Windows Analysis Report
SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.12395.1520

Overview

General Information

Sample Name:	SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.12395.1520 (renamed file extension from 1520 to rtf)
Analysis ID:	680332
MD5:	26111b2647fc8b1e3e123e825f716b94
SHA1:	131907f569a2774c1800430ccf052896dc685ec0
SHA256:	7d4a1c05f377343f063e0b265fc85f928b59f0cd88914f2b2715c4a25c734838
Tags:	rtf
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected FormBook

Document exploit detected (drops PE files)

Malicious sample detected (through community Yara rule)

Document contains OLE streams which likely are hidden ActiveX objects

System process connects to network (likely due to code injection or exploit)

Document exploit detected (creates forbidden files)

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Sample uses process hollowing technique

Tries to steal Mail credentials (via file / registry access)

Maps a DLL or memory area into another process

Office process drops PE file

Writes to foreign memory regions

Document contains OLE streams with names of living off the land binaries

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Found potential equation exploit (CVE-2017-11882)

Injects a PE file into a foreign processes

Queues an APC in another process (thread injection)

PE file has nameless sections

Machine Learning detection for dropped file

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Creates a thread in another existing process (thread injection)

Found suspicious RTF objects

Tries to harvest and steal browser information (history, passwords, etc)

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

Potential document exploit detected (performs DNS queries)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Document misses a certain OLE stream usually present in this Microsoft Office document type

Contains long sleeps (>= 3 min)

Document contains Microsoft Equation 3.0 OLE entries

Searches the installation path of Mozilla Firefox

Enables debug privileges

Potential document exploit detected (unknown TCP traffic)

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Office Equation Editor has been started

Checks if the current process is being debugged

Contains functionality to detect virtual machines (SLDT)

Creates a window with clipboard capturing capabilities

Potential document exploit detected (performs HTTP gets)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.12395.rtf

ReversingLabs: Detection: 14%

Yara detected FormBook

Source: Yara match	File source: 9.2.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.notepad.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.notepad.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.notepad.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.notepad.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.notepad.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.1174323535.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.936456430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1039869159.00000000002B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.936147308.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.944576873.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.1155298831.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.1152501907.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1160841001.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.1012237175.000000000B4B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1175159269.0000000000230000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.955126906.0000000003696000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.996747059.000000000B4B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1174987416.0000000000200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1039958071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1039727888.0000000000150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.944868705.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{35F4FC89-AF57-47A0-AA61-CE9C986E155F}.tmp

Avira: detection malicious, Label: EXP/CVE-2017-11882.Gen

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Client.exe

ReversingLabs: Detection: 21%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Client.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 9.0.notepad.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.2.notepad.exe.400000.1.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.0.notepad.exe.400000.3.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.0.notepad.exe.400000.4.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.0.notepad.exe.400000.1.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.0.notepad.exe.400000.2.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Source: 0000000B.00000002.1174323535.0000000000080000.00000040.80000000.00040000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.bookmarkfiles.info/aekc/"], "decoy": ["RMXvmWv1T8LnwQ==", "Eihj8MxKqewaukr9kA==", "+g6zzMM6GRqNBkX3uOBoqQ==", "pWRxiwc2Bfok7RT5", "vPwdzH5MqglB6x8BBR1yrw==", "MjC+3B4RiO87RDzpmA==", "38QEn2bgSsIbukr9kA==", "H/gg2eB11REpukr9kA==", "nR93HiGa/mm/l+rJcb0fzd3Ys9oH32E71g==", "1tdkeMK6HwpkdW9G/kFSNwwB2TiAJg==", "oxrGgFLiVZy7cJxgKmur4bIu", "1dZdfsq5k9TlwQ+5duE=", "b0J+ndKQ9h05o6NV8lOr4bIu", "fjfP53bwT8LnwQ==", "hTvn/If7T8LnwQ==", "FDzSk+QA0/1P", "9jlCyLJev/gnukr9kA==", "hRGrJJDDvPMQTa2POpTalloPghMa", "ioI1Oi/bWM0DVVpH/GXBQtDC3A==", "7Qq8yL5gzg702uLu", "9aS3x0Ry6dY4ZZ99S5PKQtDC3A==", "yMYCrLpn10a3R1E1AFOv6ack", "w8w/bvcWATu7PDDwfd0JuYgI0A==", "NTbg7NdXVle3N1Pu0CUw", "OQQbz5yH+jOxwQ+5duE=", "qTrBdXUWf8vwGBk=", "oi21Ou1SR37/pPq9U7m6Nz8E2TiAJg==", "l9PJcHotT8LnwQ==", "K/QPqqhuzMkB7PjYiKZAb3I=", "roGw5GmYgsUk7RT5", "gTxXZNw8T8LnwQ==", "5N+VzPa9HhZ0f3pRGniEeDcs3PI=", "CeIVuGevoMbvN5Fr/GCr4bIu", "hkZ+riVUPmvvfHcYBlWl36Yl1A==", "nOfvBG59bKkwzdeNIYPFQtDC3A==", "W57fbAhOOkGdGkIAo/NP/cqJ4vQ=", "E8tuxTQzaqZB", "ugwnTscE8fYk7RT5", "JrAINpN+XL0d4hLnlek=", "qESZmsanHEjMukr9kA==", "/v06r9lmzw==", "W/CcThAzaqZB", "xML0nKZguwUN8QY=", "5XIhrh0dlLk/oBZibInIQtDC3A==", "Z3C7ZmwGA/ok7RT5", "DRi50wcM+2wQsQLoicXEOQGAKNP232E71g==", "AF+XxB0kk4HhnuLXn/My8Ho=", "HGucKuFQc/pymOzcmA==", "voOmzEFjVr0JRm5E+l2r4bIu", "ddDg/GlYzfQZ5iHve6ZAb3I=", "XBxNffL72iGfJX1tbaKguA==", "MxhV44jVxD+PGPbYmA==", "0WeywuzZvww2iA/WfPY=", "1myvw0eaf6gklfODaZ4sYmw=", "SOOWE3prlNJZ", "MTC9xPPkUjxsT0kf1DN/SAx8OvRxRA6h", "0JyrUE8FaI8iJxvXdqZAb3I=", "Hd4mSndaPXTmig/WfPY=", "11PeMCuzsqHVJ0nu0CUw", "0iQvcErbTcQcukr9kA==", "LH+NhcKpDC1XGHbu0CUw", "gThzlciV/PsyEVPxn/Q67no=", "lIgXFAarBzy5uA+5duE=", "31gOPnVkSwUN8QY="]}

Exploits

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Windows\SysWOW64\cmd.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Windows\SysWOW64\cmd.exe			Jump to behavior

Found potential equation exploit (CVE-2017-11882)

Source:

Static RTF information: Object: 1 Offset: 001DF7BDh

Document contains Microsoft Equation 3.0 OLE entries

Source: ~WRF{35F4FC89-AF57-47A0-AA61-CE9C986E155F}.tmp.0.dr

Stream path '_1721465588/\x1CompObj' : ...................F....Microsoft Equation 3.0....

Office Equation Editor has been started

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source:	Binary string: notepad.pdb source: NAPSTAT.EXE, 0000000B.00000002.1177850032.0000000000433000.00000004.00000020.00020000.00000000.sdmp, NAPSTAT.EXE, 0000000B.00000002.1180581876.0000000002303000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000000D.00000000.1154674128.0000000000593000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: notepad.exe, notepad.exe, 00000009.00000002.1040434132.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, notepad.exe, 00000009.00000002.1042200687.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, notepad.exe, 00000009.00000003.945235876.00000000001F0000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000009.00000003.946852409.0000000000970000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: notepad.pdbx source: NAPSTAT.EXE, 0000000B.00000002.1177850032.0000000000433000.00000004.00000020.00020000.00000000.sdmp, NAPSTAT.EXE, 0000000B.00000002.1180581876.0000000002303000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000000D.00000000.1154674128.0000000000593000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: napstat.pdb source: notepad.exe, 00000009.00000003.1038035602.000000000088C000.00000004.00000020.00020000.00000000.sdmp, notepad.exe, 00000009.00000002.1039905006.00000000002E0000.00000040.10000000.00040000.00000000.sdmp

Source: global traffic	DNS query: name: www.magadirect.co.uk
Source: global traffic	DNS query: name: www.sqlite.org
Source: global traffic	DNS query: name: www.luanaterra.online
Source: global traffic	DNS query: name: www.hogogala.com

Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 45.33.18.44:80
Source: global traffic	TCP traffic: 45.33.18.44:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 45.33.18.44:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 45.33.18.44:80
Source: global traffic	TCP traffic: 45.33.18.44:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 45.33.18.44:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 45.33.18.44:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 45.33.18.44:80
Source: global traffic	TCP traffic: 45.33.18.44:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 45.33.6.223:80
Source: global traffic	TCP traffic: 45.33.6.223:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 45.33.6.223:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 45.33.6.223:80
Source: global traffic	TCP traffic: 45.33.6.223:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 45.33.6.223:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 45.33.6.223:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 45.33.6.223:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 45.33.6.223:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 45.33.6.223:80
Source: global traffic	TCP traffic: 45.33.6.223:80 -> 192.168.2.22:49172

Source: C:\Windows\explorer.exe	Domain query: www.magadirect.co.uk
Source: C:\Windows\explorer.exe	Network Connect: 45.33.18.44 80			Jump to behavior

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundserver: openresty/1.13.6.1date: Mon, 08 Aug 2022 10:08:49 GMTcontent-type: text/htmlcontent-length: 175connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 2f 31 2e 31 33 2e 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>openresty/1.13.6.1</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closeDate: Mon, 08 Aug 2022 10:09:09 GMTContent-type: text/html; charset=utf-8Data Raw: 3c 68 65 61 64 3e 3c 74 69 74 6c 65 20 6c 69 6e 65 6e 6f 3d 22 33 39 30 22 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 68 31 3e 44 6f 63 75 6d 65 6e 74 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 2f 32 30 31 34 2f 73 71 6c 69 74 65 2d 64 6c 6c 2d 77 69 6e 33 32 2d 78 38 36 2d 33 30 38 30 37 30 30 2e 7a 69 70 20 69 73 20 6e 6f 74 20 61 76 61 69 6c 61 62 6c 65 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 0a 3c 2f 62 6f 64 79 3e 0a Data Ascii: <head><title lineno="390">Not Found</title></head><body><h1>Document Not Found</h1>The document /2014/sqlite-dll-win32-x86-3080700.zip is not available on this server</body>

Source: explorer.exe, 0000000A.00000000.969373511.00000000046D0000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 0000000A.00000000.1005046507.0000000003B10000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 0000000A.00000000.1005046507.0000000003B10000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 0000000A.00000000.998739838.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.949886859.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.983940407.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1027026563.0000000000335000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://java.sun.com
Source: explorer.exe, 0000000A.00000000.1005424318.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.1030081883.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 0000000A.00000000.1005424318.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.1030081883.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: explorer.exe, 0000000A.00000000.1001877731.0000000001DD0000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: Client.exe, 00000005.00000002.947458698.0000000002671000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 0000000A.00000000.1008328661.0000000006450000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 0000000A.00000000.1005424318.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.1030081883.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 0000000A.00000000.969373511.00000000046D0000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 0000000A.00000000.969373511.00000000046D0000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 0000000A.00000000.1005424318.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.1030081883.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: explorer.exe, 0000000A.00000000.1001877731.0000000001DD0000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 0000000A.00000000.998739838.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.949886859.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.983940407.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1027026563.0000000000335000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3
Source: explorer.exe, 0000000A.00000000.969373511.00000000046D0000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 0000000A.00000000.1005046507.0000000003B10000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 0000000A.00000000.1005424318.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.1030081883.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 0000000A.00000000.969373511.00000000046D0000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 0000000A.00000000.1005046507.0000000003B10000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 0000000A.00000000.976786692.00000000084C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1004626983.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 0000000A.00000000.978377131.0000000008611000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1010833057.0000000008611000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.993943393.0000000008611000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.piriform.com/ccleaner1SPS0
Source: explorer.exe, 0000000A.00000000.1010360758.0000000008521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.995439916.0000000008807000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.979257547.000000000869E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.950353171.00000000003A6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.994846785.000000000869E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.979787030.000000000880D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.992888492.00000000084D2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1011293822.000000000869E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.993114505.0000000008521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1010156944.00000000084D2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.976835880.00000000084D2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 0000000A.00000000.1029291046.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.986329833.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.958357895.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1004626983.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerq
Source: explorer.exe, 0000000A.00000000.988586812.0000000004385000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1006236115.0000000004385000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.968187098.0000000004385000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerv
Source: explorer.exe, 0000000A.00000000.1005046507.0000000003B10000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: explorer.exe, 0000000A.00000000.998739838.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.949886859.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.983940407.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1027026563.0000000000335000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org
Source: explorer.exe, 0000000A.00000000.998739838.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.949886859.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.983940407.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1027026563.0000000000335000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: explorer.exe, 0000000A.00000000.998739838.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.949886859.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.983940407.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1027026563.0000000000335000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes

Source: global traffic	HTTP traffic detected: GET /aekc/?p6A=k0tTOTrAn50YQe1h4ozxDNX4wd5+O6pkKrWAMwmyhhYwJBfC5YpDY/r3FGLgLX7DF3fRHoVtyXQnCSOz0Ea/6qte5rYurCT1UmXBzRE=&xjRt=ZvcPNdzxaTTX6DM HTTP/1.1Host: www.magadirect.co.ukConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /2014/sqlite-dll-win32-x86-3080700.zip HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: www.sqlite.orgConnection: Keep-Alive

Source: SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.12395.rtf, type: SAMPLE	Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
Source: 9.2.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 9.2.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.2.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 9.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 9.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.0.notepad.exe.400000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 9.0.notepad.exe.400000.3.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.0.notepad.exe.400000.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.notepad.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 9.2.notepad.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.2.notepad.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.0.notepad.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 9.0.notepad.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.0.notepad.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.0.notepad.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 9.0.notepad.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.0.notepad.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 9.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 9.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 9.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.0.notepad.exe.400000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 9.0.notepad.exe.400000.4.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.0.notepad.exe.400000.4.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.1174323535.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.1174323535.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.1174323535.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000000.936456430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000000.936456430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000000.936456430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.1039869159.00000000002B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.1039869159.00000000002B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.1039869159.00000000002B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000000.936147308.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000000.936147308.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000000.936147308.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000000.944576873.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000000.944576873.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000000.944576873.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000000.1155298831.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000000.1155298831.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000000.1155298831.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000000.1152501907.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000000.1152501907.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000000.1152501907.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.1160841001.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.1160841001.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.1160841001.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000000.1012237175.000000000B4B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000000.1012237175.000000000B4B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000000.1012237175.000000000B4B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.1175159269.0000000000230000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.1175159269.0000000000230000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.1175159269.0000000000230000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.955126906.0000000003696000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.955126906.0000000003696000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.955126906.0000000003696000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000000.996747059.000000000B4B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000000.996747059.000000000B4B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000000.996747059.000000000B4B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.1174987416.0000000000200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.1174987416.0000000000200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.1174987416.0000000000200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.1039958071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.1039958071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.1039958071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.1039727888.0000000000150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.1039727888.0000000000150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.1039727888.0000000000150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000000.944868705.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000000.944868705.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000000.944868705.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: Client.exe PID: 2948, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: notepad.exe PID: 2496, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: NAPSTAT.EXE PID: 204, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{35F4FC89-AF57-47A0-AA61-CE9C986E155F}.tmp, type: DROPPED	Matched rule: EXP_potential_CVE_2017_11882 Author: ReversingLabs

Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_001F13B0	5_2_001F13B0
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_001F3618	5_2_001F3618
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_001F4AB9	5_2_001F4AB9
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_001FA060	5_2_001FA060
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_001F4AC8	5_2_001F4AC8
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_003403E5	5_2_003403E5
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_00B59CB0	5_2_00B59CB0
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_00B59EF0	5_2_00B59EF0
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_00B59AE0	5_2_00B59AE0
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_00B5A4E8	5_2_00B5A4E8
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_00B56C10	5_2_00B56C10
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_00B59920	5_2_00B59920
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_04C40048	5_2_04C40048
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_04C40548	5_2_04C40548
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_04C4050C	5_2_04C4050C
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00401030	9_2_00401030
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_0041E163	9_2_0041E163
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_0041E166	9_2_0041E166
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_0041F9AA	9_2_0041F9AA
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_0041EA20	9_2_0041EA20
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_0040E330	9_2_0040E330
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_0041EC09	9_2_0041EC09
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00409DD0	9_2_00409DD0
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_0041F584	9_2_0041F584
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00402D8B	9_2_00402D8B
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00402D90	9_2_00402D90
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_0041E7ED	9_2_0041E7ED
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00402FB0	9_2_00402FB0
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00B1E0C6	9_2_00B1E0C6
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00B4D005	9_2_00B4D005
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00B9D06D	9_2_00B9D06D
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00B3905A	9_2_00B3905A
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00B23040	9_2_00B23040
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00B1E2E9	9_2_00B1E2E9
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00BC1238	9_2_00BC1238
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00BC63BF	9_2_00BC63BF
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00B463DB	9_2_00B463DB
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00B1F3CF	9_2_00B1F3CF
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00B22305	9_2_00B22305
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00B6A37B	9_2_00B6A37B
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00B27353	9_2_00B27353
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00B55485	9_2_00B55485
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00B31489	9_2_00B31489
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00BA443E	9_2_00BA443E
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00B5D47D	9_2_00B5D47D
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00B3C5F0	9_2_00B3C5F0
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00BA05E3	9_2_00BA05E3
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00B2351F	9_2_00B2351F
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00B66540	9_2_00B66540
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00B24680	9_2_00B24680
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00B2E6C1	9_2_00B2E6C1
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00B6A634	9_2_00B6A634
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00BC2622	9_2_00BC2622
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00B2C7BC	9_2_00B2C7BC
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00BA579A	9_2_00BA579A
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00B557C3	9_2_00B557C3
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00BBF8EE	9_2_00BBF8EE
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00B9F8C4	9_2_00B9F8C4
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00B4286D	9_2_00B4286D
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00B2C85C	9_2_00B2C85C
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00B229B2	9_2_00B229B2
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00BC098E	9_2_00BC098E
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00B369FE	9_2_00B369FE
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00BA5955	9_2_00BA5955
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00BA394B	9_2_00BA394B
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00BD3A83	9_2_00BD3A83
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00BCCBA4	9_2_00BCCBA4
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00BADBDA	9_2_00BADBDA
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00BA6BCB	9_2_00BA6BCB
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00B47B00	9_2_00B47B00
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00BBFDDD	9_2_00BBFDDD
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00B50D3B	9_2_00B50D3B
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00B2CD5B	9_2_00B2CD5B

Source: C:\Windows\SysWOW64\notepad.exe	Code function: String function: 00B6373B appears 217 times
Source: C:\Windows\SysWOW64\notepad.exe	Code function: String function: 00B63F92 appears 116 times
Source: C:\Windows\SysWOW64\notepad.exe	Code function: String function: 00B8F970 appears 80 times
Source: C:\Windows\SysWOW64\notepad.exe	Code function: String function: 00B1DF5C appears 111 times
Source: C:\Windows\SysWOW64\notepad.exe	Code function: String function: 00B1E2A8 appears 37 times

Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_001F24A0 NtQuerySystemInformation,	5_2_001F24A0
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_001F2498 NtQuerySystemInformation,	5_2_001F2498
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_00E9DC10 NtSetContextThread,	5_2_00E9DC10
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_00E9D1F0 NtProtectVirtualMemory,	5_2_00E9D1F0
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_00E9CD08 NtAllocateVirtualMemory,	5_2_00E9CD08
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_00E9F100 NtResumeThread,	5_2_00E9F100
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_00E9D700 NtWriteVirtualMemory,	5_2_00E9D700
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_04C4B8D8 NtCreateThreadEx,	5_2_04C4B8D8
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_04C4B3F8 NtWriteVirtualMemory,	5_2_04C4B3F8
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_0041AD40 NtCreateFile,	9_2_0041AD40
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_0041ADF0 NtReadFile,	9_2_0041ADF0
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_0041AE70 NtClose,	9_2_0041AE70
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_0041AF20 NtAllocateVirtualMemory,	9_2_0041AF20
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_0041AD3A NtCreateFile,	9_2_0041AD3A
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_0041AE6A NtClose,	9_2_0041AE6A
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_0041AF1A NtAllocateVirtualMemory,	9_2_0041AF1A
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00B100C4 NtCreateFile,LdrInitializeThunk,	9_2_00B100C4
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00B10078 NtResumeThread,LdrInitializeThunk,	9_2_00B10078
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00B10048 NtProtectVirtualMemory,LdrInitializeThunk,	9_2_00B10048
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00B107AC NtCreateMutant,LdrInitializeThunk,	9_2_00B107AC
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00B0F9F0 NtClose,LdrInitializeThunk,	9_2_00B0F9F0
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00B0F900 NtReadFile,LdrInitializeThunk,	9_2_00B0F900
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00B0FAE8 NtQueryInformationProcess,LdrInitializeThunk,	9_2_00B0FAE8
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00B0FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,	9_2_00B0FAD0
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00B0FBB8 NtQueryInformationToken,LdrInitializeThunk,	9_2_00B0FBB8
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00B0FB68 NtFreeVirtualMemory,LdrInitializeThunk,	9_2_00B0FB68
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00B0FC90 NtUnmapViewOfSection,LdrInitializeThunk,	9_2_00B0FC90
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00B0FC60 NtMapViewOfSection,LdrInitializeThunk,	9_2_00B0FC60
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00B0FD8C NtDelayExecution,LdrInitializeThunk,	9_2_00B0FD8C
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00B0FDC0 NtQuerySystemInformation,LdrInitializeThunk,	9_2_00B0FDC0
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00B0FEA0 NtReadVirtualMemory,LdrInitializeThunk,	9_2_00B0FEA0
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00B0FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,	9_2_00B0FED0
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00B0FFB4 NtCreateSection,LdrInitializeThunk,	9_2_00B0FFB4
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00B110D0 NtOpenProcessToken,	9_2_00B110D0
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00B10060 NtQuerySection,	9_2_00B10060
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00B101D4 NtSetValueKey,	9_2_00B101D4
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00B1010C NtOpenDirectoryObject,	9_2_00B1010C
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00B11148 NtOpenThread,	9_2_00B11148
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00B0F8CC NtWaitForSingleObject,	9_2_00B0F8CC
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00B11930 NtSetContextThread,	9_2_00B11930
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00B0F938 NtWriteFile,	9_2_00B0F938
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00B0FAB8 NtQueryValueKey,	9_2_00B0FAB8
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00B0FA20 NtQueryInformationFile,	9_2_00B0FA20
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00B0FA50 NtEnumerateValueKey,	9_2_00B0FA50
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00B0FBE8 NtQueryVirtualMemory,	9_2_00B0FBE8
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00B0FB50 NtCreateKey,	9_2_00B0FB50
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00B0FC30 NtOpenProcess,	9_2_00B0FC30
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00B10C40 NtGetContextThread,	9_2_00B10C40
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00B0FC48 NtSetInformationFile,	9_2_00B0FC48
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00B11D80 NtSuspendThread,	9_2_00B11D80
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00B0FD5C NtEnumerateKey,	9_2_00B0FD5C

Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Section loaded: winsqlite3.dll	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 77620000 page execute and read and write	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 77740000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Memory allocated: 77620000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Memory allocated: 77740000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\notepad.exe	Memory allocated: 77620000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\notepad.exe	Memory allocated: 77740000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Memory allocated: 77620000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Memory allocated: 77740000 page execute and read and write	Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Windows\SysWOW64\cmd.exe CmD.exe /C %tmp%\Client.exe A C
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\Client.exe C:\Users\user\AppData\Local\Temp\Client.exe A C
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process created: C:\Windows\SysWOW64\notepad.exe C:\Windows\SysWOW64\notepad.exe /Processid:{9A42BBC4-4F4B-4518-841E-56E3DAA7341B}
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\NAPSTAT.EXE C:\Windows\SysWOW64\NAPSTAT.EXE
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Process created: C:\Program Files (x86)\Mozilla Firefox\firefox.exe C:\Program Files (x86)\Mozilla Firefox\Firefox.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Windows\SysWOW64\cmd.exe CmD.exe /C %tmp%\Client.exe A C	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\Client.exe C:\Users\user\AppData\Local\Temp\Client.exe A C	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process created: C:\Windows\SysWOW64\notepad.exe C:\Windows\SysWOW64\notepad.exe /Processid:{9A42BBC4-4F4B-4518-841E-56E3DAA7341B}	Jump to behavior
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Process created: C:\Program Files (x86)\Mozilla Firefox\firefox.exe C:\Program Files (x86)\Mozilla Firefox\Firefox.exe	Jump to behavior

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_01185096 push 00000020h; iretd	5_2_01185099
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_01189ABE push ebx; ret	5_2_01189B10
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_011828DB pushfd ; retf	5_2_011828DC
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_011854E3 push 00000020h; iretd	5_2_011854E6
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_001FA050 push eax; retf 001Eh	5_2_001FA051
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_001F907A push esp; ret	5_2_001F9091
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_001F9092 pushfd ; ret	5_2_001F9111
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_001FAA30 push eax; iretd	5_2_001FAA31
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_001FAA50 pushad ; iretd	5_2_001FAA51
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_001F8EDD push eax; retn 001Eh	5_2_001F8ED9
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_001F8ED8 push eax; retn 001Eh	5_2_001F8ED9
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_04C43EA9 push 03682C01h; ret	5_2_04C43EB9
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_04C4381A push 800FD82Bh; retf 006Dh	5_2_04C4381F
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_04C4301A push 800FD82Bh; retf 0075h	5_2_04C4301F
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_04C4371A push 800FD82Bh; retf 006Eh	5_2_04C4371F
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_04C632BC push 800FD82Bh; retf	5_2_04C632C1
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_04C642B8 push 800FD82Bh; iretd	5_2_04C642BD
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_04C647BD push 800FD82Bh; retf 005Fh	5_2_04C647C2
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_04C63DBB push 800FF02Bh; retf 0069h	5_2_04C63DC2
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_04C64FB8 push 800FC303h; iretd	5_2_04C64FBD
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_04C61B75 push 800FC303h; retn 0002h	5_2_04C61B7C
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_04E4585D push 800FD82Bh; retf	5_2_04E45888
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_0041E075 push eax; ret	9_2_0041E0C8
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_0040880F push ebx; iretd	9_2_00408810
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_0041E0C2 push eax; ret	9_2_0041E0C8
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_004140CB push 00000011h; retf	9_2_004140CD
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_0041E0CB push eax; ret	9_2_0041E132
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_0041B11A push edi; retf	9_2_0041B11B
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_0041E12C push eax; ret	9_2_0041E132
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_0040D2D0 pushfd ; retf	9_2_0040D348
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00406AE4 push ebp; ret	9_2_00406AE5

Source: Client.exe.0.dr	Static PE information: section name: bdzG4e
Source: Client.exe.0.dr	Static PE information: section name:

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1404	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe TID: 2252	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\NAPSTAT.EXE TID: 2652	Thread sleep time: -120000s >= -30000s	Jump to behavior

Source: explorer.exe, 0000000A.00000000.1006484314.00000000043F0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: explorer.exe, 0000000A.00000000.1011618925.0000000008844000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: explorer.exe, 0000000A.00000000.1011618925.0000000008844000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: explorer.exe, 0000000A.00000000.968063390.000000000434F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: scsi\disk&ven_vmware&prod_virtual_disk\5&22be343f&0&000000
Source: explorer.exe, 0000000A.00000000.1027105135.000000000037B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.08tp
Source: explorer.exe, 0000000A.00000000.968616738.0000000004423000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000000.1006484314.00000000043F0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: v6nel\5&35c44269e\cdromnvmware_sata_
Source: explorer.exe, 0000000A.00000000.968063390.000000000434F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: ide\cdromnecvmwar_vmware_sata_cd01_______________1.00____\6&373888b8&0&1.0.0Q
Source: EQNEDT32.EXE, 00000002.00000003.898154429.00000000005C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Vmcicda.dll
Source: explorer.exe, 0000000A.00000000.1027026563.0000000000335000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}(

Windows Analysis Report SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.12395.1520

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Exploits

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.12395.1520

Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Process token adjusted: Debug			Jump to behavior

Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00B00080 mov ecx, dword ptr fs:[00000030h]	9_2_00B00080
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00B000EA mov eax, dword ptr fs:[00000030h]	9_2_00B000EA
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00B226F8 mov eax, dword ptr fs:[00000030h]	9_2_00B226F8

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\notepad.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section unmapped: C:\Windows\SysWOW64\notepad.exe base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\notepad.exe	Section unmapped: C:\Windows\SysWOW64\NAPSTAT.EXE base address: A00000	Jump to behavior
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Section unmapped: C:\Program Files (x86)\Mozilla Firefox\firefox.exe base address: 190000	Jump to behavior

Source: C:\Windows\SysWOW64\notepad.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\notepad.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\notepad.exe	Section loaded: unknown target: C:\Windows\SysWOW64\NAPSTAT.EXE protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\notepad.exe	Section loaded: unknown target: C:\Windows\SysWOW64\NAPSTAT.EXE protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Section loaded: unknown target: C:\Program Files (x86)\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Section loaded: unknown target: C:\Program Files (x86)\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Section loaded: unknown target: C:\Program Files (x86)\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Client.exe	Memory written: C:\Windows\SysWOW64\notepad.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Memory written: C:\Windows\SysWOW64\notepad.exe base: 401000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Memory written: C:\Windows\SysWOW64\notepad.exe base: 7EFDE008	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Memory written: C:\Windows\SysWOW64\notepad.exe base: 80000	Jump to behavior

Source: C:\Windows\SysWOW64\notepad.exe	Thread register set: target process: 1860	Jump to behavior
Source: C:\Windows\SysWOW64\notepad.exe	Thread register set: target process: 1860	Jump to behavior
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Thread register set: target process: 1860	Jump to behavior

Source: explorer.exe, 0000000A.00000000.984754885.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.951754136.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.1027690828.0000000000830000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000A.00000000.984754885.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.951754136.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.998739838.0000000000335000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000000A.00000000.984754885.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.951754136.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.1027690828.0000000000830000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager<

Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Client.exe VolumeInformation			Jump to behavior

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.33.6.223	www.sqlite.org	United States		63949	LINODE-APLinodeLLCUS	false
45.33.18.44	www.magadirect.co.uk	United States		63949	LINODE-APLinodeLLCUS	true