Windows Analysis Report
ATTHACHED SCAN-P.O SPECIFICATIONS.009.24. 001.doc

Overview

General Information

Sample name: ATTHACHED SCAN-P.O SPECIFICATIONS.009.24. 001.doc
Analysis ID: 1430108
MD5: d90ae35b86323a7495fbd0f89b74ad08
SHA1: a913d6148cbfb3a5be68a34052a4d1ab7d9de989
SHA256: 88ad296056a6be66969f1e5ce6694398944804a39d8465b42e0af73c5af12cb0
Tags: doc

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Yara detected Snake Keylogger
Yara detected Telegram RAT
.NET source code references suspicious native API functions
Document exploit detected (process start blacklist hit)
Drops PE files with a suspicious file extension
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for dropped file
Office equation editor drops PE file
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Sigma detected: Equation Editor Network Connection
Sigma detected: Suspicious Microsoft Office Child Process
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Binary contains a suspicious time stamp
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sigma detected: SCR File Write Event
Sigma detected: Suspicious DNS Query for IP Lookup Service APIs
Sigma detected: Suspicious Screensaver Binary File Creation
Stores large binary data to the registry
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger with many capabilities. The infostealer can steal a victim's sensitive information, log keystrokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

AV Detection

Source: 00000006.00000002.610871385.0000000002571000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot5611396317:AAGsgxx4hwlHZa8kVodTZpCQipWRFwFvBO0/sendMessage?chat_id=5237953097"}
Source: dukeenergyltd.top Virustotal: Detection: 25%
Source: https://dukeenergyltd.top/ Virustotal: Detection: 24%
Source: ATTHACHED SCAN-P.O SPECIFICATIONS.009.24. 001.doc ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\mpoom[1].scr Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr Joe Sandbox ML: detected

Exploits

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Network connect: IP: 172.67.134.136 Port: 443
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\mpoom39002.scr
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown HTTPS traffic detected: 172.67.134.136:443 -> 192.168.2.22:49161 version: TLS 1.2
Source: Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb source: mpoom39002.scr, 00000005.00000002.346550493.0000000002201000.00000004.00000800.00020000.00000000.sdmp, mpoom39002.scr, 00000005.00000002.346411326.0000000000330000.00000004.08000000.00040000.00000000.sdmp

Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Source: global traffic DNS query: name: dukeenergyltd.top
Source: global traffic DNS query: name: checkip.dyndns.org
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 193.122.6.168:80
Source: global traffic TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 193.122.6.168:80
Source: global traffic TCP traffic: 193.122.6.168:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 193.122.6.168:80
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 193.122.6.168:80
Source: global traffic TCP traffic: 193.122.6.168:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 193.122.6.168:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 193.122.6.168:80
Source: global traffic TCP traffic: 193.122.6.168:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 193.122.6.168:80
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 193.122.6.168:80
Source: global traffic TCP traffic: 193.122.6.168:80 -> 192.168.2.22:49162

Networking

Source: Yara match File source: 6.2.mpoom39002.scr.80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.mpoom39002.scr.3304820.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.mpoom39002.scr.32e49f0.7.raw.unpack, type: UNPACKEDPE
Source: Joe Sandbox View IP Address: 193.122.6.168
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr DNS query: name: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET /mpoom.scr HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: dukeenergyltd.topConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{46F363FE-A7DD-406F-B1C8-7F7D7988C666}.tmp Jump to behavior
Source: EQNEDT32.EXE, 00000002.00000002.344727148.00000000003A7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknown DNS traffic detected: queries for: dukeenergyltd.top
Source: mpoom39002.scr, 00000006.00000002.610871385.0000000002616000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.com
Source: mpoom39002.scr, 00000006.00000002.610871385.0000000002616000.00000004.00000800.00020000.00000000.sdmp, mpoom39002.scr, 00000006.00000002.610871385.0000000002609000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: mpoom39002.scr, 00000006.00000002.610871385.0000000002571000.00000004.00000800.00020000.00000000.sdmp, mpoom39002.scr, 00000006.00000002.610780471.00000000007ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: mpoom39002.scr, 00000005.00000002.346612206.00000000032A4000.00000004.00000800.00020000.00000000.sdmp, mpoom39002.scr, 00000006.00000002.610421955.0000000000082000.00000020.00000400.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/q
Source: EQNEDT32.EXE, 00000002.00000002.344727148.00000000003A7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: EQNEDT32.EXE, 00000002.00000002.344727148.00000000003A7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: EQNEDT32.EXE, 00000002.00000002.344727148.00000000003A7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: EQNEDT32.EXE, 00000002.00000002.344727148.00000000003A7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: EQNEDT32.EXE, 00000002.00000002.344727148.00000000003A7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: EQNEDT32.EXE, 00000002.00000002.344727148.00000000003A7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: EQNEDT32.EXE, 00000002.00000002.344727148.00000000003A7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: EQNEDT32.EXE, 00000002.00000002.344727148.00000000003A7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.user
Source: EQNEDT32.EXE, 00000002.00000002.344727148.00000000003A7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: EQNEDT32.EXE, 00000002.00000002.344727148.00000000003A7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0%
Source: EQNEDT32.EXE, 00000002.00000002.344727148.00000000003A7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0-
Source: EQNEDT32.EXE, 00000002.00000002.344727148.00000000003A7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0/
Source: EQNEDT32.EXE, 00000002.00000002.344727148.00000000003A7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com05
Source: EQNEDT32.EXE, 00000002.00000002.344727148.00000000003A7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.entrust.net03
Source: EQNEDT32.EXE, 00000002.00000002.344727148.00000000003A7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.entrust.net0D
Source: mpoom39002.scr, 00000006.00000002.610871385.0000000002571000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: EQNEDT32.EXE, 00000002.00000002.344727148.00000000003A7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: EQNEDT32.EXE, 00000002.00000002.344727148.00000000003A7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: mpoom39002.scr, 00000005.00000002.346612206.00000000032A4000.00000004.00000800.00020000.00000000.sdmp, mpoom39002.scr, 00000006.00000002.610421955.0000000000082000.00000020.00000400.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot
Source: EQNEDT32.EXE, 00000002.00000002.344727148.000000000035D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dukeenergyltd.top/
Source: EQNEDT32.EXE, EQNEDT32.EXE, 00000002.00000002.344727148.000000000032F000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.344727148.0000000000373000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dukeenergyltd.top/mpoom.scr
Source: EQNEDT32.EXE, 00000002.00000002.344727148.000000000032F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dukeenergyltd.top/mpoom.scrj
Source: EQNEDT32.EXE, 00000002.00000002.344727148.000000000032F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dukeenergyltd.top/mpoom.scrjjC:
Source: EQNEDT32.EXE, 00000002.00000002.344727148.0000000000373000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dukeenergyltd.top/mpoom.scrsoC:
Source: EQNEDT32.EXE, 00000002.00000002.344727148.00000000003A7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
Source: unknown Network traffic detected: HTTP traffic on port 49161 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49161
Source: unknown HTTPS traffic detected: 172.67.134.136:443 -> 192.168.2.22:49161 version: TLS 1.2

System Summary

Source: ATTHACHED SCAN-P.O SPECIFICATIONS.009.24. 001.doc, type: SAMPLE Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
Source: 5.2.mpoom39002.scr.5f0000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects downloader injector Author: ditekSHen
Source: 5.2.mpoom39002.scr.3253190.5.unpack, type: UNPACKEDPE Matched rule: Detects downloader injector Author: ditekSHen
Source: 5.2.mpoom39002.scr.3253190.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects downloader injector Author: ditekSHen
Source: 5.2.mpoom39002.scr.5f0000.2.unpack, type: UNPACKEDPE Matched rule: Detects downloader injector Author: ditekSHen
Source: 6.2.mpoom39002.scr.80000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 6.2.mpoom39002.scr.80000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 6.2.mpoom39002.scr.80000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 6.2.mpoom39002.scr.80000.0.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 5.2.mpoom39002.scr.3304820.6.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.mpoom39002.scr.3304820.6.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.mpoom39002.scr.3304820.6.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 5.2.mpoom39002.scr.3304820.6.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 5.2.mpoom39002.scr.32e49f0.7.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.mpoom39002.scr.32e49f0.7.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.mpoom39002.scr.32e49f0.7.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 5.2.mpoom39002.scr.32e49f0.7.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 5.2.mpoom39002.scr.3304820.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.mpoom39002.scr.3304820.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.mpoom39002.scr.3304820.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 5.2.mpoom39002.scr.3304820.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 5.2.mpoom39002.scr.32e49f0.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.mpoom39002.scr.32e49f0.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.mpoom39002.scr.32e49f0.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 5.2.mpoom39002.scr.32e49f0.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 5.2.mpoom39002.scr.220f0cc.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects downloader injector Author: ditekSHen
Source: 5.2.mpoom39002.scr.221190c.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects downloader injector Author: ditekSHen
Source: 00000005.00000002.346422484.00000000005F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects downloader injector Author: ditekSHen
Source: 00000006.00000002.610421955.0000000000082000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000006.00000002.610421955.0000000000082000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000005.00000002.346612206.00000000032A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000005.00000002.346612206.00000000032A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: mpoom39002.scr PID: 3216, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: mpoom39002.scr PID: 3216, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: mpoom39002.scr PID: 3248, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: mpoom39002.scr PID: 3248, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Screenshot number: 4 Screenshot OCR: Enable editing from the yellow bar above.The independent auditors' opinion says the financial state
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Roaming\mpoom39002.scr Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\mpoom[1].scr Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Memory allocated: 770B0000 page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr Memory allocated: 770B0000 page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr Memory allocated: 770B0000 page execute and read and write Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Memory allocated: 770B0000 page execute and read and write Jump to behavior
Source: ATTHACHED SCAN-P.O SPECIFICATIONS.009.24. 001.doc, type: SAMPLE Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
Source: 5.2.mpoom39002.scr.5f0000.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 5.2.mpoom39002.scr.3253190.5.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 5.2.mpoom39002.scr.3253190.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 5.2.mpoom39002.scr.5f0000.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 6.2.mpoom39002.scr.80000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.mpoom39002.scr.80000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.mpoom39002.scr.80000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 6.2.mpoom39002.scr.80000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 5.2.mpoom39002.scr.3304820.6.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.mpoom39002.scr.3304820.6.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.mpoom39002.scr.3304820.6.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.mpoom39002.scr.3304820.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 5.2.mpoom39002.scr.32e49f0.7.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.mpoom39002.scr.32e49f0.7.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.mpoom39002.scr.32e49f0.7.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.mpoom39002.scr.32e49f0.7.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 5.2.mpoom39002.scr.3304820.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.mpoom39002.scr.3304820.6.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.mpoom39002.scr.3304820.6.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.mpoom39002.scr.3304820.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 5.2.mpoom39002.scr.32e49f0.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.mpoom39002.scr.32e49f0.7.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.mpoom39002.scr.32e49f0.7.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.mpoom39002.scr.32e49f0.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 5.2.mpoom39002.scr.220f0cc.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 5.2.mpoom39002.scr.221190c.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 00000005.00000002.346422484.00000000005F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 00000006.00000002.610421955.0000000000082000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000006.00000002.610421955.0000000000082000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000005.00000002.346612206.00000000032A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000005.00000002.346612206.00000000032A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: mpoom39002.scr PID: 3216, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: mpoom39002.scr PID: 3216, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: mpoom39002.scr PID: 3248, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: mpoom39002.scr PID: 3248, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: mpoom[1].scr.2.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: mpoom39002.scr.2.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 5.2.mpoom39002.scr.5f0000.2.raw.unpack, DarkListView.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.mpoom39002.scr.3253190.5.raw.unpack, DarkListView.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.mpoom39002.scr.3304820.6.raw.unpack, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.mpoom39002.scr.3304820.6.raw.unpack, ---.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.mpoom39002.scr.3304820.6.raw.unpack, ---.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.mpoom39002.scr.32e49f0.7.raw.unpack, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.mpoom39002.scr.32e49f0.7.raw.unpack, ---.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.mpoom39002.scr.32e49f0.7.raw.unpack, ---.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.mpoom39002.scr.5f0000.2.raw.unpack, DarkComboBox.cs Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'
Source: 5.2.mpoom39002.scr.3253190.5.raw.unpack, DarkComboBox.cs Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'
Source: 5.2.mpoom39002.scr.3304820.6.raw.unpack, ---.cs Base64 encoded string: 'XXfgNbJ4cUyB+UHiB0C7jag8aawkdKKTNcpy851P8fBMaG9eLKQDE8LVCoqZKCl7'
Source: 5.2.mpoom39002.scr.32e49f0.7.raw.unpack, ---.cs Base64 encoded string: 'XXfgNbJ4cUyB+UHiB0C7jag8aawkdKKTNcpy851P8fBMaG9eLKQDE8LVCoqZKCl7'
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winDOC@7/10@3/2
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$THACHED SCAN-P.O SPECIFICATIONS.009.24. 001.doc
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr Mutant created: NULL
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVR63D1.tmp
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr File read: C:\Windows\System32\drivers\etc\hosts
Source: ATTHACHED SCAN-P.O SPECIFICATIONS.009.24. 001.doc ReversingLabs: Detection: 42%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\mpoom39002.scr "C:\Users\user\AppData\Roaming\mpoom39002.scr"
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr Process created: C:\Users\user\AppData\Roaming\mpoom39002.scr "C:\Users\user\AppData\Roaming\mpoom39002.scr"
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\mpoom39002.scr "C:\Users\user\AppData\Roaming\mpoom39002.scr"
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr Process created: C:\Users\user\AppData\Roaming\mpoom39002.scr "C:\Users\user\AppData\Roaming\mpoom39002.scr"
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: wow64win.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: wow64cpu.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: msi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: cryptsp.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: rpcrtremote.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dwmapi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: version.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: secur32.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: winhttp.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: webio.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: iphlpapi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: winnsi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dnsapi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: nlaapi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dhcpcsvc6.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dhcpcsvc.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: rasadhlp.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: credssp.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: ncrypt.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: bcrypt.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr Section loaded: wow64win.dll
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr Section loaded: wow64cpu.dll
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr Section loaded: bcrypt.dll
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr Section loaded: rpcrtremote.dll
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr Section loaded: wow64win.dll
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr Section loaded: wow64cpu.dll
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr Section loaded: bcrypt.dll
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr Section loaded: webio.dll
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr Section loaded: credssp.dll
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr Section loaded: rpcrtremote.dll
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr Section loaded: rasadhlp.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: wow64win.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: wow64cpu.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: msi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: cryptsp.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: rpcrtremote.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dwmapi.dll
Source: ATTHACHED SCAN-P.O SPECIFICATIONS.009.24. 001.LNK.0.dr LNK file: ..\..\..\..\..\Desktop\ATTHACHED SCAN-P.O SPECIFICATIONS.009.24. 001.doc
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb source: mpoom39002.scr, 00000005.00000002.346550493.0000000002201000.00000004.00000800.00020000.00000000.sdmp, mpoom39002.scr, 00000005.00000002.346411326.0000000000330000.00000004.08000000.00040000.00000000.sdmp
Source: mpoom[1].scr.2.dr Static PE information: 0x9F140DDE [Tue Jul 28 22:46:54 2054 UTC]
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_00346E33 push esi; ret 2_2_00346E37
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_0034683F push esi; ret 2_2_00346843
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_00346839 push esi; ret 2_2_0034683B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_00346A24 push ebp; ret 2_2_00346A27
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_0034902C push esp; ret 2_2_003491F3
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_00346E2B push esi; ret 2_2_00346E2F
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_00333E19 push cs; iretd 2_2_00333E1C
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_00346E0C push esi; ret 2_2_00346E27
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_00346471 push esi; ret 2_2_00346473
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_00346478 push esi; ret 2_2_0034647B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_00346A63 push ebp; ret 2_2_00346A67
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_00346A6B push ebp; ret 2_2_00346A6F
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_0034445D push ebp; ret 2_2_0034445F
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_00346A40 push ebp; ret 2_2_00346A5F
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_00349041 push esp; ret 2_2_003491F3
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_003464B7 push esi; ret 2_2_003464BB
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_003464BF push esi; ret 2_2_003464C3
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_003464AA push esi; ret 2_2_003464B3
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_00348895 push ebp; ret 2_2_00348897
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_00346882 push esi; ret 2_2_00346883
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_0034888D push ebp; ret 2_2_0034888F
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_00346888 push esi; ret 2_2_0034688B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_003490D4 push esp; ret 2_2_003491F3
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_003462D6 push ebx; ret 2_2_003462D7
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_003462DE push ebx; ret 2_2_003462DF
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_003462CE push ebx; ret 2_2_003462CF
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_0033A32E push eax; retn 0033h 2_2_0033A349
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_00344D10 push esp; ret 2_2_00345057
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_00338F59 push eax; retf 2_2_00338F61
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_00348FB1 push esp; ret 2_2_003491F3
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_003301F4 push eax; retf 2_2_003301F5
Source: mpoom[1].scr.2.dr Static PE information: section name: .text entropy: 7.638064581182766
Source: mpoom39002.scr.2.dr Static PE information: section name: .text entropy: 7.638064581182766

Persistence and Installation Behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Roaming\mpoom39002.scr
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\mpoom[1].scr
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr Memory allocated: 1E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr Memory allocated: 2200000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr Memory allocated: 440000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr Memory allocated: 1F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr Memory allocated: 2570000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr Memory allocated: 2C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 260 Thread sleep time: -240000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr TID: 3236 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr TID: 3312 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3468 Thread sleep time: -120000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr Code function: 6_2_001F608D LdrInitializeThunk, 6_2_001F608D
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr Memory allocated: page read and write | page guard Jump to behavior
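Added example (not part of the sandbox report): a small Python triage routine over delay records of the shape shown above. The report prints each sleep as a negative value with an "s" suffix; the example treats the magnitude as milliseconds, which is an assumption, but it is the reading under which 240000 becomes the 4-minute sleep that trips the "Contains long sleeps (>= 3 min)" signature. The 922337203685477 value equals Int64.MaxValue divided by 10,000 (100 ns ticks to milliseconds), the largest relative interval a 64-bit NT timer value can hold, so it is classified as an indefinite wait rather than added to a total. The sample lines are constructed from the records above, with the "Jump to behavior" link text kept as the page shows it.

```python
import re
from collections import defaultdict

# Threshold behind the report's "Contains long sleeps (>= 3 min)" signature.
LONG_SLEEP_MS = 3 * 60 * 1000

# Int64.MaxValue in 100 ns ticks converted to milliseconds: the largest relative
# interval a 64-bit NT timer value can hold, i.e. an indefinite wait.
INDEFINITE_MS = (2**63 - 1) // 10_000  # == 922337203685477

# Constructed sample records shaped like the report's evasion lines above.
# Assumption: the printed magnitude is milliseconds despite the "s" suffix.
SAMPLE_LINES = [
    "Source: C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE TID: 260 Thread sleep time: -240000s >= -30000s Jump to behavior",
    "Source: C:\\Users\\user\\AppData\\Roaming\\mpoom39002.scr TID: 3236 Thread sleep time: -922337203685477s >= -30000s Jump to behavior",
    "Source: C:\\Users\\user\\AppData\\Roaming\\mpoom39002.scr TID: 3312 Thread sleep time: -60000s >= -30000s Jump to behavior",
    "Source: C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE TID: 3468 Thread sleep time: -120000s >= -30000s Jump to behavior",
    "Source: C:\\Users\\user\\AppData\\Roaming\\mpoom39002.scr Thread delayed: delay time: 922337203685477 Jump to behavior",
    "Source: C:\\Users\\user\\AppData\\Roaming\\mpoom39002.scr Process token adjusted: Debug Jump to behavior",
]

# Process paths contain spaces, so the path is matched lazily up to the
# optional "TID: n" token and the delay keyword that follows it.
SLEEP_RE = re.compile(
    r"^Source: (?P<proc>.+?) (?:TID: (?P<tid>\d+) )?"
    r"(?:Thread sleep time: -(?P<sleep>\d+)s >= -\d+s"
    r"|Thread delayed: delay time: (?P<delay>\d+))"
    r"(?: Jump to behavior)?$"
)


def parse_delay(line):
    """Return (process_path, tid_or_None, delay_ms) for a delay record, else None."""
    m = SLEEP_RE.match(line.strip())
    if not m:
        return None
    ms = int(m.group("sleep") or m.group("delay"))
    tid = int(m.group("tid")) if m.group("tid") else None
    return m.group("proc"), tid, ms


def classify(ms):
    """Bucket one delay: indefinite sentinel, long (>= 3 min) or short."""
    if ms >= INDEFINITE_MS:
        return "indefinite"
    if ms >= LONG_SLEEP_MS:
        return "long"
    return "short"


def triage(lines):
    """Group delay records per process: worst class, record count and total finite sleep."""
    rank = {"short": 0, "long": 1, "indefinite": 2}
    findings = defaultdict(lambda: {"worst": "short", "total_finite_ms": 0, "records": 0})
    for line in lines:
        rec = parse_delay(line)
        if rec is None:
            continue  # not a delay record (e.g. token adjustment)
        proc, _tid, ms = rec
        f = findings[proc]
        f["records"] += 1
        cls = classify(ms)
        if rank[cls] > rank[f["worst"]]:
            f["worst"] = cls
        if cls != "indefinite":
            f["total_finite_ms"] += ms  # sentinel waits would swamp the total
    return dict(findings)


if __name__ == "__main__":
    for proc, f in triage(SAMPLE_LINES).items():
        print(f"{proc}: worst={f['worst']} records={f['records']} finite_total_ms={f['total_finite_ms']}")
```

Run as a script it prints one summary line per process; EQNEDT32.EXE comes out as "long" (two finite sleeps totalling six minutes) and the dropped .scr as "indefinite", which is the distinction an analyst wants before deciding whether a sandbox run simply timed out or the payload deliberately parked a thread.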

HIPS / PFW / Operating System Protection Evasion

Source: 5.2.mpoom39002.scr.220f0cc.3.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 5.2.mpoom39002.scr.220f0cc.3.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 5.2.mpoom39002.scr.220f0cc.3.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs Reference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num3 + 8, ref buffer, 4, ref bytesRead)
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr Memory written: C:\Users\user\AppData\Roaming\mpoom39002.scr base: 80000 value starts with: 4D5A Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\mpoom39002.scr "C:\Users\user\AppData\Roaming\mpoom39002.scr" Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr Process created: C:\Users\user\AppData\Roaming\mpoom39002.scr "C:\Users\user\AppData\Roaming\mpoom39002.scr" Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr Queries volume information: C:\Users\user\AppData\Roaming\mpoom39002.scr VolumeInformation Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
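Added example (not from the report or the sample): the "Memory written ... value starts with: 4D5A" record above is a PE image being written into the second mpoom39002.scr instance, and the ReadProcessMemory(..., num3 + 8, ...) reference matches the read of ImageBaseAddress at offset 8 of a 32-bit PEB that RunPE-style loaders perform on a suspended child before remapping it. When an analyst dumps such a written buffer, the first checks are whether it parses as a PE, its bitness, the base it was linked for versus the address it was written at (0x80000 here), and whether it carries a CLR header (a managed image, consistent with the .NET source references above). The Python below performs those checks with the standard library only; the header it builds for the demonstration is constructed test data with assumed values (image base 0x400000, entry RVA 0x2000, CLR header RVA 0x2008), not bytes from the sample.

```python
import struct

# Constructed test data: a minimal PE32 header block (DOS stub, PE signature,
# COFF header, optional header with 16 data directories). Assumed values, not
# the sample's bytes; only headers are built because only headers are inspected.
def build_sample_pe32(image_base=0x400000, entry_rva=0x2000, clr_rva=0x2008):
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # COFF: Machine=I386, 1 section, no symbols, SizeOfOptionalHeader=0xE0,
    # Characteristics = EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)     # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)    # ImageBase (32-bit)
    struct.pack_into("<I", opt, 32, 0x1000)        # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)         # FileAlignment
    struct.pack_into("<I", opt, 56, 0x4000)        # SizeOfImage
    struct.pack_into("<H", opt, 68, 2)             # Subsystem: Windows GUI
    struct.pack_into("<I", opt, 92, 16)            # NumberOfRvaAndSizes
    # Data directory 14 is the CLR runtime header; non-zero marks a managed image.
    struct.pack_into("<II", opt, 96 + 14 * 8, clr_rva, 0x48 if clr_rva else 0)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def triage_written_buffer(buf, written_at=None):
    """Parse the headers of a buffer written into a foreign process.

    Returns the facts an analyst checks before dumping: PE or not, bitness,
    DLL flag, preferred ImageBase, absolute entry point, SizeOfImage, section
    count, whether a CLR header is present, and whether the write address
    differs from the linked base (so relocations or a base fix-up are implied).
    """
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return {"is_pe": False, "reason": "no MZ signature"}
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if e_lfanew + 24 > len(buf) or buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return {"is_pe": False, "reason": "no PE signature at e_lfanew"}
    machine, nsections, _ts, _psym, _nsym, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", buf, e_lfanew + 4)
    opt = e_lfanew + 24
    if opt + opt_size > len(buf):
        return {"is_pe": False, "reason": "optional header truncated"}
    magic = struct.unpack_from("<H", buf, opt)[0]
    if magic == 0x10B:    # PE32: ImageBase is a DWORD at +28, directories at +96
        bits, image_base = 32, struct.unpack_from("<I", buf, opt + 28)[0]
        ndirs_off, dirs_off = 92, 96
    elif magic == 0x20B:  # PE32+: ImageBase is a QWORD at +24, directories at +112
        bits, image_base = 64, struct.unpack_from("<Q", buf, opt + 24)[0]
        ndirs_off, dirs_off = 108, 112
    else:
        return {"is_pe": False, "reason": "unknown optional header magic 0x%x" % magic}
    entry_rva = struct.unpack_from("<I", buf, opt + 16)[0]
    size_of_image = struct.unpack_from("<I", buf, opt + 56)[0]
    ndirs = struct.unpack_from("<I", buf, opt + ndirs_off)[0]
    clr_rva = clr_size = 0
    if ndirs > 14 and opt + dirs_off + 15 * 8 <= len(buf):
        clr_rva, clr_size = struct.unpack_from("<II", buf, opt + dirs_off + 14 * 8)
    return {
        "is_pe": True,
        "machine": machine,
        "bits": bits,
        "is_dll": bool(chars & 0x2000),
        "image_base": image_base,
        "entry_point": image_base + entry_rva,
        "size_of_image": size_of_image,
        "sections": nsections,
        "is_dotnet": clr_rva != 0 and clr_size != 0,
        "relocated": None if written_at is None else written_at != image_base,
    }


if __name__ == "__main__":
    # 0x80000 is the write address the report records for the injected image.
    info = triage_written_buffer(build_sample_pe32(), written_at=0x80000)
    for k, v in info.items():
        print(f"{k}: {hex(v) if isinstance(v, int) and not isinstance(v, bool) else v}")
```

The "relocated" flag is the useful caveat: a managed image written somewhere other than its linked ImageBase still runs because the CLR resolves addresses at JIT time, so for .NET payloads a base mismatch is not evidence of a broken dump, whereas for a native image it means the relocation directory must be applied before the dump is analysed in a disassembler.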

Stealing of Sensitive Information

Source: Yara match File source: 6.2.mpoom39002.scr.80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.mpoom39002.scr.3304820.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.mpoom39002.scr.32e49f0.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.mpoom39002.scr.3304820.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.mpoom39002.scr.32e49f0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.610421955.0000000000082000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.610871385.0000000002616000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.346612206.00000000032A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.610871385.0000000002571000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: mpoom39002.scr PID: 3216, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: mpoom39002.scr PID: 3248, type: MEMORYSTR
Source: Yara match File source: 6.2.mpoom39002.scr.80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.mpoom39002.scr.3304820.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.mpoom39002.scr.32e49f0.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.mpoom39002.scr.3304820.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.mpoom39002.scr.32e49f0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.610421955.0000000000082000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.346612206.00000000032A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: mpoom39002.scr PID: 3216, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: mpoom39002.scr PID: 3248, type: MEMORYSTR
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\ Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 Jump to behavior
Source: Yara match File source: 6.2.mpoom39002.scr.80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.mpoom39002.scr.3304820.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.mpoom39002.scr.32e49f0.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.mpoom39002.scr.3304820.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.mpoom39002.scr.32e49f0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.610421955.0000000000082000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.346612206.00000000032A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: mpoom39002.scr PID: 3216, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: mpoom39002.scr PID: 3248, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 6.2.mpoom39002.scr.80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.mpoom39002.scr.3304820.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.mpoom39002.scr.32e49f0.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.mpoom39002.scr.3304820.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.mpoom39002.scr.32e49f0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.610421955.0000000000082000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.610871385.0000000002616000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.346612206.00000000032A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.610871385.0000000002571000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: mpoom39002.scr PID: 3216, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: mpoom39002.scr PID: 3248, type: MEMORYSTR
Source: Yara match File source: 6.2.mpoom39002.scr.80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.mpoom39002.scr.3304820.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.mpoom39002.scr.32e49f0.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.mpoom39002.scr.3304820.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.mpoom39002.scr.32e49f0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.610421955.0000000000082000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.346612206.00000000032A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: mpoom39002.scr PID: 3216, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: mpoom39002.scr PID: 3248, type: MEMORYSTR