or empty
          Source: ~WRF{E5C71654-C0CA-4182-8CA2-6F1C92DC7362}.tmp.1.dr, OLE document summary: edited time not present or 0
          Source: Window Recorder, Window detected: More than 3 window changes detected
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
          Source: INVOICE.doc, Static file information: File size 4073082 > 1048576
          Source: ~WRF{E5C71654-C0CA-4182-8CA2-6F1C92DC7362}.tmp.1.dr, Initial sample: OLE indicators vbamacros = False
          Source: C:\Users\user\AppData\Local\Temp\Client.exe, Code function: 5_2_01342150 push esp; ret, 5_2_01342151
          Source: C:\Users\user\AppData\Local\Temp\Client.exe, Code function: 5_2_013484EB push edx; retf, 5_2_013484F2
          Source: C:\Users\user\AppData\Local\Temp\Client.exe, Code function: 5_2_01345BCA push edi; retf 0000h, 5_2_01345BD1
          Source: C:\Users\user\AppData\Local\Temp\Client.exe, Code function: 5_2_01347E20 push ebp; iretd, 5_2_01347E21
          Source: C:\Users\user\AppData\Local\Temp\Client.exe, Code function: 5_2_009C1750 push 8BFFFFFDh; retf, 5_2_009C1756
          Source: C:\Users\user\AppData\Local\Temp\Client.exe, Code function: 5_2_00E856CC push eax; ret, 5_2_00E856CD
          Source: C:\Users\user\AppData\Local\Temp\Client.exe, Code function: 5_2_01214ABE push ebx; iretd, 5_2_01214ACA
          Source: C:\Users\user\AppData\Local\Temp\Client.exe, Code function: 5_2_05053511 push cs; ret, 5_2_05053512
          Source: C:\Users\user\AppData\Local\Temp\Client.exe, Code function: 5_2_050549ED push C8EFFDB9h; retf, 5_2_050549F5
          Source: C:\Users\user\AppData\Local\Temp\Client.exe, Code function: 5_2_05051A21 push CA6263B9h; iretd, 5_2_05051A26
          Source: Client.exe.1.dr, Static PE information: section name: VU3rezH
          Source: Client.exe.1.dr, Static PE information: section name:
          Source: initial sample, Static PE information: section name: VU3rezH entropy: 7.99954491412
          Source: initial sample, Static PE information: section name: .text entropy: 6.88898241318
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, File created: C:\Users\user\AppData\Local\Temp\Client.exe
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1560Thread sleep time: -120000s >= -30000sJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Client.exe TID: 2404Thread sleep time: -922337203685477s >= -30000sJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Client.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Client.exeProcess information queried: ProcessInformationJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Client.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: Client.exe, 00000005.00000002.978342813.000000000075B000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: vmciwave.dll
          Source: Client.exe, 00000005.00000002.978342813.000000000075B000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: 0vmciseq.dll

          Anti Debugging

[Source: C:\Users\user\AppData\Local\Temp\Client.exe] Code function: 5_2_011F89D0 CheckRemoteDebuggerPresent,5_2_011F89D0
[Source: C:\Users\user\AppData\Local\Temp\Client.exe] Process token adjusted: Debug
[Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE] Process queried: DebugPort
[Source: C:\Users\user\AppData\Local\Temp\Client.exe] Process queried: DebugPort
[Source: C:\Users\user\AppData\Local\Temp\Client.exe] Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

[Source: C:\Users\user\AppData\Local\Temp\Client.exe] Memory written: C:\Windows\SysWOW64\notepad.exe base: 400000
[Source: C:\Users\user\AppData\Local\Temp\Client.exe] Memory written: C:\Windows\SysWOW64\notepad.exe base: 401000
[Source: C:\Users\user\AppData\Local\Temp\Client.exe] Memory written: C:\Windows\SysWOW64\notepad.exe base: 7EFDE008
[Source: C:\Users\user\AppData\Local\Temp\Client.exe] Memory written: C:\Windows\SysWOW64\notepad.exe base: 400000 value starts with: 4D5A
[Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE] Process created: C:\Windows\SysWOW64\cmd.exe CmD.exe /C %tmp%\Client.exe A C
[Source: C:\Windows\SysWOW64\cmd.exe] Process created: C:\Users\user\AppData\Local\Temp\Client.exe C:\Users\user\AppData\Local\Temp\Client.exe A C
[Source: C:\Users\user\AppData\Local\Temp\Client.exe] Process created: C:\Windows\SysWOW64\notepad.exe C:\Windows\SysWOW64\notepad.exe
[Source: C:\Windows\SysWOW64\cmd.exe] Queries volume information: C:\ VolumeInformation
[Source: C:\Users\user\AppData\Local\Temp\Client.exe] Queries volume information: C:\Users\user\AppData\Local\Temp\Client.exe VolumeInformation
[Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE] Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information

[Source: Yara match] File source: 12.2.notepad.exe.400000.0.unpack, type: UNPACKEDPE
[Source: Yara match] File source: 8.2.notepad.exe.400000.0.unpack, type: UNPACKEDPE
[Source: Yara match] File source: 8.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE
[Source: Yara match] File source: 9.2.notepad.exe.400000.0.raw.unpack, type: UNPACKEDPE
[Source: Yara match] File source: 9.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE
[Source: Yara match] File source: 10.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE
[Source: Yara match] File source: 12.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE
[Source: Yara match] File source: 12.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE
[Source: Yara match] File source: 10.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE
[Source: Yara match] File source: 8.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE
[Source: Yara match] File source: 11.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE
[Source: Yara match] File source: 11.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE
[Source: Yara match] File source: 10.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE
[Source: Yara match] File source: 12.2.notepad.exe.400000.0.raw.unpack, type: UNPACKEDPE
[Source: Yara match] File source: 11.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE
[Source: Yara match] File source: 11.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE
[Source: Yara match] File source: 9.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE
[Source: Yara match] File source: 10.2.notepad.exe.400000.0.unpack, type: UNPACKEDPE
[Source: Yara match] File source: 12.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE
[Source: Yara match] File source: 10.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE
[Source: Yara match] File source: 12.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE
[Source: Yara match] File source: 12.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE
[Source: Yara match] File source: 9.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE
[Source: Yara match] File source: 9.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE
[Source: Yara match] File source: 8.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE
[Source: Yara match] File source: 10.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE
[Source: Yara match] File source: 10.2.notepad.exe.400000.0.raw.unpack, type: UNPACKEDPE
[Source: Yara match] File source: 11.2.notepad.exe.400000.0.unpack, type: UNPACKEDPE
[Source: Yara match] File source: 8.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE
[Source: Yara match] File source: 8.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE
[Source: Yara match] File source: 11.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE
[Source: Yara match] File source: 9.2.notepad.exe.400000.0.unpack, type: UNPACKEDPE
[Source: Yara match] File source: 8.2.notepad.exe.400000.0.raw.unpack, type: UNPACKEDPE
[Source: Yara match] File source: 11.2.notepad.exe.400000.0.raw.unpack, type: UNPACKEDPE
[Source: Yara match] File source: 9.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE
[Source: Yara match] File source: 0000000C.00000002.977766193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
[Source: Yara match] File source: 0000000A.00000000.969790709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
[Source: Yara match] File source: 00000009.00000002.966342475.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
[Source: Yara match] File source: 0000000B.00000000.975022068.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
[Source: Yara match] File source: 0000000C.00000000.977308196.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
[Source: Yara match] File source: 00000009.00000000.965795915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
[Source: Yara match] File source: 0000000C.00000000.977559635.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
[Source: Yara match] File source: 00000008.00000000.962675676.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
[Source: Yara match] File source: 0000000A.00000000.972609635.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
[Source: Yara match] File source: 0000000B.00000002.975431926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
[Source: Yara match] File source: 00000008.00000000.963199556.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
[Source: Yara match] File source: 0000000A.00000002.973032461.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
[Source: Yara match] File source: 0000000B.00000000.975260613.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
[Source: Yara match] File source: 00000009.00000000.966044835.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
[Source: Yara match] File source: 00000008.00000002.963479345.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
[Source: Yara match] File source: 00000005.00000002.981449154.0000000003869000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

[Source: Yara match] File source: 12.2.notepad.exe.400000.0.unpack, type: UNPACKEDPE
[Source: Yara match] File source: 8.2.notepad.exe.400000.0.unpack, type: UNPACKEDPE
[Source: Yara match] File source: 8.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE
[Source: Yara match] File source: 9.2.notepad.exe.400000.0.raw.unpack, type: UNPACKEDPE
[Source: Yara match] File source: 9.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE
[Source: Yara match] File source: 10.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE
[Source: Yara match] File source: 12.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE
[Source: Yara match] File source: 12.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE
[Source: Yara match] File source: 10.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE
[Source: Yara match] File source: 8.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE
[Source: Yara match] File source: 11.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE
[Source: Yara match] File source: 11.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE
[Source: Yara match] File source: 10.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE
[Source: Yara match] File source: 12.2.notepad.exe.400000.0.raw.unpack, type: UNPACKEDPE
[Source: Yara match] File source: 11.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE
[Source: Yara match] File source: 11.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE
[Source: Yara match] File source: 9.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE
[Source: Yara match] File source: 10.2.notepad.exe.400000.0.unpack, type: UNPACKEDPE
[Source: Yara match] File source: 12.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE
[Source: Yara match] File source: 10.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE
[Source: Yara match] File source: 12.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE
[Source: Yara match] File source: 12.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE
[Source: Yara match] File source: 9.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE
[Source: Yara match] File source: 9.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE
[Source: Yara match] File source: 8.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE
[Source: Yara match] File source: 10.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE
[Source: Yara match] File source: 10.2.notepad.exe.400000.0.raw.unpack, type: UNPACKEDPE
[Source: Yara match] File source: 11.2.notepad.exe.400000.0.unpack, type: UNPACKEDPE
[Source: Yara match] File source: 8.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE
[Source: Yara match] File source: 8.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE
[Source: Yara match] File source: 11.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE
[Source: Yara match] File source: 9.2.notepad.exe.400000.0.unpack, type: UNPACKEDPE
[Source: Yara match] File source: 8.2.notepad.exe.400000.0.raw.unpack, type: UNPACKEDPE
[Source: Yara match] File source: 11.2.notepad.exe.400000.0.raw.unpack, type: UNPACKEDPE
[Source: Yara match] File source: 9.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE
[Source: Yara match] File source: 0000000C.00000002.977766193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
[Source: Yara match] File source: 0000000A.00000000.969790709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
[Source: Yara match] File source: 00000009.00000002.966342475.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
[Source: Yara match] File source: 0000000B.00000000.975022068.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
[Source: Yara match] File source: 0000000C.00000000.977308196.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
[Source: Yara match] File source: 00000009.00000000.965795915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
[Source: Yara match] File source: 0000000C.00000000.977559635.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
[Source: Yara match] File source: 00000008.00000000.962675676.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
[Source: Yara match] File source: 0000000A.00000000.972609635.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
[Source: Yara match] File source: 0000000B.00000002.975431926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
[Source: Yara match] File source: 00000008.00000000.963199556.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
[Source: Yara match] File source: 0000000A.00000002.973032461.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
[Source: Yara match] File source: 0000000B.00000000.975260613.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
[Source: Yara match] File source: 00000009.00000000.966044835.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
[Source: Yara match] File source: 00000008.00000002.963479345.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
[Source: Yara match] File source: 00000005.00000002.981449154.0000000003869000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Mitre Att&ck Matrix (techniques listed per tactic column; a leading number is the report's signature-count badge for that technique, kept as extracted)

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: 4 Exploitation for Client Execution; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Privilege Escalation: 211 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 31 Virtualization/Sandbox Evasion; 211 Process Injection; 2 Obfuscated Files or Information; 3 Software Packing; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: 211 Security Software Discovery; 1 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 File and Directory Discovery; 13 System Information Discovery; System Owner/User Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: 1 Archive Collected Data; 1 Clipboard Data; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Command and Control: 1 Encrypted Channel; 1 Ingress Tool Transfer; 1 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact
Behavior Graph (ID: 635245, Sample: INVOICE.doc, Start date: 27/05/2022, Architecture: WINDOWS, Score: 100)

Signatures on the sample: Document contains OLE streams which likely are hidden ActiveX objects; Found malware configuration; Malicious sample detected (through community Yara rule); 12 other signatures

Process tree, as recoverable from the flattened graph:

• WINWORD.EXE
  • Dropped: C:\Users\user\AppData\Local\Temp\Client.exe (PE32); C:\Users\user\...\Client.exe:Zone.Identifier (ASCII); ~WRF{E5C71654-C0CA...2-6F1C92DC7362}.tmp (Composite)
  • Signature: Document exploit detected (creates forbidden files)
• EQNEDT32.EXE
  • Signature: Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
  • Started: cmd.exe
    • Started: Client.exe
      • Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Writes to foreign memory regions; 2 other signatures
      • Started: notepad.exe (three instances) and 2 other processes



• Source: INVOICE.doc, Detection: 50%, Scanner: Virustotal
• Source: INVOICE.doc, Detection: 20%, Scanner: ReversingLabs, Label: Document-RTF.Trojan.Injuke
• Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{E5C71654-C0CA-4182-8CA2-6F1C92DC7362}.tmp, Detection: 100%, Scanner: Avira, Label: EXP/CVE-2017-11882.Gen
• Source: C:\Users\user\AppData\Local\Temp\Client.exe, Detection: 100%, Scanner: Joe Sandbox ML
• Source: C:\Users\user\AppData\Local\Temp\Client.exe, Detection: 31%, Scanner: Metadefender
• Source: C:\Users\user\AppData\Local\Temp\Client.exe, Detection: 51%, Scanner: ReversingLabs, Label: ByteCode-MSIL.Trojan.RealProtect
• Source: 11.0.notepad.exe.400000.1.unpack, Detection: 100%, Scanner: Avira, Label: TR/Crypt.ZPACK.Gen
• Source: 11.0.notepad.exe.400000.0.unpack, Detection: 100%, Scanner: Avira, Label: TR/Crypt.ZPACK.Gen
• Source: 11.2.notepad.exe.400000.0.unpack, Detection: 100%, Scanner: Avira, Label: TR/Crypt.ZPACK.Gen
• Source: 8.0.notepad.exe.400000.1.unpack, Detection: 100%, Scanner: Avira, Label: TR/Crypt.ZPACK.Gen
• Source: 9.0.notepad.exe.400000.0.unpack, Detection: 100%, Scanner: Avira, Label: TR/Crypt.ZPACK.Gen
• Source: 11.0.notepad.exe.400000.2.unpack, Detection: 100%, Scanner: Avira, Label: TR/Crypt.ZPACK.Gen
• Source: 10.0.notepad.exe.400000.0.unpack, Detection: 100%, Scanner: Avira, Label: TR/Crypt.ZPACK.Gen
• Source: 10.0.notepad.exe.400000.2.unpack, Detection: 100%, Scanner: Avira, Label: TR/Crypt.ZPACK.Gen
• Source: 12.0.notepad.exe.400000.0.unpack, Detection: 100%, Scanner: Avira, Label: TR/Crypt.ZPACK.Gen
• Source: 10.0.notepad.exe.400000.1.unpack, Detection: 100%, Scanner: Avira, Label: TR/Crypt.ZPACK.Gen
• Source: 10.2.notepad.exe.400000.0.unpack, Detection: 100%, Scanner: Avira, Label: TR/Crypt.ZPACK.Gen
• Source: 9.0.notepad.exe.400000.1.unpack, Detection: 100%, Scanner: Avira, Label: TR/Crypt.ZPACK.Gen
• Source: 12.0.notepad.exe.400000.2.unpack, Detection: 100%, Scanner: Avira, Label: TR/Crypt.ZPACK.Gen
• Source: 9.2.notepad.exe.400000.0.unpack, Detection: 100%, Scanner: Avira, Label: TR/Crypt.ZPACK.Gen
• Source: 12.0.notepad.exe.400000.1.unpack, Detection: 100%, Scanner: Avira, Label: TR/Crypt.ZPACK.Gen
• Source: 12.2.notepad.exe.400000.0.unpack, Detection: 100%, Scanner: Avira, Label: TR/Crypt.ZPACK.Gen
• Source: 8.2.notepad.exe.400000.0.unpack, Detection: 100%, Scanner: Avira, Label: TR/Crypt.ZPACK.Gen
• Source: 8.0.notepad.exe.400000.2.unpack, Detection: 100%, Scanner: Avira, Label: TR/Crypt.ZPACK.Gen
• Source: 9.0.notepad.exe.400000.2.unpack, Detection: 100%, Scanner: Avira, Label: TR/Crypt.ZPACK.Gen
• Source: 8.0.notepad.exe.400000.0.unpack, Detection: 100%, Scanner: Avira, Label: TR/Crypt.ZPACK.Gen
          No Antivirus matches
• Source: www.bense003.xyz/s3s3/, Detection: 100%, Scanner: Avira URL Cloud, Label: phishing
          No contacted domains info
• Name: www.bense003.xyz/s3s3/, Malicious: true, Antivirus Detection: Avira URL Cloud: phishing, Reputation: low
          No contacted IP infos
          Joe Sandbox Version:34.0.0 Boulder Opal
          Analysis ID:635245
Start date and time:27/05/2022 17:41:15 (2022-05-27 17:41:15 +02:00)
          Joe Sandbox Product:CloudBasic
          Overall analysis duration:0h 7m 3s
          Hypervisor based Inspection enabled:false
          Report type:full
          Sample file name:INVOICE.doc
          Cookbook file name:defaultwindowsofficecookbook.jbs
          Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed:13
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • HDC enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Detection:MAL
          Classification:mal100.troj.expl.evad.winDOC@16/9@0/0
          EGA Information:
          • Successful, ratio: 100%
          HDC Information:
          • Successful, ratio: 13.8% (good quality ratio 13.1%)
          • Quality average: 59.2%
          • Quality standard deviation: 27.3%
          HCA Information:
          • Successful, ratio: 63%
          • Number of executed functions: 32
          • Number of non-executed functions: 4
          Cookbook Comments:
          • Found application associated with file extension: .doc
          • Adjust boot time
          • Enable AMSI
          • Found Word or Excel or PowerPoint or XPS Viewer
          • Attach to Office via COM
          • Scroll down
          • Close Viewer
          • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, conhost.exe, svchost.exe
• Not all processes were analyzed, report is missing behavior information
          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
          • Report size getting too big, too many NtQueryAttributesFile calls found.
          • Report size getting too big, too many NtSetInformationFile calls found.
• Time: 17:41:20, Type: API Interceptor, Description: 34x Sleep call for process: EQNEDT32.EXE modified
• Time: 17:41:22, Type: API Interceptor, Description: 225x Sleep call for process: Client.exe modified
          No context
          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
          File Type:Composite Document File V2 Document, Cannot read section info
          Category:dropped
          Size (bytes):1033728
          Entropy (8bit):7.430455222200925
          Encrypted:false
          SSDEEP:12288:zM/Vjn7/MEaDBNAU+UY8WiUxjx0Kvd9cHGunMFrER0iONCXtykhWt7mxe4g:zM/VP/MXbL+fTFvMHGuOc0i4CXt5hWE
          MD5:23C4AC5F2EA3F3D19126836319E7D75A
          SHA1:4D307E0A330AF7350AF0A490D0D22B11AF7E2723
          SHA-256:65FC5F503844792A2FD68C477D56132EB8AC27AF8D92B7B5D98D7586BF40FECF
          SHA-512:C89A29CDF7C5BD36BBEF914FF258AC0B96BCB5B68F1CA846B64085BD0A074F37FCB8B320D73EDFE2914C56E4BFCF03AAB8245D351DEAD7BFAF9F14CFCFDD3101
          Malicious:true
          Yara Hits:
          • Rule: rtf_cve2017_11882_ole, Description: Attempts to identify the exploit CVE 2017 11882, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{E5C71654-C0CA-4182-8CA2-6F1C92DC7362}.tmp, Author: John Davison
          • Rule: EXP_potential_CVE_2017_11882, Description: unknown, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{E5C71654-C0CA-4182-8CA2-6F1C92DC7362}.tmp, Author: ReversingLabs
          Antivirus:
          • Antivirus: Avira, Detection: 100%
          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
          File Type:data
          Category:dropped
          Size (bytes):1024
          Entropy (8bit):1.1722028273607172
          Encrypted:false
          SSDEEP:6:beKNc1ElClXiKNgREqAWlgFJYm7KmrRmvlw5Fr+ur8FrK:beOc1MClXiOk5uFJd5Rmvq5ZP8ZK
          MD5:75FCAEF5B6C0ADE6AF66F49874853C6A
          SHA1:834FA72EEF104773D7052895798FED035EF01594
          SHA-256:01E456476480AA1FD27ACF8F02AEA30D9B09581579A029154A6CD2A6850C85A0
          SHA-512:5E7DBBEB9534660466B7ACD9E70725504C33CC435C08D30ECE035B7CC13F5DC8AAB73F8CA16AA562697063059FEC3C5EE8258F108EB68C8B1071DD381FEDB99A
          Malicious:false
          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
          File Type:data
          Category:dropped
          Size (bytes):1024
          Entropy (8bit):0.05390218305374581
          Encrypted:false
          SSDEEP:3:ol3lYdn:4Wn
          MD5:5D4D94EE7E06BBB0AF9584119797B23A
          SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
          SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
          SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
          Malicious:false
          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
          Category:dropped
          Size (bytes):1019392
          Entropy (8bit):7.463685655107809
          Encrypted:false
          SSDEEP:12288:/M/Vjn7/MEaDBNAU+UY8WiUxjx0Kvd9cHGunMFrER0iONCXtykhWt7mxe4g:/M/VP/MXbL+fTFvMHGuOc0i4CXt5hWE
          MD5:75C0471CCE805B589FDAF81D8D1D646C
          SHA1:28D5C23AB236A28376A64446EECC4B8068E71F51
          SHA-256:8C867636633BAB72230AB4F4123B1B37244A8325B40230947CDFD7EC3CC0C686
          SHA-512:2233A6BC864F0F2705010F2FDF688DB0E72A20A92C16711E63A06FBEE0D9C6D32E31AB70C93CEDA4B40D14D84EC045D65EDCDD97055B4C34DFBB6DE40019E000
          Malicious:true
          Antivirus:
          • Antivirus: Joe Sandbox ML, Detection: 100%
          • Antivirus: Metadefender, Detection: 31%, Browse
          • Antivirus: ReversingLabs, Detection: 51%
          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
          File Type:ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):26
          Entropy (8bit):3.95006375643621
          Encrypted:false
          SSDEEP:3:gAWY3n:qY3n
          MD5:FBCCF14D504B7B2DBCB5A5BDA75BD93B
          SHA1:D59FC84CDD5217C6CF74785703655F78DA6B582B
          SHA-256:EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
          SHA-512:AA1D2B1EA3C9DE3CCADB319D4E3E3276A2F27DD1A5244FE72DE2B6F94083DDDC762480482C5C2E53F803CD9E3973DDEFC68966F974E124307B5043E654443B98
          Malicious:true
          Preview:[ZoneTransfer]..ZoneId=3..
          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Mar 8 15:45:54 2022, mtime=Tue Mar 8 15:45:54 2022, atime=Fri May 27 23:41:14 2022, length=4073082, window=hide
          Category:dropped
          Size (bytes):997
          Entropy (8bit):4.579900792019912
          Encrypted:false
          SSDEEP:12:8zB3dGe0gXg/XAlCPCHaXBKBnB/xQpX+WxNXQai8Ticvbl0rDEvJUDtZ3YilMMEA:8zB3dy/XTRKJIzNAtBemHJDv3q7Y7h
          MD5:24AE59D9E525D79955199E2607E082A9
          SHA1:BFE6EE00E329812712CA0B22858FBDDAF98F8573
          SHA-256:1F85C2A020C674E41B74B4A419CE011D5EA73929F4CBC46673EC67075B1018FE
          SHA-512:4F4A609D189DCBD5B0E4C7954BF64DC9A3D616D5D7EF06003457CF39FAE38E86E2D1C33235C7DE6BF426FA8C67845AD1F10CAC1D95AFB09A648404DE16A823E0
          Malicious:false
          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
          File Type:ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):65
          Entropy (8bit):4.616856329393205
          Encrypted:false
          SSDEEP:3:bDuMJl0XXd64omX1KzqsXd64ov:bCP3izqA3y
          MD5:3360631D6A0AB8AFBC94014B8F902169
          SHA1:805E2351303FEB6AC86288558FC4D9E89F60DA9C
          SHA-256:2765D20F07A240269ADA61F9EB986C8AAB8B0054187EE7681F00EF2CEE35B37F
          SHA-512:6F4112B1F5FEB12142281B7E971A27EBC428D31C1F586F02933FC772DF47B0BEEED71C236614C2772F0403A1CA7E13A60429B64A408A7447F8703453C80BF4C2
          Malicious:false
          Preview:[folders]..Templates.LNK=0..INVOICE.LNK=0..[doc]..INVOICE.LNK=0..
          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
          File Type:data
          Category:dropped
          Size (bytes):162
          Entropy (8bit):2.4797606462020303
          Encrypted:false
          SSDEEP:3:vrJlaCkWtVyAI/ugXImW4eedln:vdsCkWtpIGgXvdl
          MD5:1674A1C7C99CD9FAADA789F5E2AEB335
          SHA1:26D9E81D5ED584A899A94D5EA8945A5AE3403F85
          SHA-256:BB5F0D32E0E1C8B6865FCE4AE1FC50E34CA954B89E771364A6BE6627F7C726B6
          SHA-512:B2225E8F93F06FFE32B4FDF987D5134BB06F1B0874509E1CC973FD4D30B0F1341CB1AE72FBE9C282A65794A130E2D9C8D4939B789492BC1BCC96394C5F03E02C
          Malicious:false
          File type:Rich Text Format data, version 1, unknown character set
          Entropy (8bit):5.05599985084287
          TrID:
          • Rich Text Format (5005/1) 55.56%
          • Rich Text Format (4004/1) 44.44%
          File name:INVOICE.doc
          File size:4073082
          MD5:0ecb6ed891d173443fa3654c31e14320
          SHA1:6867f37817db501ce103813f791899f3cf1bc1e8
          SHA256:f080b3ba979f854761526f4bc6bd5b8210b48d5f91f15b1a1423849107775e11
          SHA512:608f95fa01b0ecfc45f81f8b1e56539f08aae01f5589e7ce98f150e6e6e580eed1e39910f0b39596bff68b1ce338f9d2cfb6727287ad644ec64bdf34be2e65ac
          SSDEEP:24576:Z+h5y9IA8yaw1fba/f84V6FXjhHavKVp7Ai4q0LD33bqJXCJIoYSUaJbjOpS/iqu:V
          TLSH:1616A431B13439D7C21F0435565FBD89430ABD83A3C66F8C518EFAF91EA69E7630690A
          File Content Preview:{\rtf1{\*\pnseclvl3\pndec\pnstart1\pnindent720\pnhang {\pntxta .}}{\*\pnseclvl4\pnlcltr\pnstart1\pnindent720\pnhang {\pntxta )}}{\*\pnseclvl5\pndec\pnstart1\pnindent720\pnhang {\pntxtb (}{\pntxta )}}{\*\pnseclvl6.\pnlcltr\pnstart1\pnindent720\pnhang {\pnt
          Icon Hash:e4eea2aaa4b4b4a4
• Id: 0, Start: 0000128Dh, Format ID: 2, Format: embedded, Classname: Package, Datasize: 1019559, Filename: Client.exe, Sourcepath: C:\Path\Client.exe, Temppath: C:\Path\Client.exe, Exploit: no
• Id: 1, Start: 00207238h, Format ID: 2, Format: embedded, Classname: Equation.3, Datasize: 3072, Exploit: no
          No network behavior found

          Target ID:1
          Start time:17:41:16
          Start date:27/05/2022
          Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
          Wow64 process (32bit):false
          Commandline:"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
          Imagebase:0x13f840000
          File size:1423704 bytes
          MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          Target ID:2
          Start time:17:41:20
          Start date:27/05/2022
          Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
          Wow64 process (32bit):true
          Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
          Imagebase:0x400000
          File size:543304 bytes
          MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          Target ID:3
          Start time:17:41:20
          Start date:27/05/2022
          Path:C:\Windows\SysWOW64\cmd.exe
          Wow64 process (32bit):true
          Commandline:CmD.exe /C %tmp%\Client.exe A C
          Imagebase:0x4a540000
          File size:302592 bytes
          MD5 hash:AD7B9C14083B52BC532FBA5948342B98
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          Target ID:5
          Start time:17:41:21
          Start date:27/05/2022
          Path:C:\Users\user\AppData\Local\Temp\Client.exe
          Wow64 process (32bit):true
          Commandline:C:\Users\user\AppData\Local\Temp\Client.exe A C
          Imagebase:0x1340000
          File size:1019392 bytes
          MD5 hash:75C0471CCE805B589FDAF81D8D1D646C
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:.Net C# or VB.NET
          Yara matches:
          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.981449154.0000000003869000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.981449154.0000000003869000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.981449154.0000000003869000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
          Antivirus matches:
          • Detection: 100%, Joe Sandbox ML
          • Detection: 31%, Metadefender, Browse
          • Detection: 51%, ReversingLabs
          Reputation:low

          Target ID:8
          Start time:17:41:45
          Start date:27/05/2022
          Path:C:\Windows\SysWOW64\notepad.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\SysWOW64\notepad.exe
          Imagebase:0x830000
          File size:179712 bytes
          MD5 hash:A4F6DF0E33E644E802C8798ED94D80EA
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000000.962675676.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000000.962675676.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000000.962675676.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000000.963199556.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000000.963199556.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000000.963199556.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.963479345.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.963479345.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.963479345.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
          Reputation:moderate

          Target ID:9
          Start time:17:41:46
          Start date:27/05/2022
          Path:C:\Windows\SysWOW64\notepad.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\SysWOW64\notepad.exe
          Imagebase:0x830000
          File size:179712 bytes
          MD5 hash:A4F6DF0E33E644E802C8798ED94D80EA
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.966342475.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.966342475.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.966342475.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000000.965795915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000000.965795915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000000.965795915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000000.966044835.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000000.966044835.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000000.966044835.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
          Reputation:moderate

          Target ID:10
          Start time:17:41:48
          Start date:27/05/2022
          Path:C:\Windows\SysWOW64\notepad.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\SysWOW64\notepad.exe
          Imagebase:0x830000
          File size:179712 bytes
          MD5 hash:A4F6DF0E33E644E802C8798ED94D80EA
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000000.969790709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000000.969790709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
          • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000000.969790709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000000.972609635.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000000.972609635.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
          • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000000.972609635.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.973032461.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.973032461.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
          • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.973032461.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
          Reputation:moderate

          Target ID:11
          Start time:17:41:51
          Start date:27/05/2022
          Path:C:\Windows\SysWOW64\notepad.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\SysWOW64\notepad.exe
          Imagebase:0x830000
          File size:179712 bytes
          MD5 hash:A4F6DF0E33E644E802C8798ED94D80EA
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000000.975022068.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000000.975022068.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
          • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000000.975022068.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.975431926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.975431926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
          • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.975431926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000000.975260613.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000000.975260613.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
          • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000000.975260613.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group

          Target ID:12
          Start time:17:41:52
          Start date:27/05/2022
          Path:C:\Windows\SysWOW64\notepad.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\SysWOW64\notepad.exe
          Imagebase:0x830000
          File size:179712 bytes
          MD5 hash:A4F6DF0E33E644E802C8798ED94D80EA
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.977766193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.977766193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
          • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.977766193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000000.977308196.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000000.977308196.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
          • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000000.977308196.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000000.977559635.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000000.977559635.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
          • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000000.977559635.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group


            Execution Graph

            Execution Coverage:7.9%
            Dynamic/Decrypted Code Coverage:100%
            Signature Coverage:6.9%
            Total number of Nodes:87
            Total number of Limit Nodes:0
            (execution graph not reproduced; API calls on its nodes: VirtualProtect, VirtualAllocExNuma, Wow64SetThreadContext, VirtualAllocEx, CreateProcessA, WriteProcessMemory, KiUserExceptionDispatcher, CheckRemoteDebuggerPresent, LoadLibraryA)

            Control-flow Graph

            (graph not reproduced; function 11f89d0-11f8aa0, calls CheckRemoteDebuggerPresent)
            APIs
            • CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 011F8A47
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.978563323.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_11e0000_Client.jbxd
            Similarity
            • API ID: CheckDebuggerPresentRemote
            • String ID: 'Jf-
            • API String ID: 3662101638-399823065
            • Opcode ID: 61c99883f636cb0fec16e5923de361425103a18fb9cffe36a9df20edd913c77a
            • Instruction ID: 9bcaad59e69e2bf4d56f0db61420f522b34c1c04dd19f1a0aab534b3866e4e0c
            • Opcode Fuzzy Hash: 61c99883f636cb0fec16e5923de361425103a18fb9cffe36a9df20edd913c77a
            • Instruction Fuzzy Hash: 0F217C72D002098FCB04CFAAD4447EFBBF4AF89224F14882ED455B7241DB38AA44CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.978534312.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_f70000_Client.jbxd
            Similarity
            • API ID:
            • String ID: 9E$E
            • API String ID: 0-761820069
            • Opcode ID: e37e57a6b35188c007c57298f354329f4e94c505ff469061931e8c57b3515e5d
            • Instruction ID: 731adbb9b2d570c04bacd9daaddce0e83e368eeb4875cedb0391a618a5c08bf3
            • Opcode Fuzzy Hash: e37e57a6b35188c007c57298f354329f4e94c505ff469061931e8c57b3515e5d
            • Instruction Fuzzy Hash: AAE18F76B041198BCB18EBB4C9516EE76E2AFD9318F1584BAC00ADBB90FF34CD459B41
            Uniqueness

            Uniqueness Score: -1.00%

            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.978563323.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_11e0000_Client.jbxd
            Similarity
            • API ID:
            • String ID: ED:.
            • API String ID: 0-56787385
            • Opcode ID: 5b1f0f7020e2e86d343cfb87e84e307015d2a064d74f7c495f28ff52c1b19488
            • Instruction ID: 5de8cd05681e936e26c4ca544d8d3f1ae934f235be35919d353b6dfe8b04b7ad
            • Opcode Fuzzy Hash: 5b1f0f7020e2e86d343cfb87e84e307015d2a064d74f7c495f28ff52c1b19488
            • Instruction Fuzzy Hash: 1651F736B046198BCB08DFA4EC9549EF7B2BFD8314B528525C406AB798DB709D02CBC0
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000005.00000002.978563323.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_11e0000_Client.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 9304ad7129bf3dd7d6e40946cc51942addd237ec3275e76443a78c91dae31166
            • Instruction ID: 5b9ef2b6a4c90a1ffe53f13472ecc085fc4d3f5f6857dd33a88f87a44bccef02
            • Opcode Fuzzy Hash: 9304ad7129bf3dd7d6e40946cc51942addd237ec3275e76443a78c91dae31166
            • Instruction Fuzzy Hash: C2029076F045088BCB0CEBB8D8516ADB6A3AFD8258B1A482DD106DB794FF38DC05C791
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000005.00000002.978563323.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_11e0000_Client.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 3308a510f9bd65587442e29a9c682b07c8bbb3d7b0c49c8a2695c9203631b151
            • Instruction ID: 9ecdee9abc1e5c4d3ddecdcfef708fe81fef12e60f4211fe1d40dc0b0b6e725b
            • Opcode Fuzzy Hash: 3308a510f9bd65587442e29a9c682b07c8bbb3d7b0c49c8a2695c9203631b151
            • Instruction Fuzzy Hash: 64613435B093818FC709DF78D8406AABBB2AFC5324B1584BED505CF6A6EB348D06CB51
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            (graph not reproduced; function bb1bc0-bb1f25, calls CreateProcessA)
            APIs
            • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00BB1E0C
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.978467944.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_bb0000_Client.jbxd
            Similarity
            • API ID: CreateProcess
            • String ID: 'Jf-$'Jf-
            • API String ID: 963392458-3913403607
            • Opcode ID: 2bedacab04043b1bfed383f0e2a34cb30894d54f010b89fbbd32db74de405283
            • Instruction ID: e4da2f7bd01abf704e937f713888e406fb976301d9f6cfba40b3208ecabf2a01
            • Opcode Fuzzy Hash: 2bedacab04043b1bfed383f0e2a34cb30894d54f010b89fbbd32db74de405283
            • Instruction Fuzzy Hash: 6DA13A71D006198FDB20CFA9C8917EDBBF1FF48314F5489AAD819A6280DBB49985CF91
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            (graph not reproduced; function 11f8764-11f88cc, calls LoadLibraryA)
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.978563323.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_11e0000_Client.jbxd
            Similarity
            • API ID: LibraryLoad
            • String ID: 'Jf-$'Jf-
            • API String ID: 1029625771-3913403607
            • Opcode ID: 4130dd57aa2f1b92fc0f9ef8a92bf64e86c360bfa19b5f8322afad6eba35cc6a
            • Instruction ID: 5b0e6875532a36584562ddbf27583d9fd5deb991af8eac8198e94680e8b89ed6
            • Opcode Fuzzy Hash: 4130dd57aa2f1b92fc0f9ef8a92bf64e86c360bfa19b5f8322afad6eba35cc6a
            • Instruction Fuzzy Hash: 3E41BB70D006488FDB18DFA9E8847DEBFF1EF48304F14812EE915AB681DB785841CB81
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            (graph not reproduced; function 11f8770-11f88cc, calls LoadLibraryA)
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.978563323.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_11e0000_Client.jbxd
            Similarity
            • API ID: LibraryLoad
            • String ID: 'Jf-$'Jf-
            • API String ID: 1029625771-3913403607
            • Opcode ID: 9438e5617abde02c49b60f2b8f3fde908c8c929bf4e101a25ce5e9046c1608c3
            • Instruction ID: c7218ac4dd67068e1a19d0055437bcbeafd3759d2dc36a3ec03eb3e156eb08ca
            • Opcode Fuzzy Hash: 9438e5617abde02c49b60f2b8f3fde908c8c929bf4e101a25ce5e9046c1608c3
            • Instruction Fuzzy Hash: BE418A70D006488FDB18DFA9E88479EBBF1EF48314F24852DE919E7384DB789845CB81
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            (graph not reproduced; function 11f89c8-11f8aa0, calls CheckRemoteDebuggerPresent)
            APIs
            • CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 011F8A47
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.978563323.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_11e0000_Client.jbxd
            Similarity
            • API ID: CheckDebuggerPresentRemote
            • String ID: 'Jf-$|(
            • API String ID: 3662101638-4108612692
            • Opcode ID: eec4beb7ee9818ee825bb07bb17ce35eeaac051b85670ea2c21bc388e10a6a76
            • Instruction ID: 968abcb2cedb9498887a63d9b9a11a1e2c3ea224adb5d23a2a729bfb55ee53d2
            • Opcode Fuzzy Hash: eec4beb7ee9818ee825bb07bb17ce35eeaac051b85670ea2c21bc388e10a6a76
            • Instruction Fuzzy Hash: 18219D72D002498FDB04CFAAD4447EEBBF4AF89324F14842ED855B7251DB389A44CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            (graph not reproduced; function bb2018-bb20c9, calls VirtualAllocEx)
            APIs
            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00BB208E
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.978467944.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_bb0000_Client.jbxd
            Similarity
            • API ID: AllocVirtual
            • String ID: 'Jf-$Mh
            • API String ID: 4275171209-1147482742
            • Opcode ID: 866ccbfc6714f8114bde3f370e2820b94a1d17566c611c4fe4bb972a1b019fa5
            • Instruction ID: c9a16acb5a49fbfc0281de9faa6a866f2dde7a6a60a4f05c2b047d20bb914b8e
            • Opcode Fuzzy Hash: 866ccbfc6714f8114bde3f370e2820b94a1d17566c611c4fe4bb972a1b019fa5
            • Instruction Fuzzy Hash: 26116A75D002098FCB10DFA9D8447EFBBF5EF88314F24881AE515A7250CB799910CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            (graph not reproduced; function bb21b8-bb2296, calls WriteProcessMemory)
            APIs
            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 00BB2250
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.978467944.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_bb0000_Client.jbxd
            Similarity
            • API ID: MemoryProcessWrite
            • String ID: 'Jf-
            • API String ID: 3559483778-399823065
            • Opcode ID: 95a889e999d1bc65fa6a7b610748bf0f8c0417f18e2af74c12b861a78bf046d6
            • Instruction ID: ca3ccbb3b7d066b81fe2494cdeb965e286224c1763e9adcd670bc53b0ba0bf7b
            • Opcode Fuzzy Hash: 95a889e999d1bc65fa6a7b610748bf0f8c0417f18e2af74c12b861a78bf046d6
            • Instruction Fuzzy Hash: 6F213B75D002499FCF10CFA9D8847EEBBF5FF48314F14842AE918A7240C7789954CBA1
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            (graph not reproduced; function bb21c0-bb2296, calls WriteProcessMemory)
            APIs
            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 00BB2250
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.978467944.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_bb0000_Client.jbxd
            Similarity
            • API ID: MemoryProcessWrite
            • String ID: 'Jf-
            • API String ID: 3559483778-399823065
            • Opcode ID: 7a8b01569b97ffaee9979d5449480f1dc8dc13fd26317061b2191300c0da0928
            • Instruction ID: d43f769db5975c1c5eec96442645be92bf595d0677161aa5a24f7783bbd3072d
            • Opcode Fuzzy Hash: 7a8b01569b97ffaee9979d5449480f1dc8dc13fd26317061b2191300c0da0928
            • Instruction Fuzzy Hash: 302119719003499FCF10CFA9D884BEEBBF5FF48314F54882AE919A7241D778A954CBA1
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            (graph not reproduced; function bb22a8-bb2374, calls Wow64SetThreadContext)
            APIs
            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 00BB232E
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.978467944.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_bb0000_Client.jbxd
            Similarity
            • API ID: ContextThreadWow64
            • String ID: 'Jf-
            • API String ID: 983334009-399823065
            • Opcode ID: 7528429d8570000ae8300a0a985f7c0ff938358f2d4eec3bcc36a2c3e09d2671
            • Instruction ID: 6a7a26a34dc2499cde420ae4f6b232d2f059999ced2b20923206a1cc18ff4bda
            • Opcode Fuzzy Hash: 7528429d8570000ae8300a0a985f7c0ff938358f2d4eec3bcc36a2c3e09d2671
            • Instruction Fuzzy Hash: 27213A71D002098FCB10CFAAD4847EEBBF5EF88314F55842ED419A7241DB789945CFA5
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            (graph not reproduced; function bb22b0-bb2374, calls Wow64SetThreadContext)
            APIs
            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 00BB232E
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.978467944.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_bb0000_Client.jbxd
            Similarity
            • API ID: ContextThreadWow64
            • String ID: 'Jf-
            • API String ID: 983334009-399823065
            • Opcode ID: b72aa4125ce2fc41a3bd0af36f078469524ebe29d57a99b49314e2d1698bd492
            • Instruction ID: d177c8a626124798760cce80a352e8b0a3c67bcd067b208dbe362e6e6b0cad87
            • Opcode Fuzzy Hash: b72aa4125ce2fc41a3bd0af36f078469524ebe29d57a99b49314e2d1698bd492
            • Instruction Fuzzy Hash: 88212771D002098FCB10DFAAD4847EFBBF4EF88314F64842AD519A7241DB78AA45CFA5
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            (graph not reproduced; function 11f8900-11f89ba, calls VirtualProtect)
            APIs
            • VirtualProtect.KERNELBASE(?,?,?,?), ref: 011F8974
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.978563323.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_11e0000_Client.jbxd
            Similarity
            • API ID: ProtectVirtual
            • String ID: 'Jf-
            • API String ID: 544645111-399823065
            • Opcode ID: 87c16a8bf9998a8f40c3daa29f448d04b2e3ada0de44315898b44cd500b4b637
            • Instruction ID: 5e662597998535ef5f9e48291b7af1a956a0e65d68e7e85d24a0dc24645cd5d7
            • Opcode Fuzzy Hash: 87c16a8bf9998a8f40c3daa29f448d04b2e3ada0de44315898b44cd500b4b637
            • Instruction Fuzzy Hash: FC2115719002099FCB10DFAAD444BEEFBF4AF88224F54882AD519A7240DB78A944CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            (graph not reproduced; function e8b300-e8b3ba, calls VirtualProtect)
            APIs
            • VirtualProtect.KERNELBASE(?,?,?,?), ref: 00E8B374
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.978515340.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_e80000_Client.jbxd
            Similarity
            • API ID: ProtectVirtual
            • String ID: 'Jf-
            • API String ID: 544645111-399823065
            • Opcode ID: d571a95222aaa9457babc970b1b4654e86cd74f40e0636891681a2d2052c8ee6
            • Instruction ID: 38e24ff359badf4a3bf9dfb74fcc5e743fdd8a84b89d5f5b7929211cc0a43019
            • Opcode Fuzzy Hash: d571a95222aaa9457babc970b1b4654e86cd74f40e0636891681a2d2052c8ee6
            • Instruction Fuzzy Hash: 462118719002099FCB10DFAAD4447EEBBF4AF88314F54842AD419A7240DB78A944CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            (graph not reproduced; function bb24e8-bb2594, calls VirtualAllocExNuma)
            APIs
            • VirtualAllocExNuma.KERNELBASE(?,00000000,?,?,?,?), ref: 00BB2559
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.978467944.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_bb0000_Client.jbxd
            Similarity
            • API ID: AllocNumaVirtual
            • String ID: 'Jf-
            • API String ID: 4233825816-399823065
            • Opcode ID: 86399bc2157f67495ee7cf3476cebdd415672017c9813436f1a072745d58953e
            • Instruction ID: 38854be644943f89a5a106772d6bbc11eb19ede7018a30333a409803fa3937ad
            • Opcode Fuzzy Hash: 86399bc2157f67495ee7cf3476cebdd415672017c9813436f1a072745d58953e
            • Instruction Fuzzy Hash: BF11F9729002099FCB10DFA9D844BDFBBF5EF88314F24881AE519A7650CB79A954CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00BB208E
            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.978467944.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_bb0000_Client.jbxd
            Similarity
            • API ID: AllocVirtual
            • String ID: 'Jf-
            • API String ID: 4275171209-399823065
            • Opcode ID: 118e4e0d932f53a0ae451cfbc596038b6c06311fa1f3c506cfdf3d27d9369e5c
            • Instruction ID: 35cf5712b57efb6349830887d43054440a0292af2b0858ef7ef1b4dee3849e79
            • Opcode Fuzzy Hash: 118e4e0d932f53a0ae451cfbc596038b6c06311fa1f3c506cfdf3d27d9369e5c
            • Instruction Fuzzy Hash: BD114C719002099FCF10DFA9D8447DFBBF5EF88314F24881AD515A7250CB79A950CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.978449162.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_ba0000_Client.jbxd
            Similarity
            • API ID:
            • String ID: (v $d
            • API String ID: 0-2805386608
            • Opcode ID: d611f2602f4bd79f51028e8a1fb703cb0ad1d38e80b30a8284514cc1a20094ff
            • Instruction ID: d8b2789aa8e563c880e4fbe7161982f787ea3f3242d92c2f6d46f4fc755f68ed
            • Opcode Fuzzy Hash: d611f2602f4bd79f51028e8a1fb703cb0ad1d38e80b30a8284514cc1a20094ff
            • Instruction Fuzzy Hash: 1F616DB4E012288FDBA5DF68C8987D9BBF1AB49304F1081EA950DE7355EB349E858F40
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • KiUserExceptionDispatcher.NTDLL ref: 00940710
            Memory Dump Source
            • Source File: 00000005.00000002.978380833.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_940000_Client.jbxd
            Similarity
            • API ID: DispatcherExceptionUser
            • String ID:
            • API String ID: 6842923-0
            • Opcode ID: 74ff76bf7129dab9360a6ac22d68608d7de2ace48666cd6eef05fce522c7e9c9
            • Instruction ID: f99f4ec82309959915b2e532637030f7b82f0aa70e1e9b6685d8a4908fca366c
            • Opcode Fuzzy Hash: 74ff76bf7129dab9360a6ac22d68608d7de2ace48666cd6eef05fce522c7e9c9
            • Instruction Fuzzy Hash: D211346155E3D24FC7A387208CAADA53FB4999321430E41DEC5C58F1E7E628980ADB93
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • KiUserExceptionDispatcher.NTDLL ref: 00940710
            Memory Dump Source
            • Source File: 00000005.00000002.978380833.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_940000_Client.jbxd
            Similarity
            • API ID: DispatcherExceptionUser
            • String ID:
            • API String ID: 6842923-0
            Uniqueness

            Uniqueness Score: -1.00%

            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.978413914.00000000009C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009C0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_9c0000_Client.jbxd
            Similarity
            • API ID:
            • String ID: #W@
            • API String ID: 0-494063641
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000005.00000002.981782014.0000000005050000.00000040.00000800.00020000.00000000.sdmp, Offset: 05050000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_5050000_Client.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000005.00000002.978621287.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1210000_Client.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000005.00000002.978449162.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_ba0000_Client.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000005.00000002.978207170.0000000000660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00660000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_660000_Client.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000005.00000002.978534312.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_f70000_Client.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000005.00000002.978534312.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_f70000_Client.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000005.00000002.978534312.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_f70000_Client.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000005.00000002.978534312.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_f70000_Client.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000005.00000002.978413914.00000000009C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009C0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_9c0000_Client.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000005.00000002.981782014.0000000005050000.00000040.00000800.00020000.00000000.sdmp, Offset: 05050000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_5050000_Client.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            Uniqueness

            Uniqueness Score: -1.00%

            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.978534312.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_f70000_Client.jbxd
            Similarity
            • API ID:
            • String ID: ^F7$CU|
            • API String ID: 0-844741360
            Uniqueness

            Uniqueness Score: -1.00%

            Strings
            Memory Dump Source
            • Source File: 00000005.00000002.978621287.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_1210000_Client.jbxd
            Similarity
            • API ID:
            • String ID: ,C'
            • API String ID: 0-2957561659
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000005.00000002.978534312.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_f70000_Client.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000005.00000002.978534312.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_f70000_Client.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            Uniqueness

            Uniqueness Score: -1.00%