Found strings which match to known social media urls
  Source: C:\Users\Public\Music\Arquivos Compartilhados\Host14_user.exe
  Source: C:\Windows\SysWOW64\msiexec.exe
  String found in binary or memory: www.facebook.com/MacroRecorderSoftware/ equals www.facebook.com (Facebook)

HTTP traffic detected:
  GET /lanterna/timdim.php?a=0 HTTP/1.1
  Host: cadastros.brazilsouth.cloudapp.azure.com
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  User-Agent: Mozilla/3.0 (compatible; Indy Library)

Behaviour signatures:
  Queries the volume information (name, serial number etc) of a device
  Potential browser exploit detected (process start blacklist hit)
  PE file contains sections with non-standard names
  PE file contains more sections than normal
  May sleep (evasive loops) to hinder dynamic analysis
  Allocates memory with a write watch (potentially for evading sandboxes)
  Checks for available system drives (often done to infect USB drives)
  Creates a DirectInput object (often for capturing keystrokes)
  Creates a process in suspended mode (likely to inject code)
  Drops files with a non-matching file extension (content does not match file extension)
  Found dropped PE file which has not been started or loaded

Sigma detected: Suspicious Program Location with Network Connections
  Author: Florian Roth: Data: DestinationIp: 104.41.46.185, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Users\Public\Music\Arquivos Compartilhados\Host14_user.exe, Initiated: true, ProcessId: 2908, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49722

Sigma detected: New RUN Key Pointing to Suspicious Folder
  Author: Florian Roth, Markus Neis, Sander Wiebing: Data: Details: C:\Users\Public\Music\Arquivos Compartilhados\Host14_user.exe, EventID: 13, Image: C:\Users\Public\Music\Arquivos Compartilhados\Host14_user.exe, ProcessId: 2908, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\EfAqWWpvKs

Sigma detected: Suspicious Program Location Process Starts
Sigma detected: Execution in Non-Executable Folder
Sigma detected: Executables Started in Suspicious Folder
  Author: Florian Roth: Data (process creation): Command: 'C:\Users\Public\Music\Arquivos Compartilhados\Host14_user.exe', CommandLine: 'C:\Users\Public\Music\Arquivos Compartilhados\Host14_user.exe', CommandLine|base64offset|contains: , Image: C:\Users\Public\Music\Arquivos Compartilhados\Host14_user.exe, NewProcessName: C:\Users\Public\Music\Arquivos Compartilhados\Host14_user.exe, OriginalFileName: C:\Users\Public\Music\Arquivos Compartilhados\Host14_user.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding B9D33C8CF3FE30901803F2CA04FC8DA4, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 4896, ProcessCommandLine: 'C:\Users\Public\Music\Arquivos Compartilhados\Host14_user.exe', ProcessId: 2908

The chain visible in this data is: the Windows Installer service (msiexec.exe running with -Embedding, i.e. as a COM server for an MSI custom action) starts Host14_user.exe out of C:\Users\Public\Music\, which then writes itself to an HKCU Run key under a random-looking value name and makes an outbound HTTP request to an Azure-hosted address with an Indy Library User-Agent.
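The Sigma hits above all reduce to a few field checks on Sysmon events (EventID 1 process creation, 3 network connection, 13 registry value set). The script below is an added example, not part of the sandbox report or of the SigmaHQ rules: it re-implements a simplified version of those checks in Python and runs them over constructed events modelled on the report's data (the malware path, the EfAqWWpvKs Run key, the msiexec.exe -Embedding parent, the port 80 connection) plus two benign decoys. The suspicious-folder list is an illustrative approximation of what the real rules look for, and the fourth rule (an msiexec custom-action child in a suspicious folder) is my own addition, not a rule the report names.

```python
"""Sigma-style matching over constructed Sysmon-like events (added example)."""
from typing import Any, Callable, Dict, List

# Approximation of the "suspicious program location" folder list used by the
# SigmaHQ rules named in the report; not a copy of any rule.
SUSPICIOUS_DIRS = (
    "\\users\\public\\",
    "\\programdata\\",
    "\\windows\\temp\\",
    "\\appdata\\local\\temp\\",
    "\\$recycle.bin\\",
    "\\perflogs\\",
)
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"

Event = Dict[str, Any]


def in_suspicious_dir(path: str) -> bool:
    """Case-insensitive substring match against the suspicious-folder list."""
    p = path.lower()
    return any(d in p for d in SUSPICIOUS_DIRS)


def suspicious_program_location_process_start(ev: Event) -> bool:
    return ev["EventID"] == 1 and in_suspicious_dir(ev.get("Image", ""))


def suspicious_program_location_with_network(ev: Event) -> bool:
    # Only outbound connections (Initiated: true) from a suspicious folder count.
    return (ev["EventID"] == 3 and ev.get("Initiated") is True
            and in_suspicious_dir(ev.get("Image", "")))


def new_run_key_pointing_to_suspicious_folder(ev: Event) -> bool:
    # Registry value set under ...\CurrentVersion\Run whose data is a suspicious path.
    return (ev["EventID"] == 13
            and RUN_KEY in ev.get("TargetObject", "").lower()
            and in_suspicious_dir(ev.get("Details", "")))


def msiexec_embedding_child_in_suspicious_folder(ev: Event) -> bool:
    # Added check (not from the report): child of the Windows Installer COM
    # server (msiexec.exe -Embedding ...) whose image lives in a suspicious folder.
    return (ev["EventID"] == 1
            and ev.get("ParentImage", "").lower().endswith("\\msiexec.exe")
            and "-embedding" in ev.get("ParentCommandLine", "").lower()
            and in_suspicious_dir(ev.get("Image", "")))


RULES: Dict[str, Callable[[Event], bool]] = {
    "Suspicious Program Location Process Starts": suspicious_program_location_process_start,
    "Suspicious Program Location with Network Connections": suspicious_program_location_with_network,
    "New RUN Key Pointing to Suspicious Folder": new_run_key_pointing_to_suspicious_folder,
    "MSI custom-action child in suspicious folder (added check)": msiexec_embedding_child_in_suspicious_folder,
}


def evaluate(events: List[Event]) -> Dict[str, List[int]]:
    """Return, per rule name, the indices of the events that matched it."""
    hits: Dict[str, List[int]] = {name: [] for name in RULES}
    for i, ev in enumerate(events):
        for name, rule in RULES.items():
            if rule(ev):
                hits[name].append(i)
    return hits


MALWARE = r"C:\Users\Public\Music\Arquivos Compartilhados\Host14_user.exe"

# Constructed events modelled on the report's Sigma data, plus two benign decoys.
SAMPLE_EVENTS: List[Event] = [
    {   # 0: process creation from the report
        "EventID": 1, "ProcessId": 2908, "Image": MALWARE, "CommandLine": f"'{MALWARE}'",
        "ParentImage": r"C:\Windows\SysWOW64\msiexec.exe", "ParentProcessId": 4896,
        "ParentCommandLine": r"C:\Windows\syswow64\MsiExec.exe -Embedding B9D33C8CF3FE30901803F2CA04FC8DA4",
    },
    {   # 1: Run key persistence from the report
        "EventID": 13, "ProcessId": 2908, "Image": MALWARE,
        "TargetObject": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\EfAqWWpvKs",
        "Details": MALWARE,
    },
    {   # 2: outbound HTTP from the report
        "EventID": 3, "ProcessId": 2908, "Image": MALWARE, "Initiated": True, "Protocol": "tcp",
        "SourceIp": "192.168.2.6", "SourcePort": 49722,
        "DestinationIp": "104.41.46.185", "DestinationPort": 80,
    },
    {   # 3: benign decoy: an updater under Program Files registering its own Run key
        "EventID": 13, "ProcessId": 1200, "Image": r"C:\Program Files\Vendor\updater.exe",
        "TargetObject": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
        "Details": r"C:\Program Files\Vendor\updater.exe",
    },
    {   # 4: benign decoy: inbound connection to an agent in ProgramData (Initiated: false)
        "EventID": 3, "ProcessId": 1300, "Image": r"C:\ProgramData\Agent\agent.exe",
        "Initiated": False, "Protocol": "tcp", "SourceIp": "192.168.2.9", "SourcePort": 52000,
        "DestinationIp": "192.168.2.6", "DestinationPort": 8443,
    },
]

if __name__ == "__main__":
    for rule, idx in evaluate(SAMPLE_EVENTS).items():
        print(f"{rule}: events {idx}")
```

Events 0, 1 and 2 each fire exactly the rule the report attributes to that Sysmon event type, while the two decoys stay quiet: the Program Files updater is outside the folder list, and the ProgramData agent only received a connection. In a real deployment the folder list should be tuned to the environment, since `\ProgramData\` and `\Users\Public\` are also used by legitimate installers.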