Windows Analysis Report
202404294766578200.xlam.xlsx

Overview

General Information

Sample name: 202404294766578200.xlam.xlsx
Analysis ID: 1435094
MD5: 9336f772a40e762cc855b7c9b75b1d28
SHA1: 837d90dbe2f9c267e26ad4e170b7bd03d199f335
SHA256: ca377ebfd8e0d57754a3780b6b7360a76efad94c8d5753e172a52802bf109ddc
Tags: AgentTesla, xlam, xlsx
Infos:

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Sigma detected: Remcos
System process connects to network (likely due to code injection or exploit)
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Document exploit detected (process start blacklist hit)
Drops VBS files to the startup folder
Found API chain indicative of sandbox detection
Installs a global keyboard hook
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Office equation editor drops PE file
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Searches for Windows Mail specific files
Shellcode detected
Sigma detected: Equation Editor Network Connection
Sigma detected: Suspicious Binary In User Directory Spawned From Office Application
Sigma detected: Suspicious Microsoft Office Child Process
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Abnormal high CPU Usage
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to execute programs as a different user
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found decision node followed by non-executed suspicious APIs
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Office Equation Editor has been started
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Uncommon Svchost Parent Process
Stores files to the Windows start menu directory
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

AV Detection

Source: 202404294766578200.xlam.xlsx Avira: detected
Source: http://geoplugin.net/json.gp/C URL Reputation: Label: phishing
Source: http://geoplugin.net/json.gp URL Reputation: Label: phishing
Source: http://23.94.54.101/GVV.exe Avira URL Cloud: Label: malware
Source: 16.2.Bactris.exe.2990000.1.raw.unpack Malware Configuration Extractor: Remcos {"Version": "4.9.4 Pro", "Host:Port:Password": "yuahdgbceja.sytes.net:2766:1", "Assigned name": "Grace-Host2024", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "AppData", "Copy file": "hua.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-E70NOS", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Enable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: 202404294766578200.xlam.xlsx ReversingLabs: Detection: 68%
Source: 202404294766578200.xlam.xlsx Virustotal: Detection: 50%
Source: Yara match File source: 17.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.Bactris.exe.2990000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.Bactris.exe.2990000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000002.783602919.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.762640645.0000000002990000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Bactris.exe PID: 3740, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 3680, type: MEMORYSTR
Source: C:\Users\user\AppData\Roaming\YED.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 17_2_00433837
Source: Bactris.exe, 00000010.00000002.762640645.0000000002990000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_64e20cd0-e

Exploits

Source: Yara match File source: 17.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.Bactris.exe.2990000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.Bactris.exe.2990000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000002.783602919.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.762640645.0000000002990000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Bactris.exe PID: 3740, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 3680, type: MEMORYSTR
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Network connect: IP: 23.94.54.101 Port: 80
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\YED.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\YED.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Privilege Escalation

Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_004074FD _wcslen,CoGetObject, 17_2_004074FD
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\Google
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\Google\GoogleUpdater
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\chrome_BITS_1564_1766989274
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: wntdll.pdb source: Bactris.exe, 00000010.00000003.762094067.0000000002C70000.00000004.00001000.00020000.00000000.sdmp, Bactris.exe, 00000010.00000003.761995898.0000000002B10000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_2_0027DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 3_2_0027DBBE
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_2_0024C2A2 FindFirstFileExW, 3_2_0024C2A2
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_2_002868EE FindFirstFileW,FindClose, 3_2_002868EE
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_2_0028698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 3_2_0028698F
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_2_0027D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 3_2_0027D076
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_2_0027D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 3_2_0027D3A9
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_2_00289642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 3_2_00289642
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_2_0028979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 3_2_0028979D
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Code function: 16_2_010EDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 16_2_010EDBBE
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Code function: 16_2_010BC2A2 FindFirstFileExW, 16_2_010BC2A2
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Code function: 16_2_010F698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 16_2_010F698F
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Code function: 16_2_010F68EE FindFirstFileW,FindClose, 16_2_010F68EE
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Code function: 16_2_010ED076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 16_2_010ED076
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Code function: 16_2_010ED3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 16_2_010ED3A9
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Code function: 16_2_010F979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 16_2_010F979D
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Code function: 16_2_010F9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 16_2_010F9642
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Code function: 16_2_010F9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 16_2_010F9B2B
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Code function: 16_2_010F5C97 FindFirstFileW,FindNextFileW,FindClose, 16_2_010F5C97
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 17_2_00409253
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 17_2_0041C291
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 17_2_0040C34D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 17_2_00409665
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0044E879 FindFirstFileExA, 17_2_0044E879
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 17_2_0040880C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0040783C FindFirstFileW,FindNextFileW, 17_2_0040783C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW, 17_2_00419AF5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 17_2_0040BB30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 17_2_0040BD37
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 17_2_100010F1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_10006580 FindFirstFileExA, 17_2_10006580
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 17_2_00407C97
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Windows\SysWOW64\config\systemprofile\
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\

Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_0350055E WriteFile, 2_2_0350055E
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_0350045F CreateFileW, 2_2_0350045F
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_035004F6 WriteFile, 2_2_035004F6
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_035005E9 WriteFile,WinExec,ExitProcess, 2_2_035005E9
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_03500496 LoadLibraryW, 2_2_03500496
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_0350069C WinExec,ExitProcess, 2_2_0350069C
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_035003D0 CreateFileW, 2_2_035003D0
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_03500254 CreateFileW, 2_2_03500254
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_035002DF CreateFileW, 2_2_035002DF
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_03500542 WriteFile, 2_2_03500542
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_03500244 CreateFileW, 2_2_03500244
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_03500249 CreateFileW, 2_2_03500249
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_0350024B CreateFileW, 2_2_0350024B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_035002CB CreateFileW, 2_2_035002CB
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_0350044C CreateFileW, 2_2_0350044C
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_0350034C CreateFileW, 2_2_0350034C
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_035002CE CreateFileW, 2_2_035002CE
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_035005CF WriteFile, 2_2_035005CF
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_035002F5 CreateFileW, 2_2_035002F5
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_03500279 CreateFileW, 2_2_03500279
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_035002EB CreateFileW, 2_2_035002EB
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_035003EC CreateFileW, 2_2_035003EC
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_0350026D CreateFileW, 2_2_0350026D
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_03500391 CreateFileW, 2_2_03500391
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_03500292 CreateFileW, 2_2_03500292
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_03500413 CreateFileW, 2_2_03500413
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_0350031A CreateFileW, 2_2_0350031A
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_0350031F CreateFileW, 2_2_0350031F
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_03500289 CreateFileW, 2_2_03500289
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_0350058F WriteFile, 2_2_0350058F
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_0350028F CreateFileW, 2_2_0350028F
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_035003B7 ExitProcess,CreateFileW, 2_2_035003B7
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_035006BC ExitProcess, 2_2_035006BC
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_0350033F CreateFileW, 2_2_0350033F
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_03500224 CreateFileW, 2_2_03500224
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_035002A4 CreateFileW, 2_2_035002A4
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_035005AB WriteFile, 2_2_035005AB

Networking

Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 23.94.53.100 2766
Source: C:\Windows\SysWOW64\svchost.exe Domain query: geoplugin.net
Source: C:\Windows\SysWOW64\svchost.exe Domain query: yuahdgbceja.sytes.net
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 178.237.33.50 80
Source: Malware configuration extractor URLs: yuahdgbceja.sytes.net
Source: global traffic TCP traffic: 192.168.2.22:49182 -> 23.94.53.100:2766
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Content-Type: application/octet-stream Last-Modified: Thu, 02 May 2024 08:28:48 GMT Accept-Ranges: bytes ETag: W/"4ca767c16a9cda1:0" Server: Microsoft-IIS/8.5 Date: Thu, 02 May 2024 02:54:52 GMT Content-Length: 1402368
Source: global traffic HTTP traffic detected: GET /GVV.exe HTTP/1.1 Connection: Keep-Alive Host: 23.94.54.101
Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
Source: Joe Sandbox View IP Address: 239.255.255.250
Source: Joe Sandbox View IP Address: 178.237.33.50
Source: Joe Sandbox View ASN Name: AS-COLOCROSSINGUS
Source: Joe Sandbox View ASN Name: ATOM86-ASATOM86NL
Source: unknown TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_2_0028CE44 InternetReadFile,SetEvent,GetLastError,SetEvent, 3_2_0028CE44
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\json[1].json
Source: global traffic HTTP traffic detected: GET /chrome/whats-new/m109?internal=true HTTP/1.1 Host: www.google.com Connection: keep-alive Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br
Source: global traffic HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CIa2yQEIorbJAQipncoBCKj3ygEIlqHLAQiFoM0BCNy9zQEIuMjNAQ== Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: CONSENT=PENDING+962; SOCS=CAESHAgCEhJnd3NfMjAyMzA4MDEtMF9SQzMaAmVuIAEaBgiAi8amBg; __Secure-ENID=14.SE=LM-NkPAvbCtuNhK73uRS1U27fKMegq7R6_Ue_GnOGI1dekNKandC6Dto1fKS9ocnnyUmf2MAXGM269U9HhkgndYLxWy3FrZaGzh_yODdv1ouU12fBCNmRhMUwM3dzKbRlYRnbKhIQz9fV5WGdCRRjXQx5RGii6FbIw100Hc46oWQ6bysmy2hqA
Source: global traffic HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIa2yQEIorbJAQipncoBCKj3ygEIlqHLAQiFoM0BCNy9zQEIuMjNAQ==Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/ddljson%3Fasync%3Dntp:2&q=EgS_YJbhGMmBzLEGIjB5NrDOyf958iCbJpAJxeAyyHGDgUuUJYBV60K9olc20v99BBChXQUVByr6JLh_QvcyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-02-02; NID=513=nQDSKKCUY72nbduCHcRHhXACOPv96Kxy9BGRkfztkyu42Rwrd_gHXoam_RmDAYCnj8eZlKgLn5fWew08N8kSyFNPm8WqA8IlPx75gPq5HjHDBfOIlzDJCalLIF09aVWJgIdxbVFWcdPC2s7k68aYWtAFmlXnyKvJy0ZNSikFz3w
Source: global traffic HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgS_YJbhGMqBzLEGIjAmi-UIIFqSTjkw-RfWXi2GfkOK6xdeNQDHNk-OB5e4eww8XVW3FAYyUUV3pTR2uxYyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIa2yQEIorbJAQipncoBCKj3ygEIlqHLAQiFoM0BCNy9zQEIuMjNAQ==Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-02-02; NID=513=nQDSKKCUY72nbduCHcRHhXACOPv96Kxy9BGRkfztkyu42Rwrd_gHXoam_RmDAYCnj8eZlKgLn5fWew08N8kSyFNPm8WqA8IlPx75gPq5HjHDBfOIlzDJCalLIF09aVWJgIdxbVFWcdPC2s7k68aYWtAFmlXnyKvJy0ZNSikFz3w
Source: global traffic HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS_YJbhGMuBzLEGIjDHkOYETEkfpPO5BNVM4qFB3EzErW1N_BxHwWaZNSSd6fpa03DeWClTlQmn-8-Tj7IyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-02-02; NID=513=fgAQ-FMftBn8U6qLB_xWWkkkc9DVEvN_N6o2tEue_K4GUZExVgaPgdzwdYTojqKVxXyKNrqWVPheSLnkhhM1Yn5U2V873JQdGiigIZ_Y-T9zYj0D29_T15mASCX6KaFQVRLJg0wObsmDE1eXTDGt31FHclpLdrGt-svEoASRDdY
Source: global traffic HTTP traffic detected: GET /GVV.exe HTTP/1.1Connection: Keep-AliveHost: 23.94.54.101
Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
Source: bhvA8BE.tmp.20.dr String found in binary or memory: Cookie:user@www.linkedin.com/ equals www.linkedin.com (Linkedin)
Source: svchost.exe, 00000011.00000002.783747275.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000016.00000002.769616535.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuddy)
Source: svchost.exe, 00000011.00000002.783747275.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000016.00000002.769616535.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuddy)
Source: svchost.exe, 00000014.00000003.778758157.000000000016D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: s://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/loginaultGetItem equals www.facebook.com (Facebook)
Source: svchost.exe, 00000014.00000003.778758157.000000000016D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: s://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/loginaultGetItem equals www.yahoo.com (Yahoo)
Source: bhvA8BE.tmp.20.dr String found in binary or memory: www.linkedin.come equals www.linkedin.com (Linkedin)
Source: svchost.exe, 00000011.00000002.783884245.0000000003020000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000014.00000002.778834559.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: svchost.exe, 00000011.00000002.783884245.0000000003020000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000014.00000002.778834559.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: yuahdgbceja.sytes.net
Source: global traffic DNS traffic detected: DNS query: geoplugin.net
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundCross-Origin-Resource-Policy: cross-originContent-Type: text/html; charset=UTF-8X-Content-Type-Options: nosniffAccept-CH: Sec-Ch-Ua-Full-Version-List, Sec-Ch-Ua-Platform, Sec-Ch-Ua-Platform-Version, Sec-CH-Prefers-Reduced-MotionCritical-CH: Sec-Ch-Ua-Full-Version-List, Sec-Ch-Ua-Platform, Sec-Ch-Ua-Platform-Version, Sec-CH-Prefers-Reduced-MotionVary: Accept-Encoding, Sec-Ch-Ua-Full-Version-List, Sec-Ch-Ua-Platform, Sec-Ch-Ua-Platform-Version, Sec-CH-Prefers-Reduced-MotionDate: Thu, 02 May 2024 02:56:04 GMTServer: sffeContent-Length: 187622X-XSS-Protection: 0Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Connection: close
Source: EQNEDT32.EXE, 00000002.00000002.535775518.000000000061D000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.535775518.00000000005EF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://23.94.54.101/GVV.exe
Source: bhvA8BE.tmp.20.dr String found in binary or memory: http://acdn.adnxs.com/ast/ast.js
Source: bhvA8BE.tmp.20.dr String found in binary or memory: http://acdn.adnxs.com/ib/static/usersync/v3/async_usersync.html
Source: bhvA8BE.tmp.20.dr String found in binary or memory: http://b.scorecardresearch.com/beacon.js
Source: bhvA8BE.tmp.20.dr String found in binary or memory: http://cache.btrll.com/default/Pix-1x1.gif
Source: bhvA8BE.tmp.20.dr String found in binary or memory: http://cdn.at.atwola.com/_media/uac/msn.html
Source: bhvA8BE.tmp.20.dr String found in binary or memory: http://cdn.taboola.com/libtrc/impl.thin.277-63-RELEASE.js
Source: bhvA8BE.tmp.20.dr String found in binary or memory: http://cdn.taboola.com/libtrc/msn-home-network/loader.js
Source: bhvA8BE.tmp.20.dr String found in binary or memory: http://cdn.taboola.com/libtrc/static/thumbnails/f539211219b796ffbb49949997c764f0.png
Source: bhvA8BE.tmp.20.dr String found in binary or memory: http://csp.yahoo.com/beacon/csp?src=yahoocom-expect-ct-report-only
Source: bhvA8BE.tmp.20.dr String found in binary or memory: http://dis.criteo.com/dis/usersync.aspx?r=7&p=3&cp=appnexus&cu=1&url=http%3A%2F%2Fib.adnxs.com%2Fset
Source: svchost.exe, svchost.exe, 00000011.00000002.783667001.0000000000914000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp
Source: Bactris.exe, 00000010.00000002.762640645.0000000002990000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.783602919.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp/C
Source: bhvA8BE.tmp.20.dr String found in binary or memory: http://ib.adnxs.com/pxj?bidder=18&seg=378601&action=setuids(
Source: bhvA8BE.tmp.20.dr String found in binary or memory: http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_80%2Ch_334%2Cw_312%2Cc_fill%2Cg_faces%2Ce_sh
Source: bhvA8BE.tmp.20.dr String found in binary or memory: http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_167%2Cw_312%2Cc_fill%2Cg_faces%2Ce_
Source: bhvA8BE.tmp.20.dr String found in binary or memory: http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_90%2Cw_120%2Cc_fill%2Cg_faces:auto%
Source: bhvA8BE.tmp.20.dr String found in binary or memory: http://o.aolcdn.com/ads/adswrappermsni.js
Source: bhvA8BE.tmp.20.dr String found in binary or memory: http://p.rfihub.com/cm?in=1&pub=345&userid=1614522055312108683
Source: bhvA8BE.tmp.20.dr String found in binary or memory: http://pr-bh.ybp.yahoo.com/sync/msft/1614522055312108683
Source: bhvA8BE.tmp.20.dr String found in binary or memory: http://static.chartbeat.com/js/chartbeat.js
Source: bhvA8BE.tmp.20.dr String found in binary or memory: http://widgets.outbrain.com/external/publishers/msn/MSNIdSync.js
Source: svchost.exe, 00000011.00000002.783747275.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000016.00000002.769616535.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.ebuddy.com
Source: svchost.exe, 00000011.00000002.783747275.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000016.00000002.769616535.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.imvu.com
Source: svchost.exe, 00000016.00000002.769567756.000000000014C000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://www.imvu.com/T
Source: svchost.exe, 00000011.00000002.783747275.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000016.00000002.769616535.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: svchost.exe, 00000011.00000002.783747275.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000016.00000002.769616535.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.imvu.comr
Source: bhvA8BE.tmp.20.dr String found in binary or memory: http://www.msn.com/
Source: bhvA8BE.tmp.20.dr String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: bhvA8BE.tmp.20.dr String found in binary or memory: http://www.msn.com/advertisement.ad.js
Source: bhvA8BE.tmp.20.dr String found in binary or memory: http://www.msn.com/de-de/?ocid=iehp
Source: svchost.exe, 00000014.00000002.778795762.00000000001E3000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net
Source: svchost.exe, 00000016.00000002.769616535.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net/
Source: chp8DDF.tmp.20.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: bhvA8BE.tmp.20.dr String found in binary or memory: https://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.9.1.min.js
Source: chp8DDF.tmp.20.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: bhvA8BE.tmp.20.dr String found in binary or memory: https://contextual.media.net/
Source: bhvA8BE.tmp.20.dr String found in binary or memory: https://contextual.media.net/8/nrrV73987.js
Source: bhvA8BE.tmp.20.dr String found in binary or memory: https://contextual.media.net/803288796/fcmain.js?&gdpr=1&cid=8CUT39MWR&cpcd=2K6DOtg60bLnBhB3D4RSbQ%3
Source: bhvA8BE.tmp.20.dr String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2
Source: bhvA8BE.tmp.20.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1
Source: bhvA8BE.tmp.20.dr String found in binary or memory: https://cvision.media.net/new/286x175/2/137/169/197/852af93e-e705-48f1-93ba-6ef64c8308e6.jpg?v=9
Source: bhvA8BE.tmp.20.dr String found in binary or memory: https://cvision.media.net/new/286x175/3/72/42/210/948f45db-f5a0-41ce-a6b6-5cc9e8c93c16.jpg?v=9
Source: bhvA8BE.tmp.20.dr String found in binary or memory: https://dc.ads.linkedin.com/collect/?pid=6883&opid=7850&fmt=gif&ck=&3pc=true&an_user_id=591650497549
Source: bhvA8BE.tmp.20.dr String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: chp8DDF.tmp.20.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: svchost.exe, 00000014.00000002.778860586.00000000005DC000.00000004.00000020.00020000.00000000.sdmp, chp8DDF.tmp.20.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: chp8DDF.tmp.20.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: bhvA8BE.tmp.20.dr String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
Source: bhvA8BE.tmp.20.dr String found in binary or memory: https://policies.yahoo.com/w3c/p3p.xml
Source: bhvA8BE.tmp.20.dr String found in binary or memory: https://s.yimg.com/lo/api/res/1.2/cKqYjmGd5NGRXh6Xptm6Yg--~A/Zmk9ZmlsbDt3PTYyMjtoPTM2ODthcHBpZD1nZW1
Source: svchost.exe, 00000014.00000002.778860586.00000000005DC000.00000004.00000020.00020000.00000000.sdmp, chp8DDF.tmp.20.dr String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: svchost.exe, 00000014.00000002.778860586.00000000005DC000.00000004.00000020.00020000.00000000.sdmp, chp8DDF.tmp.20.dr String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
Source: svchost.exe, 00000014.00000002.778860586.00000000005DC000.00000004.00000020.00020000.00000000.sdmp, chp8DDF.tmp.20.dr String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
Source: bhvA8BE.tmp.20.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-eus/sc/9b/e151e5.gif
Source: bhvA8BE.tmp.20.dr String found in binary or memory: https://www.ccleaner.com/go/app_cc_pro_trialkey
Source: svchost.exe, 00000014.00000002.778860586.00000000005DC000.00000004.00000020.00020000.00000000.sdmp, chp8DDF.tmp.20.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: svchost.exe, 00000011.00000002.783747275.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000016.00000002.769616535.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: svchost.exe, 00000014.00000002.778860586.00000000005DC000.00000004.00000020.00020000.00000000.sdmp, chp8DDF.tmp.20.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: bhvA8BE.tmp.20.dr String found in binary or memory: https://www.msn.com/en-us/homepage/secure/silentpassport?secure=false&lc=1033
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown Network traffic detected: HTTP traffic on port 49163 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49179
Source: unknown Network traffic detected: HTTP traffic on port 49162 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49178
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49177
Source: unknown Network traffic detected: HTTP traffic on port 49181 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49163
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49162
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49172
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49181
Source: unknown Network traffic detected: HTTP traffic on port 49172 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49171 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49166 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49177 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49178 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49179 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0040A2B8 SetWindowsHookExA 0000000D,0040A2A4,00000000 17_2_0040A2B8
Source: C:\Windows\SysWOW64\svchost.exe Windows user hook set: 0 keyboard low level C:\Windows\SysWOW64\svchost.exe
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_2_0028EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 3_2_0028EAFF
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_2_0028ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 3_2_0028ED6A
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Code function: 16_2_010FED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 16_2_010FED6A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 17_2_004168C1
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_2_0027AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput, 3_2_0027AA57
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_2_002A9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 3_2_002A9576
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Code function: 16_2_01119576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 16_2_01119576

E-Banking Fraud

Source: Yara match File source: 17.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.Bactris.exe.2990000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.Bactris.exe.2990000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000002.783602919.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.762640645.0000000002990000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Bactris.exe PID: 3740, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 3680, type: MEMORYSTR

System Summary

Source: sheet1.xml, type: SAMPLE Matched rule: detects AutoLoad documents using LegacyDrawing Author: ditekSHen
Source: 17.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 17.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 16.2.Bactris.exe.2990000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 16.2.Bactris.exe.2990000.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 16.2.Bactris.exe.2990000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 16.2.Bactris.exe.2990000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 16.2.Bactris.exe.2990000.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 16.2.Bactris.exe.2990000.1.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 17.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 17.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000011.00000002.783602919.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000011.00000002.783602919.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000011.00000002.783602919.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000010.00000002.762640645.0000000002990000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000010.00000002.762640645.0000000002990000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000010.00000002.762640645.0000000002990000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: Process Memory Space: Bactris.exe PID: 3740, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: svchost.exe PID: 3680, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: YED.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: YED.exe, 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_724e584b-d
Source: YED.exe, 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_5ad92b34-6
Source: YED.exe, 00000003.00000003.756895707.0000000002A91000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_dc3c8c8e-f
Source: YED.exe, 00000003.00000003.756895707.0000000002A91000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_ba9b0a42-7
Source: Bactris.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Bactris.exe, 00000010.00000000.760231345.0000000001142000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_75d036b4-d
Source: Bactris.exe, 00000010.00000000.760231345.0000000001142000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_942574d1-6
Source: YED.exe.2.dr String found in binary or memory: This is a third-party compiled AutoIt script. memstr_c565d1f2-8
Source: YED.exe.2.dr String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_32c3c399-9
Source: Bactris.exe.3.dr String found in binary or memory: This is a third-party compiled AutoIt script. memstr_8317b557-0
Source: Bactris.exe.3.dr String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_f929ebf5-f
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Roaming\YED.exe
Source: C:\Users\user\AppData\Roaming\YED.exe Process Stats: CPU usage > 49%
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Memory allocated: 770B0000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\YED.exe Memory allocated: 770B0000 page execute and read and write
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_004180EF GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError, 17_2_004180EF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_004132D2 OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle, 17_2_004132D2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0041BB09 OpenProcess,NtSuspendProcess,CloseHandle, 17_2_0041BB09
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0041BB35 OpenProcess,NtResumeProcess,CloseHandle, 17_2_0041BB35
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_2_0027D5EB: CreateFileW,DeviceIoControl,CloseHandle, 3_2_0027D5EB
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_2_00271201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 3_2_00271201
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_2_0027E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 3_2_0027E8F6
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Code function: 16_2_010EE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 16_2_010EE8F6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress, 17_2_004167B4
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_3_029EA3AC 3_3_029EA3AC
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_3_02A061D9 3_3_02A061D9
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_3_029F0794 3_3_029F0794
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_3_029D85C0 3_3_029D85C0
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_3_029F0B06 3_3_029F0B06
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_3_029EAB31 3_3_029EAB31
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_3_029F6E4A 3_3_029F6E4A
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_3_029F6C1B 3_3_029F6C1B
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_3_029F0DB0 3_3_029F0DB0
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_3_029D6D20 3_3_029D6D20
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_3_029E8D7D 3_3_029E8D7D
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_3_02A092EE 3_3_02A092EE
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_3_02A5B244 3_3_02A5B244
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_3_029F1332 3_3_029F1332
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_3_029DB340 3_3_029DB340
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_3_029F70A7 3_3_029F70A7
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_3_029F1077 3_3_029F1077
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_3_02A37698 3_3_02A37698
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_3_02A41446 3_3_02A41446
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_3_029D7460 3_3_029D7460
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_3_02A05B6B 3_3_02A05B6B
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_3_02A0D8FF 3_3_02A0D8FF
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_3_029FBEA0 3_3_029FBEA0
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_3_029DBEF0 3_3_029DBEF0
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_3_02A63C73 3_3_02A63C73
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_2_0021BF40 3_2_0021BF40
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_2_00218060 3_2_00218060
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_2_00282046 3_2_00282046
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_2_00278298 3_2_00278298
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_2_0024E4FF 3_2_0024E4FF
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_2_0024676B 3_2_0024676B
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_2_002A4873 3_2_002A4873
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_2_0023CAA0 3_2_0023CAA0
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_2_0021CAF0 3_2_0021CAF0
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_2_0022CC39 3_2_0022CC39
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_2_00246DD9 3_2_00246DD9
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_2_0022B119 3_2_0022B119
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_2_002191C0 3_2_002191C0
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_2_00231394 3_2_00231394
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_2_00231706 3_2_00231706
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_2_0023781B 3_2_0023781B
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Code function: 16_2_010F2046 16_2_010F2046
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Code function: 16_2_01088060 16_2_01088060
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Code function: 16_2_010E8298 16_2_010E8298
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Code function: 16_2_010BE4FF 16_2_010BE4FF
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Code function: 16_2_010B676B 16_2_010B676B
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Code function: 16_2_01114873 16_2_01114873
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Code function: 16_2_010ACAA0 16_2_010ACAA0
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Code function: 16_2_0108CAF0 16_2_0108CAF0
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Code function: 16_2_010B6DD9 16_2_010B6DD9
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Code function: 16_2_0109CC39 16_2_0109CC39
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Code function: 16_2_0109B119 16_2_0109B119
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Code function: 16_2_010891C0 16_2_010891C0
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Code function: 16_2_010A1394 16_2_010A1394
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Code function: 16_2_010A1706 16_2_010A1706
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Code function: 16_2_01087920 16_2_01087920
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Code function: 16_2_0109997D 16_2_0109997D
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Code function: 16_2_010A19B0 16_2_010A19B0
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Code function: 16_2_010A781B 16_2_010A781B
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Code function: 16_2_010A7A4A 16_2_010A7A4A
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Code function: 16_2_010A1C77 16_2_010A1C77
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Code function: 16_2_010A7CA7 16_2_010A7CA7
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Code function: 16_2_010A1F32 16_2_010A1F32
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Code function: 16_2_0110BE44 16_2_0110BE44
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Code function: 16_2_010B9EEE 16_2_010B9EEE
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Code function: 16_2_001136A0 16_2_001136A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0043E0CC 17_2_0043E0CC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0041F0FA 17_2_0041F0FA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_00454159 17_2_00454159
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_00438168 17_2_00438168
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_004461F0 17_2_004461F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0043E2FB 17_2_0043E2FB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0045332B 17_2_0045332B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0042739D 17_2_0042739D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_004374E6 17_2_004374E6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0043E558 17_2_0043E558
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_00438770 17_2_00438770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_004378FE 17_2_004378FE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_00433946 17_2_00433946
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0044D9C9 17_2_0044D9C9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_00427A46 17_2_00427A46
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0041DB62 17_2_0041DB62
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_00427BAF 17_2_00427BAF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_00437D33 17_2_00437D33
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_00435E5E 17_2_00435E5E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_00426E0E 17_2_00426E0E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0043DE9D 17_2_0043DE9D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_00413FCA 17_2_00413FCA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_00436FEA 17_2_00436FEA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_10017194 17_2_10017194
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_1000B5C1 17_2_1000B5C1
Source: 202404294766578200.xlam.xlsx OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Code function: String function: 0109F9F2 appears 40 times
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Code function: String function: 010A0A30 appears 46 times
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Code function: String function: 01089CB3 appears 31 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 00434E10 appears 54 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 00402093 appears 50 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 00434770 appears 41 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 00401E65 appears 35 times
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: String function: 00230A30 appears 36 times
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: String function: 029DC3A0 appears 34 times
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: String function: 0022F9F2 appears 40 times
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: String function: 029EFE30 appears 46 times
Source: sheet1.xml, type: SAMPLE Matched rule: INDICATOR_XML_LegacyDrawing_AutoLoad_Document author = ditekSHen, description = detects AutoLoad documents using LegacyDrawing
Source: 17.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 17.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 17.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 16.2.Bactris.exe.2990000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 16.2.Bactris.exe.2990000.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 16.2.Bactris.exe.2990000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 16.2.Bactris.exe.2990000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 16.2.Bactris.exe.2990000.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 16.2.Bactris.exe.2990000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 17.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 17.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 17.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000011.00000002.783602919.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000011.00000002.783602919.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000011.00000002.783602919.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000010.00000002.762640645.0000000002990000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000010.00000002.762640645.0000000002990000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000010.00000002.762640645.0000000002990000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: Process Memory Space: Bactris.exe PID: 3740, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: svchost.exe PID: 3680, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
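The sheet1.xml match on INDICATOR_XML_LegacyDrawing_AutoLoad_Document above is the macro-free trigger for this chain: a worksheet part that references a legacy (VML) drawing and declares an embedded OLE object with autoLoad="true", which Excel hands to Equation Editor (EQNEDT32.EXE) as soon as the workbook opens. The following Python is an added example, not part of the Joe Sandbox report and not ditekSHen's rule; the rule's exact strings are not reproduced on the page, so the patterns below are an assumption about what it keys on. The package returned by build_sample_package() is constructed for the demonstration and is not the analysed sample.

```python
"""Approximate the sheet-level checks behind an OOXML AutoLoad / legacyDrawing
detection: for each worksheet part, look for a legacy VML drawing reference and
an <oleObject> declared with autoLoad="true", and collect the OLE progIds.
Added example; the regexes are an assumption about the YARA rule's strings."""
import io
import re
import zipfile

LEGACY_DRAWING = re.compile(rb"<legacyDrawing\b")
AUTOLOAD_OLE = re.compile(rb'<oleObject\b[^>]*\bautoLoad="true"', re.I)
OLE_PROGID = re.compile(rb'<oleObject\b[^>]*\bprogId="([^"]+)"')


def scan_ooxml(package: bytes) -> dict:
    """Return per-sheet findings plus package-level facts (embeddings, VBA project)."""
    report = {"sheets": {}, "embeddings": [], "vbaProject": False}
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        names = z.namelist()
        report["embeddings"] = [n for n in names if n.startswith("xl/embeddings/")]
        report["vbaProject"] = "xl/vbaProject.bin" in names
        for name in names:
            if not (name.startswith("xl/worksheets/") and name.endswith(".xml")):
                continue
            xml = z.read(name)
            legacy = bool(LEGACY_DRAWING.search(xml))
            autoload = bool(AUTOLOAD_OLE.search(xml))
            progids = [p.decode("ascii", "replace") for p in OLE_PROGID.findall(xml)]
            report["sheets"][name] = {
                "legacyDrawing": legacy,
                "autoLoadOle": autoload,
                "progIds": progids,
                # Equation.* progIds mean the object is served by EQNEDT32.EXE
                "equationEditor": any(p.startswith("Equation") for p in progids),
                # the pair the rule is after: auto-activated OLE behind a legacy drawing
                "suspicious": legacy and autoload,
            }
    return report


def build_sample_package() -> bytes:
    """Constructed minimal package (not the analysed file): one armed sheet, one benign."""
    sheet1 = (
        b'<?xml version="1.0" encoding="UTF-8"?>'
        b'<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" '
        b'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        b'<sheetData/><legacyDrawing r:id="rId1"/>'
        b'<oleObjects><oleObject progId="Equation.3" shapeId="1025" r:id="rId2" '
        b'autoLoad="true"/></oleObjects></worksheet>'
    )
    sheet2 = b'<?xml version="1.0"?><worksheet><sheetData/></worksheet>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", b"<Types/>")
        z.writestr("xl/worksheets/sheet1.xml", sheet1)
        z.writestr("xl/worksheets/sheet2.xml", sheet2)
        # OLE compound-file magic followed by padding stands in for the embedded object
        z.writestr("xl/embeddings/oleObject1.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 32)
    return buf.getvalue()


if __name__ == "__main__":
    result = scan_ooxml(build_sample_package())
    for sheet, info in result["sheets"].items():
        print(sheet, info)
    print("embeddings:", result["embeddings"], "vbaProject:", result["vbaProject"])
```

Run scan_ooxml() on a real .xlsx/.xlam (the file is a ZIP) to see which sheet carries the trigger; a positive sheet with no xl/vbaProject.bin is the same picture this report shows, where vbamacros is False but Equation Editor still starts.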
Source: bhvA8BE.tmp.20.dr Binary or memory string: org.slneighbors
Source: classification engine Classification label: mal100.phis.troj.spyw.expl.evad.winXLSX@35/20@6/7
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_2_002837B5 GetLastError,FormatMessageW, 3_2_002837B5
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_2_002710BF AdjustTokenPrivileges,CloseHandle, 3_2_002710BF
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_2_002716C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 3_2_002716C3
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Code function: 16_2_010E10BF AdjustTokenPrivileges,CloseHandle, 16_2_010E10BF
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Code function: 16_2_010E16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 16_2_010E16C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 17_2_00417952
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_2_002851CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 3_2_002851CD
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_2_0029A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 3_2_0029A67C
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_2_0028648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize, 3_2_0028648E
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_2_002142A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 3_2_002142A2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 17_2_0041AA4A
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe File created: C:\Program Files\Google
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$202404294766578200.xlam.xlsx
Source: C:\Windows\SysWOW64\svchost.exe Mutant created: \Sessions\1\BaseNamedObjects\Rmc-E70NOS
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVR9397.tmp
Source: C:\Windows\SysWOW64\svchost.exe System information queried: HandleInformation
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts (3 occurrences)
Source: svchost.exe, 00000011.00000002.783884245.0000000003020000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000014.00000002.778834559.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: svchost.exe, 00000011.00000002.783884245.0000000003020000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000011.00000002.783921365.0000000003840000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000014.00000002.778834559.0000000000400000.00000040.80000000.00040000.00000000.sdmp, svchost.exe, 00000015.00000002.780294367.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: svchost.exe, 00000011.00000002.783884245.0000000003020000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000014.00000002.778834559.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: svchost.exe, 00000011.00000002.783884245.0000000003020000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000014.00000002.778834559.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: svchost.exe, 00000014.00000002.778860586.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.778751181.000000000016E000.00000004.00000020.00020000.00000000.sdmp, chp8E2E.tmp.20.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));"
Source: svchost.exe, 00000011.00000002.783884245.0000000003020000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000014.00000002.778834559.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: svchost.exe, 00000011.00000002.783884245.0000000003020000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000014.00000002.778834559.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: svchost.exe, 00000011.00000002.783884245.0000000003020000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000014.00000002.778834559.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: 202404294766578200.xlam.xlsx ReversingLabs: Detection: 68%
Source: 202404294766578200.xlam.xlsx Virustotal: Detection: 50%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\YED.exe C:\Users\user\AppData\Roaming\YED.exe
Source: unknown Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1364 --field-trial-handle=1452,i,15568989383610033621,8608539169459799112,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=892 --field-trial-handle=1396,i,13358231411772672971,2555512376125685792,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\AppData\Roaming\YED.exe Process created: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe C:\Users\user\AppData\Roaming\YED.exe
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\Users\user\AppData\Roaming\YED.exe
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\qcbxbnrr"
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\seghufctinb"
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\dyuauqnmwvtskce"
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\YED.exe C:\Users\user\AppData\Roaming\YED.exe
Source: C:\Users\user\AppData\Roaming\YED.exe Process created: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe C:\Users\user\AppData\Roaming\YED.exe
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown (2 occurrences)
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1364 --field-trial-handle=1452,i,15568989383610033621,8608539169459799112,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown (13 occurrences)
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=892 --field-trial-handle=1396,i,13358231411772672971,2555512376125685792,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\Users\user\AppData\Roaming\YED.exe
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\qcbxbnrr"
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\seghufctinb"
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\dyuauqnmwvtskce"
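The process rows above are the part of this report a detection engineer would turn into rules. Four relationships stand out: Equation Editor (EQNEDT32.EXE) launching a binary from %APPDATA%; children whose command line names a different executable than their on-disk image (Bactris.exe and SysWOW64\svchost.exe are both started with YED.exe's command line, consistent with the "Maps a DLL or memory area into another process" signature); svchost.exe parented by something other than services.exe; and the RAT re-launching its own image with /stext and a %TEMP% path. Reading /stext as the NirSoft-style "save as text" switch of Remcos's credential-recovery modules is an interpretation, not something the report states; the mozglue.dll load by one svchost.exe child later in the report fits that reading. The following Python is an added example, not sandbox output, that parses rows in the report's own "Source: ... Process created: ..." format and applies those four checks. The rows in SAMPLE_ROWS are copied from this report; the rule names are this example's own.

```python
"""Parse sandbox 'Process created' rows into parent/child edges and apply four
parent-child checks derived from the Excel -> EQNEDT32 -> YED -> Bactris ->
svchost chain. Added example; SAMPLE_ROWS are copied from the report."""
import re
from collections import namedtuple

Edge = namedtuple("Edge", "parent child cmd")

# Row layout: "Source: <parent image> Process created: <child image> <command line>"
# with an optional trailing "Jump to behavior" link label left over from the HTML.
ROW = re.compile(r"^Source: (?P<parent>.+?) Process created: (?P<rest>.+?)(?: Jump to behavior)?$")
# The child image ends at the first ".exe"; the rest of the row is its command line.
EXE_SPLIT = re.compile(r"^(?P<child>.+?\.exe)(?: (?P<cmd>.*))?$", re.I)

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "eqnedt32.exe"}
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)

# Copied from the report above (one row carries the link label to show it is stripped).
SAMPLE_ROWS = [
    r'Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding',
    r'Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding',
    r'Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\YED.exe C:\Users\user\AppData\Roaming\YED.exe',
    r'Source: C:\Users\user\AppData\Roaming\YED.exe Process created: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe C:\Users\user\AppData\Roaming\YED.exe',
    r'Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\Users\user\AppData\Roaming\YED.exe',
    r'Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\qcbxbnrr"',
    r'Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\seghufctinb"',
    r'Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior',
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def cmdline_image(cmd: str) -> str:
    """Executable named by a command line's first token (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]


def parse_rows(rows):
    edges = []
    for row in rows:
        m = ROW.match(row.strip())
        if not m:
            continue
        rest = m.group("rest")
        if rest == "unknown unknown":  # sandbox could not resolve the child
            edges.append(Edge(m.group("parent"), "unknown", ""))
            continue
        s = EXE_SPLIT.match(rest)
        if s:
            edges.append(Edge(m.group("parent"), s.group("child"), s.group("cmd") or ""))
    return edges


def detect(edges):
    hits = []
    for e in edges:
        if e.child == "unknown":
            continue
        parent, child = basename(e.parent), basename(e.child)
        # Office or Equation Editor launching a binary from a user-writable location
        if parent in OFFICE_PARENTS and USER_WRITABLE.search(e.child):
            hits.append(("office_spawns_user_binary", e))
        # svchost.exe is started by services.exe; any other parent is hollowing or a lookalike
        if child == "svchost.exe" and parent != "services.exe":
            hits.append(("svchost_wrong_parent", e))
        # On-disk image differs from the executable the command line names
        if e.cmd and basename(cmdline_image(e.cmd)) != child:
            hits.append(("image_cmdline_mismatch", e))
        # Process re-launching its own image with the /stext dump switch
        if parent == child and "/stext" in e.cmd.lower():
            hits.append(("self_spawn_stext", e))
    return hits


def summarize(hits) -> dict:
    counts = {}
    for rule, _ in hits:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for rule, e in detect(parse_rows(SAMPLE_ROWS)):
        print(f"{rule:26} {basename(e.parent)} -> {basename(e.child)}  {e.cmd}")
```

The same four checks map directly onto Sysmon event ID 1 fields (ParentImage, Image, CommandLine); the image/command-line mismatch is the cheapest of them to deploy and fires on both injection hops in this chain.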
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: wow64win.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: wow64cpu.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: msi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: cryptsp.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: rpcrtremote.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dwmapi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: winhttp.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: webio.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: credssp.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\YED.exe Section loaded: wow64win.dll
Source: C:\Users\user\AppData\Roaming\YED.exe Section loaded: wow64cpu.dll
Source: C:\Users\user\AppData\Roaming\YED.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Roaming\YED.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\YED.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\YED.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\YED.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\YED.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\YED.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\YED.exe Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Roaming\YED.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Section loaded: wow64win.dll
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Section loaded: wow64cpu.dll
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: shcore.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: bcrypt.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: webio.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: rpcrtremote.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: rpcrtremote.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: pstorec.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: mozglue.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: msvcp140.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: vcruntime140.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ucrtbase.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wsock32.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\svchost.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: 202404294766578200.xlam.xlsx Initial sample: OLE zip file path = xl/media/image1.jpg
Source: 202404294766578200.xlam.xlsx Initial sample: OLE zip file path = xl/calcChain.xml
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\Google
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\Google\GoogleUpdater
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\chrome_BITS_1564_1766989274
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: wntdll.pdb source: Bactris.exe, 00000010.00000003.762094067.0000000002C70000.00000004.00001000.00020000.00000000.sdmp, Bactris.exe, 00000010.00000003.761995898.0000000002B10000.00000004.00001000.00020000.00000000.sdmp
Source: 202404294766578200.xlam.xlsx Initial sample: OLE indicators vbamacros = False
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_2_002142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 3_2_002142DE
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_3_029EFE76 push ecx; ret 3_3_029EFE89
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_2_00230A76 push ecx; ret 3_2_00230A89
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Code function: 16_2_010A0A76 push ecx; ret 16_2_010A0A89
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_00457106 push ecx; ret 17_2_00457119
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0045B11A push esp; ret 17_2_0045B141
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0045E54D push esi; ret 17_2_0045E556
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_00457A28 push eax; ret 17_2_00457A46
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_00434E56 push ecx; ret 17_2_00434E69
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_10002806 push ecx; ret 17_2_10002819
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_00406EB0 ShellExecuteW,URLDownloadToFileW, 17_2_00406EB0
Source: C:\Users\user\AppData\Roaming\YED.exe File created: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Roaming\YED.exe Jump to dropped file

Boot Survival

Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bactris.vbs Jump to dropped file
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bactris.vbs Jump to behavior
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bactris.vbs Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 17_2_0041AA4A
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Code function: 16_2_0109F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 16_2_0109F98E
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Code function: 16_2_01111C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 16_2_01111C41
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 17_2_0041CB50
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YED.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YED.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YED.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YED.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0040F7A7 Sleep,ExitProcess, 17_2_0040F7A7
Source: C:\Users\user\AppData\Roaming\YED.exe Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
Source: C:\Windows\SysWOW64\svchost.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 17_2_0041A748
Source: C:\Windows\SysWOW64\svchost.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\AppData\Roaming\YED.exe API coverage: 4.4 %
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe API coverage: 4.6 %
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 808 Thread sleep time: -120000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 3596 Thread sleep time: -180000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 3920 Thread sleep time: -120000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_2_0027DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 3_2_0027DBBE
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_2_0024C2A2 FindFirstFileExW, 3_2_0024C2A2
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_2_002868EE FindFirstFileW,FindClose, 3_2_002868EE
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_2_0028698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 3_2_0028698F
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_2_0027D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 3_2_0027D076
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_2_0027D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 3_2_0027D3A9
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_2_00289642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 3_2_00289642
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_2_0028979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 3_2_0028979D
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Code function: 16_2_010EDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 16_2_010EDBBE
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Code function: 16_2_010BC2A2 FindFirstFileExW, 16_2_010BC2A2
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Code function: 16_2_010F698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 16_2_010F698F
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Code function: 16_2_010F68EE FindFirstFileW,FindClose, 16_2_010F68EE
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Code function: 16_2_010ED076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 16_2_010ED076
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Code function: 16_2_010ED3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 16_2_010ED3A9
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Code function: 16_2_010F979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 16_2_010F979D
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Code function: 16_2_010F9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 16_2_010F9642
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Code function: 16_2_010F9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 16_2_010F9B2B
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Code function: 16_2_010F5C97 FindFirstFileW,FindNextFileW,FindClose, 16_2_010F5C97
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 17_2_00409253
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 17_2_0041C291
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 17_2_0040C34D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 17_2_00409665
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0044E879 FindFirstFileExA, 17_2_0044E879
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 17_2_0040880C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0040783C FindFirstFileW,FindNextFileW, 17_2_0040783C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW, 17_2_00419AF5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 17_2_0040BB30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 17_2_0040BD37
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 17_2_100010F1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_10006580 FindFirstFileExA, 17_2_10006580
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 17_2_00407C97
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_2_002142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 3_2_002142DE
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Windows\SysWOW64\config\systemprofile\ Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\ Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\ Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\ Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\ Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE API call chain: ExitProcess graph end node
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_2_0028EAA2 BlockInput, 3_2_0028EAA2
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_2_00242622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00242622
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_2_002142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 3_2_002142DE
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_035006C3 mov edx, dword ptr fs:[00000030h] 2_2_035006C3
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_3_029F40E8 mov eax, dword ptr fs:[00000030h] 3_3_029F40E8
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_2_00234CE8 mov eax, dword ptr fs:[00000030h] 3_2_00234CE8
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Code function: 16_2_010A4CE8 mov eax, dword ptr fs:[00000030h] 16_2_010A4CE8
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Code function: 16_2_00113530 mov eax, dword ptr fs:[00000030h] 16_2_00113530
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Code function: 16_2_00113590 mov eax, dword ptr fs:[00000030h] 16_2_00113590
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Code function: 16_2_00111EF0 mov eax, dword ptr fs:[00000030h] 16_2_00111EF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_004432B5 mov eax, dword ptr fs:[00000030h] 17_2_004432B5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_10004AB4 mov eax, dword ptr fs:[00000030h] 17_2_10004AB4
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_2_00270B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 3_2_00270B62
Source: C:\Windows\SysWOW64\svchost.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_2_002309D5 SetUnhandledExceptionFilter, 3_2_002309D5
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_2_00242622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00242622
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_2_0023083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_0023083F
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_2_00230C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_00230C21
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Code function: 16_2_010A09D5 SetUnhandledExceptionFilter, 16_2_010A09D5
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Code function: 16_2_010B2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 16_2_010B2622
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Code function: 16_2_010A083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 16_2_010A083F
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Code function: 16_2_010A0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 16_2_010A0C21
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_00434B47 SetUnhandledExceptionFilter, 17_2_00434B47
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 17_2_004349F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 17_2_0043BB22
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 17_2_00434FDC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_100060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 17_2_100060E2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_10002639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 17_2_10002639
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_10002B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 17_2_10002B1C

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 23.94.53.100 2766 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Domain query: geoplugin.net
Source: C:\Windows\SysWOW64\svchost.exe Domain query: yuahdgbceja.sytes.net
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 178.237.33.50 80 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_004180EF GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError, 17_2_004180EF
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 7EFDE008 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 17_2_004120F7
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_2_00271201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 3_2_00271201
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_2_00252BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 3_2_00252BA5
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_2_0027B226 SendInput,keybd_event, 3_2_0027B226
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_2_002922DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event, 3_2_002922DA
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\YED.exe C:\Users\user\AppData\Roaming\YED.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\YED.exe Process created: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe C:\Users\user\AppData\Roaming\YED.exe Jump to behavior
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\Users\user\AppData\Roaming\YED.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\qcbxbnrr" Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\seghufctinb" Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\dyuauqnmwvtskce" Jump to behavior
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_2_00270B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 3_2_00270B62
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_2_00271663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 3_2_00271663
Source: YED.exe, 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmp, YED.exe, 00000003.00000003.756895707.0000000002A91000.00000004.00001000.00020000.00000000.sdmp, Bactris.exe, 00000010.00000000.760231345.0000000001142000.00000002.00000001.01000000.00000004.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: YED.exe, Bactris.exe Binary or memory string: Shell_TrayWnd
Source: svchost.exe, 00000011.00000002.783667001.0000000000914000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program Manager|
Source: svchost.exe, 00000011.00000002.783667001.0000000000914000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [Program Manager]
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_3_029EFA98 cpuid 3_3_029EFA98
Source: C:\Windows\SysWOW64\svchost.exe Code function: EnumSystemLocalesW, 17_2_00452036
Source: C:\Windows\SysWOW64\svchost.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 17_2_004520C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: GetLocaleInfoW, 17_2_00452313
Source: C:\Windows\SysWOW64\svchost.exe Code function: EnumSystemLocalesW, 17_2_00448404
Source: C:\Windows\SysWOW64\svchost.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 17_2_0045243C
Source: C:\Windows\SysWOW64\svchost.exe Code function: GetLocaleInfoW, 17_2_00452543
Source: C:\Windows\SysWOW64\svchost.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 17_2_00452610
Source: C:\Windows\SysWOW64\svchost.exe Code function: GetLocaleInfoA, 17_2_0040F8D1
Source: C:\Windows\SysWOW64\svchost.exe Code function: GetLocaleInfoW, 17_2_004488ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: IsValidCodePage,GetLocaleInfoW, 17_2_00451CD8
Source: C:\Windows\SysWOW64\svchost.exe Code function: EnumSystemLocalesW, 17_2_00451F50
Source: C:\Windows\SysWOW64\svchost.exe Code function: EnumSystemLocalesW, 17_2_00451F9B
Source: C:\Windows\SysWOW64\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_2_0024333F GetSystemTimeAsFileTime, 3_2_0024333F
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_2_0026D27A GetUserNameW, 3_2_0026D27A
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Code function: 16_2_010BB952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 16_2_010BB952
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_2_002142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 3_2_002142DE
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information

Source: Yara match File source: 17.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.Bactris.exe.2990000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.Bactris.exe.2990000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000002.783602919.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.762640645.0000000002990000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Bactris.exe PID: 3740, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 3680, type: MEMORYSTR
Source: C:\Windows\SysWOW64\svchost.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 17_2_0040BA12
Source: C:\Windows\SysWOW64\svchost.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 17_2_0040BB30
Source: C:\Windows\SysWOW64\svchost.exe Code function: \key3.db 17_2_0040BB30
Source: C:\Windows\SysWOW64\svchost.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail <.oeaccount Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail NULL Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail * Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail NULL Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup *
Source: C:\Windows\SysWOW64\svchost.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup NULL
Source: C:\Windows\SysWOW64\svchost.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new *
Source: C:\Windows\SysWOW64\svchost.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new NULL
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\places.sqlite
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Paltalk
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Identities\{56EE7341-F593-4666-B32B-0DA2F15C6755}\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\06cf47254c38794586c61cc24a734503
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\205c3a58330443458dd2ac448e6ca789
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\2b8b37090290ba4f959e518e299cb5b1
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3743a3c1c7e1f64e8f29008dfcb85743
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\53408158a6e73f408d707c6c9897ca11
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\5d87f524a0d3e441a43ef4f9aa2c1e35
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\78c2c8d3c60b8e4dbd322a28757b4add
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\b17a5dedc883424088e68fc9f8f9ce35
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f6b27b1a9688564abf9b7e1bd5ef7ca7
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: Yara match File source: Process Memory Space: svchost.exe PID: 3680, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 3752, type: MEMORYSTR
Source: Bactris.exe Binary or memory string: WIN_81
Source: Bactris.exe Binary or memory string: WIN_XP
Source: Bactris.exe.3.dr Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: Bactris.exe Binary or memory string: WIN_XPe
Source: Bactris.exe Binary or memory string: WIN_VISTA
Source: Bactris.exe Binary or memory string: WIN_7
Source: Bactris.exe Binary or memory string: WIN_8

Remote Access Functionality

Source: C:\Windows\SysWOW64\svchost.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-E70NOS
Source: Yara match File source: 17.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.Bactris.exe.2990000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.Bactris.exe.2990000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000002.783602919.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.762640645.0000000002990000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Bactris.exe PID: 3740, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 3680, type: MEMORYSTR
Source: C:\Windows\SysWOW64\svchost.exe Code function: cmd.exe 17_2_0040569A
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_2_00291204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 3_2_00291204
Source: C:\Users\user\AppData\Roaming\YED.exe Code function: 3_2_00291806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 3_2_00291806
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Code function: 16_2_01101204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 16_2_01101204
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe Code function: 16_2_01101806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 16_2_01101806