Windows Analysis Report
SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.2764.27077

Overview

General Information

Sample Name:	SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.2764.27077 (renamed file extension from 27077 to rtf)
Analysis ID:	680530
MD5:	a5b0c571197ee2931e12f11caf138eff
SHA1:	a4355fe45e321b99274f8000c5ac9c08f7146b28
SHA256:	00915bcbff87b2e195e1547df8e1944cadcdc6aa46beb130bd5a960dff01c7e3
Tags:	rtf
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected FormBook

Document exploit detected (drops PE files)

Malicious sample detected (through community Yara rule)

Document contains OLE streams which likely are hidden ActiveX objects

Document exploit detected (creates forbidden files)

Antivirus detection for dropped file

Sample uses process hollowing technique

Maps a DLL or memory area into another process

Office process drops PE file

Writes to foreign memory regions

Document contains OLE streams with names of living off the land binaries

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Found potential equation exploit (CVE-2017-11882)

Injects a PE file into a foreign processes

Queues an APC in another process (thread injection)

PE file has nameless sections

Tries to detect virtualization through RDTSC time measurements

Machine Learning detection for dropped file

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Creates a thread in another existing process (thread injection)

Found suspicious RTF objects

PE file contains section with special chars

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Detected potential crypto function

Found potential string decryption / allocating functions

Contains functionality to call native functions

Contains functionality for execution timing, often used to detect debuggers

Document misses a certain OLE stream usually present in this Microsoft Office document type

Contains long sleeps (>= 3 min)

Abnormal high CPU Usage

Document contains Microsoft Equation 3.0 OLE entries

Enables debug privileges

AV process strings found (often used to terminate AV products)

Found inlined nop instructions (likely shell or obfuscated code)

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Office Equation Editor has been started

Checks if the current process is being debugged

Creates a window with clipboard capturing capabilities

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Signatures

AV Detection

Yara detected FormBook

Source: Yara match	File source: 9.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.notepad.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.notepad.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.notepad.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.notepad.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.notepad.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.notepad.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.notepad.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000000.946833187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1179366947.0000000000270000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1020852335.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.936817902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1180023035.0000000000430000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.936384023.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.1000544404.000000000B405000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.946015787.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1020404984.00000000001C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1177745038.00000000000E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.1011962365.000000000B405000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1020827183.00000000003D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.956769759.0000000003276000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.946320961.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{5A3C8D88-A016-4151-9911-DB6F195FA0DD}.tmp

Avira: detection malicious, Label: EXP/CVE-2017-11882.Gen

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Client.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 12.0.colorcpl.exe.490000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 9.0.notepad.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.2.notepad.exe.220000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 9.2.notepad.exe.310828.1.unpack	Avira: Label: TR/Dropper.Gen
Source: 9.0.notepad.exe.400000.3.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.0.notepad.exe.400000.4.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.0.notepad.exe.400000.1.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.0.notepad.exe.400000.5.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.0.notepad.exe.400000.2.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 12.2.colorcpl.exe.490000.1.unpack	Avira: Label: TR/Dropper.Gen
Source: 9.2.notepad.exe.400000.2.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Source: 00000009.00000000.946833187.0000000000400000.00000040.00000400.00020000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.kambilemuntupan.space/sy31/"], "decoy": ["saranatv.online", "xwrwdl.xyz", "tradecoin-investments.com", "cas-559.com", "liandli.biz", "hexglow.com", "jewelstorefront.com", "fukkd.com", "peliculasponder.com", "zourasecuritieslitgation.com", "armaxglobal.com", "postnarkapp.com", "wordhardeatbold.com", "greatdanedirects.site", "expressbelgium.com", "sophie-allport.com", "say-it-loud.org.uk", "selltoejfast.com", "kasaautomotriz.com", "stalkingbigcarp.site", "floral-poetry.com", "tacobellsurvey.xyz", "expansioncon.com", "208573.com", "expocartoon.com", "sakkaboom.site", "brewat.online", "alien-store.store", "beachdaygames.com", "sidedishpgh.com", "weekpaidhouse.top", "serv3can.online", "cumbreenvases.com", "wxfssl.com", "noahsdata.com", "e-blmail.org.uk", "swampkmaj.com", "idyllnewfoundland.com", "aerobrasil.net", "makotog4blog.com", "manuacevedo.com", "awakenedsaints.com", "hwps.us", "roxycinemamiddlesbrough.com", "am023.ltd", "xc-novel.com", "credit-cards-96409.com", "robotica-electronica.com", "syglhs.com", "zlhcyljy.com", "glanceid.net", "victoring.com", "d08765.com", "lazada44.com", "fernielodging.company", "mysiriusgear.com", "universalemotions.com", "jfql.xyz", "risingsauce.com", "scotwastebathgate.co.uk", "clarencesp.com", "adiversaoemfailia.online", "brandisaw.xyz", "3670tom.com"]}

Exploits

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Windows\SysWOW64\cmd.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Windows\SysWOW64\cmd.exe			Jump to behavior

Found potential equation exploit (CVE-2017-11882)

Source:

Static RTF information: Object: 1 Offset: 001E86A2h

Document contains Microsoft Equation 3.0 OLE entries

Source: ~WRF{5A3C8D88-A016-4151-9911-DB6F195FA0DD}.tmp.0.dr

Stream path '_1721489228/\x1CompObj' : ...................F....Microsoft Equation 3.0....

Office Equation Editor has been started

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source:	Binary string: colorcpl.pdb source: notepad.exe, 00000009.00000002.1020603696.00000000002F4000.00000004.00000020.00020000.00000000.sdmp, notepad.exe, 00000009.00000002.1020465299.0000000000220000.00000040.10000000.00040000.00000000.sdmp
Source:	Binary string: notepad.pdb source: colorcpl.exe, 0000000C.00000002.1179725143.00000000002F7000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 0000000C.00000002.1184697656.0000000002B4F000.00000004.10000000.00040000.00000000.sdmp, explorer.exe, 00000010.00000000.1175303849.0000000003FEF000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: notepad.exe, notepad.exe, 00000009.00000002.1021176487.0000000000790000.00000040.00000800.00020000.00000000.sdmp, notepad.exe, 00000009.00000003.948950124.0000000000600000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000009.00000003.947157458.00000000004A0000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000009.00000002.1023131166.0000000000910000.00000040.00000800.00020000.00000000.sdmp, colorcpl.exe, 0000000C.00000003.1022005687.00000000024C0000.00000004.00000800.00020000.00000000.sdmp, colorcpl.exe, 0000000C.00000002.1181633457.0000000002650000.00000040.00000800.00020000.00000000.sdmp, colorcpl.exe, 0000000C.00000003.1020378573.0000000002360000.00000004.00000800.00020000.00000000.sdmp, colorcpl.exe, 0000000C.00000002.1183424286.00000000027D0000.00000040.00000800.00020000.00000000.sdmp
Source:	Binary string: notepad.pdbx source: colorcpl.exe, 0000000C.00000002.1179725143.00000000002F7000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 0000000C.00000002.1184697656.0000000002B4F000.00000004.10000000.00040000.00000000.sdmp, explorer.exe, 00000010.00000000.1175303849.0000000003FEF000.00000004.80000000.00040000.00000000.sdmp

Source: explorer.exe, 0000000A.00000000.969936518.00000000046D0000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 0000000A.00000000.1004334986.0000000003B10000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 0000000A.00000000.1004334986.0000000003B10000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 0000000A.00000000.984888257.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.952674805.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1062333301.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1001709760.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000000.1140645278.000000000037E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000000.1168478095.000000000037E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.1177864613.000000000037E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://java.sun.com
Source: explorer.exe, 0000000A.00000000.990578170.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 0000000A.00000000.990578170.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: explorer.exe, 0000000A.00000000.956332979.0000000001DD0000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: Client.exe, 00000005.00000002.948805262.0000000002251000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 0000000A.00000000.1008252295.0000000006450000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 0000000A.00000000.990578170.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 0000000A.00000000.969936518.00000000046D0000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 0000000A.00000000.969936518.00000000046D0000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 0000000A.00000000.990578170.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: explorer.exe, 0000000A.00000000.956332979.0000000001DD0000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 0000000A.00000000.984888257.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.952674805.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1062333301.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1001709760.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000000.1140645278.000000000037E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000000.1168478095.000000000037E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.1177864613.000000000037E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3
Source: explorer.exe, 0000000A.00000000.969936518.00000000046D0000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 0000000A.00000000.1004334986.0000000003B10000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 0000000A.00000000.990578170.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 0000000A.00000000.969936518.00000000046D0000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 0000000A.00000000.1004334986.0000000003B10000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000010.00000000.1142817645.00000000028D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 0000000A.00000000.980735957.0000000008611000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1010954444.0000000008611000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.997010696.0000000008611000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.piriform.com/ccleaner1SPS0
Source: explorer.exe, 00000010.00000002.1180212786.00000000028A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerL
Source: explorer.exe, 00000010.00000000.1141406151.00000000003F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000000.1169666502.00000000003F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.1179532511.00000000003F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/cclean
Source: explorer.exe, 0000000A.00000000.981696931.0000000008807000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.981376298.000000000869E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.998141320.000000000869E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1011250334.000000000869E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.1140594527.0000000002935000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000000.1141406151.00000000003F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000000.1169666502.00000000003F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.1179532511.00000000003F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.1184308439.0000000004BDF000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.1180212786.00000000028A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 0000000A.00000000.988513472.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1064634143.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.963611972.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1003285308.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerq
Source: explorer.exe, 0000000A.00000000.991708612.0000000004385000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1006533953.0000000004385000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1069727746.0000000004385000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.968708467.0000000004385000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerv
Source: explorer.exe, 0000000A.00000000.1004334986.0000000003B10000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: explorer.exe, 0000000A.00000000.984888257.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.952674805.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1062333301.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1001709760.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000000.1140645278.000000000037E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000000.1168478095.000000000037E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.1177864613.000000000037E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org
Source: explorer.exe, 0000000A.00000000.984888257.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.952674805.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1062333301.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1001709760.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000000.1140645278.000000000037E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000000.1168478095.000000000037E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.1177864613.000000000037E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: explorer.exe, 0000000A.00000000.984888257.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.952674805.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1062333301.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1001709760.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000000.1140645278.000000000037E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000000.1168478095.000000000037E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.1177864613.000000000037E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes

Source: SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.2764.rtf, type: SAMPLE	Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
Source: 9.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 9.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 9.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.0.notepad.exe.400000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 9.0.notepad.exe.400000.3.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.0.notepad.exe.400000.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 9.2.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.2.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.0.notepad.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 9.0.notepad.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.0.notepad.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.0.notepad.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 9.0.notepad.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.0.notepad.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.0.notepad.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 9.0.notepad.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.0.notepad.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 9.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.0.notepad.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 9.0.notepad.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.0.notepad.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 9.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 9.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.notepad.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 9.2.notepad.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.2.notepad.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000000.946833187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000000.946833187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000000.946833187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.1179366947.0000000000270000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000C.00000002.1179366947.0000000000270000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.1179366947.0000000000270000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.1020852335.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.1020852335.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.1020852335.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000000.936817902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000000.936817902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000000.936817902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.1180023035.0000000000430000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000C.00000002.1180023035.0000000000430000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.1180023035.0000000000430000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000000.936384023.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000000.936384023.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000000.936384023.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000000.1000544404.000000000B405000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000000.1000544404.000000000B405000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000000.1000544404.000000000B405000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000000.946015787.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000000.946015787.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000000.946015787.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.1020404984.00000000001C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.1020404984.00000000001C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.1020404984.00000000001C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.1177745038.00000000000E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000C.00000002.1177745038.00000000000E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.1177745038.00000000000E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000000.1011962365.000000000B405000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000000.1011962365.000000000B405000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000000.1011962365.000000000B405000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.1020827183.00000000003D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.1020827183.00000000003D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.1020827183.00000000003D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.956769759.0000000003276000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.956769759.0000000003276000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.956769759.0000000003276000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000000.946320961.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000000.946320961.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000000.946320961.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: Client.exe PID: 152, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: notepad.exe PID: 280, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: colorcpl.exe PID: 2564, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{5A3C8D88-A016-4151-9911-DB6F195FA0DD}.tmp, type: DROPPED	Matched rule: EXP_potential_CVE_2017_11882 Author: ReversingLabs

Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_001C1330	5_2_001C1330
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_001C3700	5_2_001C3700
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_001C4BA8	5_2_001C4BA8
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_001CA140	5_2_001CA140
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_001C9C18	5_2_001C9C18
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_00368418	5_2_00368418
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_0426A6D0	5_2_0426A6D0
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_04268458	5_2_04268458
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_0426B318	5_2_0426B318
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_0426B168	5_2_0426B168
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_04D70048	5_2_04D70048
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_04D90048	5_2_04D90048
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00401030	9_2_00401030
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00402D88	9_2_00402D88
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00402D90	9_2_00402D90
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_0041D5A3	9_2_0041D5A3
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00409E60	9_2_00409E60
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_0041EE6F	9_2_0041EE6F
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00409E1A	9_2_00409E1A
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_0041EF12	9_2_0041EF12
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_0041DFDB	9_2_0041DFDB
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00402FB0	9_2_00402FB0
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_007C905A	9_2_007C905A
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_007B3040	9_2_007B3040
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_007DD005	9_2_007DD005
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_007AE0C6	9_2_007AE0C6
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_0082D06D	9_2_0082D06D
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_007AE2E9	9_2_007AE2E9
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00851238	9_2_00851238
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_007FA37B	9_2_007FA37B
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_007B7353	9_2_007B7353
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_008563BF	9_2_008563BF
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_007B2305	9_2_007B2305
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_007D63DB	9_2_007D63DB
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_007AF3CF	9_2_007AF3CF
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_007ED47D	9_2_007ED47D
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_0083443E	9_2_0083443E
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_007C1489	9_2_007C1489
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_007E5485	9_2_007E5485
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_007F6540	9_2_007F6540
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_008305E3	9_2_008305E3
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_007B351F	9_2_007B351F
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_007CC5F0	9_2_007CC5F0
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_007FA634	9_2_007FA634
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00852622	9_2_00852622
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_007BE6C1	9_2_007BE6C1
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_007B4680	9_2_007B4680
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_0083579A	9_2_0083579A
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_007E57C3	9_2_007E57C3
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_007BC7BC	9_2_007BC7BC
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_007D286D	9_2_007D286D
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_007BC85C	9_2_007BC85C
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_0082F8C4	9_2_0082F8C4
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_0084F8EE	9_2_0084F8EE
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_0085098E	9_2_0085098E
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_007C69FE	9_2_007C69FE
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_0083394B	9_2_0083394B
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_007B29B2	9_2_007B29B2
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00835955	9_2_00835955
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00863A83	9_2_00863A83
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_0085CBA4	9_2_0085CBA4
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_0083DBDA	9_2_0083DBDA
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_007D7B00	9_2_007D7B00
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_007BCD5B	9_2_007BCD5B
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_007E0D3B	9_2_007E0D3B
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_0084FDDD	9_2_0084FDDD
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_007CEE4C	9_2_007CEE4C
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_007E2E2F	9_2_007E2E2F
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_007DDF7C	9_2_007DDF7C
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_0084CFB1	9_2_0084CFB1
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_007C0F3F	9_2_007C0F3F
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00822FDC	9_2_00822FDC
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_001FA036	9_2_001FA036
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_001F1082	9_2_001F1082
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_001FB232	9_2_001FB232
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_001FE5CD	9_2_001FE5CD
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_001F8912	9_2_001F8912
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_001F5B32	9_2_001F5B32
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_001F5B30	9_2_001F5B30

Source: C:\Windows\SysWOW64\notepad.exe	Code function: String function: 007F3F92 appears 132 times
Source: C:\Windows\SysWOW64\notepad.exe	Code function: String function: 007ADF5C appears 123 times
Source: C:\Windows\SysWOW64\notepad.exe	Code function: String function: 007F373B appears 245 times
Source: C:\Windows\SysWOW64\notepad.exe	Code function: String function: 0081F970 appears 84 times
Source: C:\Windows\SysWOW64\notepad.exe	Code function: String function: 007AE2A8 appears 38 times

Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_001C2588 NtQuerySystemInformation,	5_2_001C2588
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_001C2580 NtQuerySystemInformation,	5_2_001C2580
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_0035F180 NtResumeThread,	5_2_0035F180
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_0035D2B0 NtProtectVirtualMemory,	5_2_0035D2B0
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_0035DC90 NtSetContextThread,	5_2_0035DC90
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_0035CDD8 NtAllocateVirtualMemory,	5_2_0035CDD8
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_0035D798 NtWriteVirtualMemory,	5_2_0035D798
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_003600D8 NtClose,	5_2_003600D8
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_003600D7 NtClose,	5_2_003600D7
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_04D7BAB8 NtWriteVirtualMemory,	5_2_04D7BAB8
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_04D7BF98 NtCreateThreadEx,	5_2_04D7BF98
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_0041A360 NtCreateFile,	9_2_0041A360
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_0041A410 NtReadFile,	9_2_0041A410
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_0041A490 NtClose,	9_2_0041A490
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_0041A540 NtAllocateVirtualMemory,	9_2_0041A540
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_0041A35A NtCreateFile,	9_2_0041A35A
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_0041A31D NtCreateFile,	9_2_0041A31D
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_0041A4BA NtClose,	9_2_0041A4BA
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_007A0078 NtResumeThread,LdrInitializeThunk,	9_2_007A0078
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_007A0048 NtProtectVirtualMemory,LdrInitializeThunk,	9_2_007A0048
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_007A00C4 NtCreateFile,LdrInitializeThunk,	9_2_007A00C4
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_0079F900 NtReadFile,LdrInitializeThunk,	9_2_0079F900
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_0079F9F0 NtClose,LdrInitializeThunk,	9_2_0079F9F0
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_0079FAE8 NtQueryInformationProcess,LdrInitializeThunk,	9_2_0079FAE8
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_0079FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,	9_2_0079FAD0
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_0079FB68 NtFreeVirtualMemory,LdrInitializeThunk,	9_2_0079FB68
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_0079FBB8 NtQueryInformationToken,LdrInitializeThunk,	9_2_0079FBB8
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_0079FC60 NtMapViewOfSection,LdrInitializeThunk,	9_2_0079FC60
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_0079FC90 NtUnmapViewOfSection,LdrInitializeThunk,	9_2_0079FC90
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_0079FDC0 NtQuerySystemInformation,LdrInitializeThunk,	9_2_0079FDC0
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_0079FD8C NtDelayExecution,LdrInitializeThunk,	9_2_0079FD8C
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_0079FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,	9_2_0079FED0
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_0079FEA0 NtReadVirtualMemory,LdrInitializeThunk,	9_2_0079FEA0
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_0079FFB4 NtCreateSection,LdrInitializeThunk,	9_2_0079FFB4
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_007A0060 NtQuerySection,	9_2_007A0060
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_007A10D0 NtOpenProcessToken,	9_2_007A10D0
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_007A1148 NtOpenThread,	9_2_007A1148
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_007A010C NtOpenDirectoryObject,	9_2_007A010C
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_007A01D4 NtSetValueKey,	9_2_007A01D4
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_007A07AC NtCreateMutant,	9_2_007A07AC
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_0079F8CC NtWaitForSingleObject,	9_2_0079F8CC
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_0079F938 NtWriteFile,	9_2_0079F938
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_007A1930 NtSetContextThread,	9_2_007A1930
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_0079FA50 NtEnumerateValueKey,	9_2_0079FA50
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_0079FA20 NtQueryInformationFile,	9_2_0079FA20
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_0079FAB8 NtQueryValueKey,	9_2_0079FAB8
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_0079FB50 NtCreateKey,	9_2_0079FB50
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_0079FBE8 NtQueryVirtualMemory,	9_2_0079FBE8
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_0079FC48 NtSetInformationFile,	9_2_0079FC48
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_007A0C40 NtGetContextThread,	9_2_007A0C40
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_0079FC30 NtOpenProcess,	9_2_0079FC30
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_0079FD5C NtEnumerateKey,	9_2_0079FD5C
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_007A1D80 NtSuspendThread,	9_2_007A1D80
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_0079FE24 NtWriteVirtualMemory,	9_2_0079FE24
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_0079FF34 NtQueueApcThread,	9_2_0079FF34
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_0079FFFC NtCreateProcessEx,	9_2_0079FFFC
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_001FA036 NtQueryInformationProcess,RtlWow64SuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,NtClose,	9_2_001FA036
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_001FA042 NtQueryInformationProcess,	9_2_001FA042

Source: C:\Windows\explorer.exe	Process Stats: CPU usage > 98%
Source: C:\Windows\SysWOW64\colorcpl.exe	Process Stats: CPU usage > 98%

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 77620000 page execute and read and write	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 77740000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Memory allocated: 77620000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Memory allocated: 77740000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\notepad.exe	Memory allocated: 77620000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\notepad.exe	Memory allocated: 77740000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Memory allocated: 77620000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Memory allocated: 77740000 page execute and read and write	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................C.:.\.W.i.n.d.o.w.s.\.S.y.s.W.O.W.6.4.\.n.o.t.e.p.a.d...e.x.e.....!.............h.!.....B.........F.......F.....			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ......................F.........A.c.c.e.s.s. .i.s. .d.e.n.i.e.d.........P1V.......4.t...........0...............h.!.....&.................F.....			Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Windows\SysWOW64\cmd.exe CmD.exe /C %tmp%\Client.exe A C
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\Client.exe C:\Users\user\AppData\Local\Temp\Client.exe A C
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process created: C:\Windows\SysWOW64\notepad.exe C:\Windows\SysWOW64\notepad.exe /Processid:{E9404046-8D8A-4DD0-8368-370A12D9C21C}
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\autochk.exe C:\Windows\SysWOW64\autochk.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\SysWOW64\colorcpl.exe
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\notepad.exe"
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe"
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Windows\SysWOW64\cmd.exe CmD.exe /C %tmp%\Client.exe A C	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\Client.exe C:\Users\user\AppData\Local\Temp\Client.exe A C	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process created: C:\Windows\SysWOW64\notepad.exe C:\Windows\SysWOW64\notepad.exe /Processid:{E9404046-8D8A-4DD0-8368-370A12D9C21C}	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\notepad.exe"	Jump to behavior

Source: SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.2764.rtf, type: SAMPLE	Matched rule: MAL_RTF_Embedded_OLE_PE date = 2018-01-22, author = Florian Roth, description = Detects a suspicious string often used in PE files in a hex encoded object stream, reference = https://www.nextron-systems.com/2018/01/22/creating-yara-rules-detect-embedded-exe-files-ole-objects/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.2764.rtf, type: SAMPLE	Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
Source: 9.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 9.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 9.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.0.notepad.exe.400000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 9.0.notepad.exe.400000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.0.notepad.exe.400000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 9.2.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.2.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.0.notepad.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 9.0.notepad.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.0.notepad.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.0.notepad.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 9.0.notepad.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.0.notepad.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.0.notepad.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 9.0.notepad.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.0.notepad.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 9.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.0.notepad.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 9.0.notepad.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.0.notepad.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 9.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 9.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.notepad.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 9.2.notepad.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.2.notepad.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000000.946833187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000000.946833187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE

Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_001C913A pushad ; ret	5_2_001C9159
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_001C9132 push eax; ret	5_2_001C9139
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_001C9172 pushad ; ret	5_2_001C9159
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_001CAAD0 push esp; iretd	5_2_001CAAD1
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_001CAB50 pushfd ; iretd	5_2_001CAB51
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_001C8F78 push esp; retn 001Bh	5_2_001C8F79
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_001C8FF2 pushfd ; retn 001Bh	5_2_001C8FF9
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_0036BD84 push ds; ret	5_2_0036BD85
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_0036CA1C push ss; ret	5_2_0036CA21
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_0038043C push E8000006h; retf	5_2_00380441
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_00383A96 push 036CB505h; ret	5_2_00383AB9
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_04263AAF push esi; iretd	5_2_04263AB0
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_04D72CFB push 800FD82Bh; retf 007Fh	5_2_04D72D0F
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_04D75512 push 800FD82Bh; retn 0057h	5_2_04D75517
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_04D74B11 push 800FD82Bh; ret	5_2_04D74B16
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_04D95E86 push edi; retf	5_2_04D95E87
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_04E5584E push 800FD803h; iretd	5_2_04E5585A
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 5_2_04E55937 push 800FF02Bh; retf	5_2_04E5595E
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_0041E8D3 push ss; ret	9_2_0041E8DC
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_004168BB push esp; iretd	9_2_004168E4
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_0040E2F2 push es; retf	9_2_0040E2F4
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_0041D4B5 push eax; ret	9_2_0041D508
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_0041D56C push eax; ret	9_2_0041D572
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_0041D502 push eax; ret	9_2_0041D508
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_0041D50B push eax; ret	9_2_0041D572
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_00416608 push edi; retf	9_2_00416623
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_004166AA push edx; ret	9_2_004166AB
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_007ADFA1 push ecx; ret	9_2_007ADFB4
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_001FE9B5 push esp; retn 0000h	9_2_001FEAE7
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_001FEB1E push esp; retn 0000h	9_2_001FEB1F
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 9_2_001FEB02 push esp; retn 0000h	9_2_001FEB03

Source: Client.exe.0.dr	Static PE information: section name: sn=><v
Source: Client.exe.0.dr	Static PE information: section name:

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\notepad.exe	RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\notepad.exe	RDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\colorcpl.exe	RDTSC instruction interceptor: First address: 00000000000E9904 second address: 00000000000E990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\colorcpl.exe	RDTSC instruction interceptor: First address: 00000000000E9B7E second address: 00000000000E9B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 772	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 772	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe TID: 2028	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2696	Thread sleep time: -420000s >= -30000s	Jump to behavior

Source: explorer.exe, 0000000A.00000000.969139281.00000000043F0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: explorer.exe, 00000010.00000002.1177864613.000000000037E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000010.00000002.1179532511.00000000003F6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0<
Source: explorer.exe, 0000000A.00000000.969139281.00000000043F0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: explorer.exe, 0000000A.00000000.952882522.000000000037B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.08tp
Source: explorer.exe, 0000000A.00000000.1006841294.0000000004423000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000000.991627591.000000000434F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: ide\cdromnecvmwar_vmware_sata_cd01_______________1.00____\6&373888b8&0&1.0.0Q
Source: explorer.exe, 0000000A.00000000.969139281.00000000043F0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: v6nel\5&35c44269e\cdromnvmware_sata_
Source: explorer.exe, 0000000A.00000000.1001709760.0000000000335000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}(

Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\notepad.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section unmapped: C:\Windows\SysWOW64\notepad.exe base address: 400000			Jump to behavior
Source: C:\Windows\SysWOW64\notepad.exe	Section unmapped: C:\Windows\SysWOW64\colorcpl.exe base address: 490000			Jump to behavior

Source: C:\Windows\SysWOW64\notepad.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\notepad.exe	Section loaded: unknown target: C:\Windows\SysWOW64\colorcpl.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\notepad.exe	Section loaded: unknown target: C:\Windows\SysWOW64\colorcpl.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Windows Analysis Report SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.2764.27077

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Exploits

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted URLs

Windows Analysis Report
SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.2764.27077

Source: C:\Users\user\AppData\Local\Temp\Client.exe	Memory written: C:\Windows\SysWOW64\notepad.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Memory written: C:\Windows\SysWOW64\notepad.exe base: 401000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Memory written: C:\Windows\SysWOW64\notepad.exe base: 7EFDE008	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Memory written: C:\Windows\SysWOW64\notepad.exe base: 80000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Memory written: C:\Windows\SysWOW64\notepad.exe base: 77A7975D	Jump to behavior

Source: C:\Windows\SysWOW64\notepad.exe	Thread register set: target process: 1860			Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Thread register set: target process: 1860			Jump to behavior

Source: explorer.exe, 0000000A.00000000.1002159540.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.986364023.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.1063014560.0000000000830000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000A.00000000.1002159540.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.984888257.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.952674805.0000000000335000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000010.00000000.1168115195.00000000001BA000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: Program ManagerProgman7
Source: explorer.exe, 0000000A.00000000.1002159540.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.986364023.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.1063014560.0000000000830000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager<

Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Client.exe VolumeInformation			Jump to behavior

ID:	680530
Product:	CloudBasic
Start time:	18:40:24
Start date:	08.08.2022
Sample:	SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.2764.27077
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	a5b0c571197ee2931e12f11caf138eff
SHA1:	a4355fe45e321b99274f8000c5ac9c08f7146b28
SHA256:	00915bcbff87b2e195e1547df8e1944cadcdc6aa46beb130bd5a960dff01c7e3
Filetype:	Rich Text Format (5005/1) 55.56%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{5A3C8D88-A016-4151-9911-DB6F195FA0DD}.tmp	Composite Document File V2 Document, Cannot read section info	4F21F03C3041A4441F3D7CB34F15BB5F	F7F6D3D57D0FE2E723D35534A5887214CE3B9BD8	83D6D72D2C5140FC1C7CB6D6DBADA9B9421CE54E4E96DDBB099D9064956E02EA
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{A951AE7E-D2D4-47F1-B4B4-2F2B249A12BF}.tmp	data	5D4D94EE7E06BBB0AF9584119797B23A	DBB111419C704F116EFA8E72471DD83E86E49677	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E3A4F74B-8D8B-4273-8507-885596050B2F}.tmp	data	75FCAEF5B6C0ADE6AF66F49874853C6A	834FA72EEF104773D7052895798FED035EF01594	01E456476480AA1FD27ACF8F02AEA30D9B09581579A029154A6CD2A6850C85A0
C:\Users\user\AppData\Local\Temp\Client.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	599BB05227A88A5C83E36E05D67DA0EA	663EBDC243BDF990D2950A0BCAB08CF316BDFF50	2D63CA0053F446B5531AA5703C136586CEC0635994FD5DEE51DF7FE51DF58EB4
C:\Users\user\AppData\Local\Temp\Client.exe:Zone.Identifier	ASCII text, with CRLF line terminators	FBCCF14D504B7B2DBCB5A5BDA75BD93B	D59FC84CDD5217C6CF74785703655F78DA6B582B	EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.2764.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Aug 9 00:41:01 2022, mtime=Tue Aug 9 00:41:01 2022, atime=Tue Aug 9 00:41:11 2022, length=2920194, window=hide	32B89312713DBA78D97CEC329D156889	2EB5385E7FB3E2B30519AC202BB0247ABBCBCD3E	C1424ED0C28323E344068F84B6385C6A88FF87C7F4E640C6CCC8AB07C4BED7DD
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat	ASCII text, with CRLF line terminators	E05B953212FAA9138D101E8B9D79F5A5	89690B0BA586C8B7F030B735BF88CFE1DB5DACD4	6D24EEBBA9E66EB4B5E0090AC160DBD82B63AFB49568F91B15C129C05F764A8A
C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm	data	7CFA404FD881AF8DF49EA584FE153C61	32D9BF92626B77999E5E44780BF24130F3D23D66	248DB6BD8C5CD3542A5C0AE228D3ACD6D8A7FA0C0C62ABC3E178E57267F6CCD7
C:\Users\user\Desktop\~$curiteInfo.com.Exploit.Rtf.Obfuscated.32.2764.rtf	data	7CFA404FD881AF8DF49EA584FE153C61	32D9BF92626B77999E5E44780BF24130F3D23D66	248DB6BD8C5CD3542A5C0AE228D3ACD6D8A7FA0C0C62ABC3E178E57267F6CCD7