Windows Analysis Report
Bank Slip 2.doc

Overview

General Information

Sample name:	Bank Slip 2.doc
Analysis ID:	1465556
MD5:	ff06a87dd0550386be1f780d560f1877
SHA1:	69e95738ec635520a508f7424a759261e5032cb0
SHA256:	511c82313461b74fe24201d13dead6a280311d248062e09a465eb950502d1c18
Tags:	doc
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: File Dropped By EQNEDT32EXE

Yara detected Snake Keylogger

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Document exploit detected (process start blacklist hit)

Injects a PE file into a foreign processes

Installs new ROOT certificates

Machine Learning detection for dropped file

Office equation editor drops PE file

Office equation editor establishes network connection

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Sigma detected: Equation Editor Network Connection

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Suspicious Binary In User Directory Spawned From Office Application

Sigma detected: Suspicious Microsoft Office Child Process

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected Generic Downloader

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Office Equation Editor has been started

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious DNS Query for IP Lookup Service APIs

Stores large binary data to the registry

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Signatures

AV Detection

Antivirus detection for URL or domain

Source: https://ampol.top/FcdBUj68lnCbMtB.exe	Avira URL Cloud: Label: malware
Source: https://ampol.top/FcdBUj68lnCbMtB.exej	Avira URL Cloud: Label: malware
Source: https://ampol.top/	Avira URL Cloud: Label: malware
Source: https://ampol.top/FcdBUj68lnCbMtB.exettC:	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000005.00000002.366574375.0000000003579000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "reservation@artefes.com", "Password": "ArtEfes4765*+", "Host": "mail.artefes.com", "Port": "587", "Version": "5.1"}

Multi AV Scanner detection for submitted file

Source: Bank Slip 2.doc

ReversingLabs: Detection: 39%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\FcdBUj68lnCbMtB[1].exe	Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Exploits

Office equation editor establishes network connection

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Network connect: IP: 104.21.53.203 Port: 443

Jump to behavior

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\obie8920193.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\obie8920193.exe			Jump to behavior

Office Equation Editor has been started

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49165 version: TLS 1.0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 104.21.53.203:443 -> 192.168.2.22:49163 version: TLS 1.2

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 001C289Bh	5_2_001C230D
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	7_2_003C5038
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 003C7B81h	7_2_003C78C1
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 003C5D07h	7_2_003C5B18
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 003C6691h	7_2_003C5B18
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 003C8143h	7_2_003C7D30
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 003C6A01h	7_2_003C6740
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 003C72C1h	7_2_003C7000
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 003C8143h	7_2_003C8072
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 003C6E61h	7_2_003C6BA0
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 003C7721h	7_2_003C7460
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 005746F1h	7_2_00574448
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 0057ACF1h	7_2_0057AA48
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 00579711h	7_2_00579468
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 00575CA9h	7_2_00575A00
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 00572CE1h	7_2_00572A38
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 005712D1h	7_2_00571028
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 0057C2D1h	7_2_0057C028
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 00571B81h	7_2_005718D8
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 0057CC15h	7_2_0057C8D8
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 00574FA1h	7_2_00574CF8
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 00573591h	7_2_005732E8
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 00579B91h	7_2_005798E8
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 00573139h	7_2_00572E90
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	7_2_00577698
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 00571729h	7_2_00571480
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 0057C729h	7_2_0057C480
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 00574B49h	7_2_005748A0
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 0057B149h	7_2_0057AEA0
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 005753F9h	7_2_00575150
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 005739E9h	7_2_00573740
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 00579FE9h	7_2_00579D40
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 00570A21h	7_2_00570778
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 0057BA21h	7_2_0057B778
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 00571FD9h	7_2_00571D30
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 005705C9h	7_2_00570320
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 0057B5CAh	7_2_0057B320
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 00570E79h	7_2_00570BD0
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 0057BE79h	7_2_0057BBD0
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 00574299h	7_2_00573FF0
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 0057A899h	7_2_0057A5F0
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 00572889h	7_2_005725E0
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 00573E41h	7_2_00573B98
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 0057A441h	7_2_0057A198
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 00572431h	7_2_00572188
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	7_2_005779AE
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 00575851h	7_2_005755A8

Potential document exploit detected (performs DNS queries)

Source: global traffic	DNS query: name: ampol.top
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: reallyfreegeoip.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: reallyfreegeoip.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: reallyfreegeoip.org
Source: global traffic	DNS query: name: reallyfreegeoip.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: reallyfreegeoip.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: reallyfreegeoip.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: reallyfreegeoip.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: reallyfreegeoip.org

Potential document exploit detected (performs HTTP gets)

Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 158.101.44.242:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 158.101.44.242:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 158.101.44.242:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 193.122.6.168:80
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 193.122.130.0:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 158.101.44.242:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 158.101.44.242:80
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 193.122.130.0:80
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 193.122.130.0:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 188.114.96.3:443

Potential document exploit detected (unknown TCP traffic)

Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 158.101.44.242:80
Source: global traffic	TCP traffic: 158.101.44.242:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 158.101.44.242:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 158.101.44.242:80
Source: global traffic	TCP traffic: 158.101.44.242:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 158.101.44.242:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 158.101.44.242:80
Source: global traffic	TCP traffic: 158.101.44.242:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 158.101.44.242:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 158.101.44.242:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 158.101.44.242:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 158.101.44.242:80
Source: global traffic	TCP traffic: 158.101.44.242:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 158.101.44.242:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 158.101.44.242:80
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 158.101.44.242:80
Source: global traffic	TCP traffic: 158.101.44.242:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 158.101.44.242:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 193.122.6.168:80
Source: global traffic	TCP traffic: 193.122.6.168:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 193.122.6.168:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 193.122.6.168:80
Source: global traffic	TCP traffic: 193.122.6.168:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 193.122.6.168:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 193.122.6.168:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 193.122.6.168:80
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 193.122.6.168:80
Source: global traffic	TCP traffic: 193.122.6.168:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 193.122.6.168:80
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 193.122.130.0:80
Source: global traffic	TCP traffic: 193.122.130.0:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 193.122.130.0:80
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 193.122.130.0:80
Source: global traffic	TCP traffic: 193.122.130.0:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 193.122.130.0:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 193.122.130.0:80
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 158.101.44.242:80
Source: global traffic	TCP traffic: 158.101.44.242:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 158.101.44.242:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 158.101.44.242:80
Source: global traffic	TCP traffic: 158.101.44.242:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 158.101.44.242:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 158.101.44.242:80
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 158.101.44.242:80
Source: global traffic	TCP traffic: 158.101.44.242:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 158.101.44.242:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 158.101.44.242:80
Source: global traffic	TCP traffic: 158.101.44.242:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 158.101.44.242:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 158.101.44.242:80
Source: global traffic	TCP traffic: 158.101.44.242:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 158.101.44.242:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 158.101.44.242:80
Source: global traffic	TCP traffic: 158.101.44.242:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 158.101.44.242:80
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 158.101.44.242:80
Source: global traffic	TCP traffic: 158.101.44.242:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 158.101.44.242:80
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 193.122.130.0:80
Source: global traffic	TCP traffic: 193.122.130.0:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 193.122.130.0:80
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 193.122.130.0:80
Source: global traffic	TCP traffic: 193.122.130.0:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 193.122.130.0:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 188.114.96.3:443

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 7.2.obie8920193.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.obie8920193.exe.3599d70.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.obie8920193.exe.3579550.10.raw.unpack, type: UNPACKEDPE

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 193.122.6.168 193.122.6.168
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View	JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

May check the online IP address of the machine

Source: C:\Users\user\AppData\Roaming\obie8920193.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	DNS query: name: reallyfreegeoip.org

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /FcdBUj68lnCbMtB.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: ampol.topConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49165 version: TLS 1.0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{57BE0F5E-0BF5-4CE6-96F3-B3AC962F851D}.tmp

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /FcdBUj68lnCbMtB.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: ampol.topConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: EQNEDT32.EXE, 00000002.00000002.354581271.000000000063A000.00000004.00000020.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864185355.0000000000514000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: global traffic	DNS traffic detected: DNS query: ampol.top
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: obie8920193.exe, 00000007.00000002.864677424.0000000002367000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002392000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.00000000023CE000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.00000000022D4000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002385000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002374000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.00000000023C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: obie8920193.exe, 00000007.00000002.864677424.00000000022C5000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002367000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002392000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.00000000023CE000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.00000000022D4000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002385000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002374000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.00000000023C0000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.00000000023A0000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002317000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: obie8920193.exe, 00000007.00000002.865491806.0000000005884000.00000004.00000020.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002231000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: obie8920193.exe, 00000005.00000002.366574375.0000000003579000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864143938.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: EQNEDT32.EXE, 00000002.00000002.354581271.000000000063A000.00000004.00000020.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.865491806.0000000005870000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: EQNEDT32.EXE, 00000002.00000002.354581271.00000000005FF000.00000004.00000020.00020000.00000000.sdmp, obie8920193.exe.2.dr, FcdBUj68lnCbMtB[1].exe.2.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: EQNEDT32.EXE, 00000002.00000002.354581271.00000000005FF000.00000004.00000020.00020000.00000000.sdmp, obie8920193.exe.2.dr, FcdBUj68lnCbMtB[1].exe.2.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: EQNEDT32.EXE, 00000002.00000002.354581271.000000000063A000.00000004.00000020.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864185355.0000000000514000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: EQNEDT32.EXE, 00000002.00000002.354581271.000000000063A000.00000004.00000020.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864185355.0000000000514000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: EQNEDT32.EXE, 00000002.00000002.354581271.000000000063A000.00000004.00000020.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864185355.0000000000514000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: EQNEDT32.EXE, 00000002.00000002.354581271.000000000063A000.00000004.00000020.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.865491806.0000000005870000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: EQNEDT32.EXE, 00000002.00000002.354581271.000000000063A000.00000004.00000020.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864185355.0000000000514000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: EQNEDT32.EXE, 00000002.00000002.354581271.000000000063A000.00000004.00000020.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864185355.0000000000514000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: EQNEDT32.EXE, 00000002.00000002.354581271.000000000063A000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.354581271.00000000005FF000.00000004.00000020.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864185355.0000000000514000.00000004.00000020.00020000.00000000.sdmp, obie8920193.exe.2.dr, FcdBUj68lnCbMtB[1].exe.2.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: EQNEDT32.EXE, 00000002.00000002.354581271.000000000063A000.00000004.00000020.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864185355.0000000000514000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: EQNEDT32.EXE, 00000002.00000002.354581271.000000000063A000.00000004.00000020.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864185355.0000000000514000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: EQNEDT32.EXE, 00000002.00000002.354581271.000000000063A000.00000004.00000020.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864185355.0000000000514000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: EQNEDT32.EXE, 00000002.00000002.354581271.000000000063A000.00000004.00000020.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864185355.0000000000514000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: EQNEDT32.EXE, 00000002.00000002.354581271.000000000063A000.00000004.00000020.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864185355.0000000000514000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: EQNEDT32.EXE, 00000002.00000002.354581271.000000000063A000.00000004.00000020.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864185355.0000000000514000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: obie8920193.exe, 00000007.00000002.864677424.0000000002367000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002392000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.00000000023CE000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002385000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002374000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.00000000022EC000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.00000000023C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: obie8920193.exe, 00000005.00000002.366421408.0000000002571000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002231000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: EQNEDT32.EXE, 00000002.00000002.354581271.000000000063A000.00000004.00000020.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864185355.0000000000514000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: EQNEDT32.EXE, 00000002.00000002.354581271.000000000063A000.00000004.00000020.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864185355.0000000000514000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: obie8920193.exe.2.dr, FcdBUj68lnCbMtB[1].exe.2.dr	String found in binary or memory: http://www.opcom.ro/rapoarte/export_csv_raportPIPsiVolumTranzactionat_PI.php?zi=
Source: obie8920193.exe.2.dr, FcdBUj68lnCbMtB[1].exe.2.dr	String found in binary or memory: http://www.opcom.ro/rapoarte/export_xml_PIPsiVolTranPI.php?zi=
Source: EQNEDT32.EXE, 00000002.00000002.354581271.00000000005FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ampol.top/
Source: EQNEDT32.EXE, 00000002.00000002.354581271.00000000005BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ampol.top/FcdBUj68lnCbMtB.exe
Source: EQNEDT32.EXE, 00000002.00000002.354581271.00000000005BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ampol.top/FcdBUj68lnCbMtB.exej
Source: EQNEDT32.EXE, 00000002.00000002.354581271.00000000005BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ampol.top/FcdBUj68lnCbMtB.exettC:
Source: obie8920193.exe, 00000007.00000002.864677424.0000000002367000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002392000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.00000000023CE000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.00000000022D4000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002385000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002374000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.00000000023C0000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002317000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: obie8920193.exe, 00000005.00000002.366574375.0000000003579000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864143938.0000000000402000.00000040.00000400.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.00000000022D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: obie8920193.exe, 00000007.00000002.864677424.0000000002317000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: obie8920193.exe, 00000007.00000002.864677424.0000000002367000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002392000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.00000000023CE000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002385000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002374000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.00000000023C0000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002317000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.334
Source: EQNEDT32.EXE, 00000002.00000002.354581271.000000000063A000.00000004.00000020.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864185355.0000000000514000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: EQNEDT32.EXE, 00000002.00000002.354913231.0000000004379000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.354581271.00000000005FF000.00000004.00000020.00020000.00000000.sdmp, obie8920193.exe.2.dr, FcdBUj68lnCbMtB[1].exe.2.dr	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

Source: unknown	Network traffic detected: HTTP traffic on port 49163 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49178
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown	Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49176
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49163
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49174
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49172
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown	Network traffic detected: HTTP traffic on port 49172 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49176 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49166 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49174 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49178 -> 443

Source: unknown

HTTPS traffic detected: 104.21.53.203:443 -> 192.168.2.22:49163 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: Bank Slip 2.doc, type: SAMPLE	Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
Source: 5.2.obie8920193.exe.3599d70.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.obie8920193.exe.3599d70.8.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.obie8920193.exe.3599d70.8.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 5.2.obie8920193.exe.3599d70.8.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 5.2.obie8920193.exe.3579550.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.obie8920193.exe.3579550.10.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.obie8920193.exe.3579550.10.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 5.2.obie8920193.exe.3579550.10.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 7.2.obie8920193.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.obie8920193.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.obie8920193.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 7.2.obie8920193.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 5.2.obie8920193.exe.3599d70.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.obie8920193.exe.3599d70.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.obie8920193.exe.3599d70.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 5.2.obie8920193.exe.3599d70.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 5.2.obie8920193.exe.3579550.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.obie8920193.exe.3579550.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.obie8920193.exe.3579550.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 5.2.obie8920193.exe.3579550.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000007.00000002.864143938.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000007.00000002.864143938.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000005.00000002.366574375.0000000003579000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000005.00000002.366574375.0000000003579000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: obie8920193.exe PID: 3152, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: obie8920193.exe PID: 3152, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: obie8920193.exe PID: 3244, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: obie8920193.exe PID: 3244, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Office equation editor drops PE file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\obie8920193.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\FcdBUj68lnCbMtB[1].exe			Jump to dropped file

Abnormal high CPU Usage

Source: C:\Users\user\AppData\Roaming\obie8920193.exe

Process Stats: CPU usage > 49%

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 770B0000 page execute and read and write	Jump to behavior

Detected potential crypto function

Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 5_2_001C1C58	5_2_001C1C58
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 5_2_002605E0	5_2_002605E0
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 5_2_0026F0C8	5_2_0026F0C8
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 5_2_002612C9	5_2_002612C9
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 5_2_0026E370	5_2_0026E370
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 5_2_0026E7A8	5_2_0026E7A8
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 5_2_0026E798	5_2_0026E798
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 5_2_0026FA60	5_2_0026FA60
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 5_2_0026FA70	5_2_0026FA70
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 5_2_0026EC90	5_2_0026EC90
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_003C5038	7_2_003C5038
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_003C3055	7_2_003C3055
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_003C3891	7_2_003C3891
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_003C78C1	7_2_003C78C1
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_003C4130	7_2_003C4130
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_003C2910	7_2_003C2910
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_003CD1D8	7_2_003CD1D8
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_003C8A19	7_2_003C8A19
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_003C5B18	7_2_003C5B18
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_003C3B72	7_2_003C3B72
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_003C2BF1	7_2_003C2BF1
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_003C844A	7_2_003C844A
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_003C35B0	7_2_003C35B0
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_003C3E50	7_2_003C3E50
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_003CC750	7_2_003CC750
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_003C6740	7_2_003C6740
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_003C7000	7_2_003C7000
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_003C6BA0	7_2_003C6BA0
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_003C7460	7_2_003C7460
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_003CC740	7_2_003CC740
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_003CBFBA	7_2_003CBFBA
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_003CBFC8	7_2_003CBFC8
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00575E58	7_2_00575E58
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_0057F460	7_2_0057F460
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_0057EE10	7_2_0057EE10
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_0057D4E0	7_2_0057D4E0
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_0057E178	7_2_0057E178
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_0057DB30	7_2_0057DB30
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_0057E7C0	7_2_0057E7C0
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00579459	7_2_00579459
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00574448	7_2_00574448
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_0057AA48	7_2_0057AA48
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00571471	7_2_00571471
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00579468	7_2_00579468
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00577A10	7_2_00577A10
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00571018	7_2_00571018
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00575A00	7_2_00575A00
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_0057443E	7_2_0057443E
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00572A38	7_2_00572A38
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_0057AA38	7_2_0057AA38
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00571028	7_2_00571028
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_0057C028	7_2_0057C028
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00572A28	7_2_00572A28
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_005732D9	7_2_005732D9
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_005718D8	7_2_005718D8
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_0057C8D8	7_2_0057C8D8
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_005718C9	7_2_005718C9
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00576CC8	7_2_00576CC8
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00574CF8	7_2_00574CF8
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00574CEA	7_2_00574CEA
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_005732E8	7_2_005732E8
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_005798E8	7_2_005798E8
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00572E90	7_2_00572E90
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00574890	7_2_00574890
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_0057AE90	7_2_0057AE90
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00577698	7_2_00577698
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00572E81	7_2_00572E81
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00571480	7_2_00571480
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_0057C480	7_2_0057C480
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00576CBC	7_2_00576CBC
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_005748A0	7_2_005748A0
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_0057AEA0	7_2_0057AEA0
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00575150	7_2_00575150
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00573740	7_2_00573740
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00579D40	7_2_00579D40
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00575140	7_2_00575140
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00570778	7_2_00570778
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_0057B778	7_2_0057B778
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00572178	7_2_00572178
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_0057B767	7_2_0057B767
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00570768	7_2_00570768
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_0057B311	7_2_0057B311
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00570310	7_2_00570310
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00578708	7_2_00578708
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00573732	7_2_00573732
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00571D30	7_2_00571D30
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00570320	7_2_00570320
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_0057B320	7_2_0057B320
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00571D20	7_2_00571D20
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_005725D1	7_2_005725D1
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00570BD0	7_2_00570BD0
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_0057BBD0	7_2_0057BBD0
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00570BC2	7_2_00570BC2
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_0057BBC1	7_2_0057BBC1
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_005759F2	7_2_005759F2
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00573FF0	7_2_00573FF0
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_0057A5F0	7_2_0057A5F0
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_0057A5E1	7_2_0057A5E1
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_005725E0	7_2_005725E0
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00573FEA	7_2_00573FEA
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00573B98	7_2_00573B98
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_0057A198	7_2_0057A198
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00575598	7_2_00575598
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00572188	7_2_00572188
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00573B88	7_2_00573B88
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_0057A188	7_2_0057A188
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_005755A8	7_2_005755A8
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00690040	7_2_00690040
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00690CD8	7_2_00690CD8
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00690690	7_2_00690690
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00690006	7_2_00690006

Yara signature match

Source: Bank Slip 2.doc, type: SAMPLE	Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
Source: 5.2.obie8920193.exe.3599d70.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.obie8920193.exe.3599d70.8.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.obie8920193.exe.3599d70.8.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.obie8920193.exe.3599d70.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 5.2.obie8920193.exe.3579550.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.obie8920193.exe.3579550.10.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.obie8920193.exe.3579550.10.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.obie8920193.exe.3579550.10.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 7.2.obie8920193.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.obie8920193.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.obie8920193.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 7.2.obie8920193.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 5.2.obie8920193.exe.3599d70.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.obie8920193.exe.3599d70.8.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.obie8920193.exe.3599d70.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.obie8920193.exe.3599d70.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 5.2.obie8920193.exe.3579550.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.obie8920193.exe.3579550.10.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.obie8920193.exe.3579550.10.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.obie8920193.exe.3579550.10.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000007.00000002.864143938.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000007.00000002.864143938.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000005.00000002.366574375.0000000003579000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000005.00000002.366574375.0000000003579000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: obie8920193.exe PID: 3152, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: obie8920193.exe PID: 3152, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: obie8920193.exe PID: 3244, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: obie8920193.exe PID: 3244, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: FcdBUj68lnCbMtB[1].exe.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: obie8920193.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 5.2.obie8920193.exe.3599d70.8.raw.unpack, zi--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.obie8920193.exe.3599d70.8.raw.unpack, zi--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.obie8920193.exe.3599d70.8.raw.unpack, ----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.obie8920193.exe.3599d70.8.raw.unpack, ----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.obie8920193.exe.3579550.10.raw.unpack, zi--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.obie8920193.exe.3579550.10.raw.unpack, zi--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.obie8920193.exe.3579550.10.raw.unpack, ----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.obie8920193.exe.3579550.10.raw.unpack, ----.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 5.2.obie8920193.exe.38e9930.9.raw.unpack, W69GQbvchlGWfxEUg3.cs	Security API names: _0020.SetAccessControl
Source: 5.2.obie8920193.exe.38e9930.9.raw.unpack, W69GQbvchlGWfxEUg3.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 5.2.obie8920193.exe.38e9930.9.raw.unpack, W69GQbvchlGWfxEUg3.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 5.2.obie8920193.exe.4ea0000.12.raw.unpack, W69GQbvchlGWfxEUg3.cs	Security API names: _0020.SetAccessControl
Source: 5.2.obie8920193.exe.4ea0000.12.raw.unpack, W69GQbvchlGWfxEUg3.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 5.2.obie8920193.exe.4ea0000.12.raw.unpack, W69GQbvchlGWfxEUg3.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 5.2.obie8920193.exe.38e9930.9.raw.unpack, BR4r9SHUAmvVNPGE5t.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 5.2.obie8920193.exe.4ea0000.12.raw.unpack, BR4r9SHUAmvVNPGE5t.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 5.2.obie8920193.exe.3887310.11.raw.unpack, BR4r9SHUAmvVNPGE5t.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 5.2.obie8920193.exe.3887310.11.raw.unpack, W69GQbvchlGWfxEUg3.cs	Security API names: _0020.SetAccessControl
Source: 5.2.obie8920193.exe.3887310.11.raw.unpack, W69GQbvchlGWfxEUg3.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 5.2.obie8920193.exe.3887310.11.raw.unpack, W69GQbvchlGWfxEUg3.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)

Source: 5.2.obie8920193.exe.4c0000.2.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 5.2.obie8920193.exe.2734d44.5.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 5.2.obie8920193.exe.2755f14.7.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winDOC@9/14@25/5

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$nk Slip 2.doc

Jump to behavior

Source: C:\Users\user\AppData\Roaming\obie8920193.exe

Mutant created: NULL

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR737A.tmp

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................L.......a..........................s............................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................L.......m..........................s............................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................L..................................s............................../.............	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................L..................................s............................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................L..................................s............................../.............	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................L..................................s............................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................a.g.a.i.n.......................L..................................s............................../.............	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................L..................................s............................../.............	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.L..................................s.................... ........./.............	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................L..................................s............................../.............	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................L..................................s............................../.............	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................L..................................s............................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~................................s....................$........./.............	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................L.......!..........................s............................../.............	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................L.......3..........................s............................../.............	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................L.......?..........................s............................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n..................s....................2........./.............	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................L.......]..........................s............................../.............	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................L.......o..........................s....................l........./.............	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................L.......{..........................s............................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......(.P.....................L..................................s............................../.............	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................L..................................s............................../.............	Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Bank Slip 2.doc

ReversingLabs: Detection: 39%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\obie8920193.exe "C:\Users\user\AppData\Roaming\obie8920193.exe"
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\obie8920193.exe"
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process created: C:\Users\user\AppData\Roaming\obie8920193.exe "C:\Users\user\AppData\Roaming\obie8920193.exe"
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\obie8920193.exe "C:\Users\user\AppData\Roaming\obie8920193.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\obie8920193.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process created: C:\Users\user\AppData\Roaming\obie8920193.exe "C:\Users\user\AppData\Roaming\obie8920193.exe"	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: msi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: webio.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: credssp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Section loaded: credssp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: msi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dwmapi.dll	Jump to behavior

Source: C:\Users\user\AppData\Roaming\obie8920193.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32

Jump to behavior

Source: Bank Slip 2.LNK.0.dr

LNK file: ..\..\..\..\..\Desktop\Bank Slip 2.doc

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Roaming\obie8920193.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Data Obfuscation

.NET source code contains potential unpacker

Source: FcdBUj68lnCbMtB[1].exe.2.dr, OptionsWindow.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: obie8920193.exe.2.dr, OptionsWindow.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 5.2.obie8920193.exe.38e9930.9.raw.unpack, W69GQbvchlGWfxEUg3.cs	.Net Code: LjBwfxGmLB5enfYePel System.Reflection.Assembly.Load(byte[])
Source: 5.2.obie8920193.exe.4ea0000.12.raw.unpack, W69GQbvchlGWfxEUg3.cs	.Net Code: LjBwfxGmLB5enfYePel System.Reflection.Assembly.Load(byte[])
Source: 5.2.obie8920193.exe.3887310.11.raw.unpack, W69GQbvchlGWfxEUg3.cs	.Net Code: LjBwfxGmLB5enfYePel System.Reflection.Assembly.Load(byte[])

Uses code obfuscation techniques (call, push, ret)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_005D5355 push esp; ret	2_2_005D5357
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_005D887D push dword ptr [esi+ebp*4-4Eh]; ret	2_2_005D8883
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_005CA67E push ecx; iretd	2_2_005CA67F
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_005D667A push esp; ret	2_2_005D667B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_005D666A push esp; ret	2_2_005D666B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_005C8F60 push eax; retf	2_2_005C8F61
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_005D6319 push ebp; ret	2_2_005D631B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_005D6311 push ebp; ret	2_2_005D6313
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_005D4E01 push ebx; ret	2_2_005D4E1B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_005D4E2A push ebx; ret	2_2_005D4E2B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_005D6C25 push esp; ret	2_2_005D6C27
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_005D4E22 push ebx; ret	2_2_005D4E23
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_005D66D1 push esp; ret	2_2_005D66EB
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_005D6ACC push esi; ret	2_2_005D6B2B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_005CA6CE push ecx; iretd	2_2_005CA6CF
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_005D6ACA push esi; ret	2_2_005D6ACB
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_005C01F4 push eax; retf	2_2_005C01F5
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_005D448F push esp; ret	2_2_005D4493
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_005CC288 pushad ; retn 005Ch	2_2_005CC289
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_005D66B0 push esp; ret	2_2_005D66B3
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_005D66AA push esp; ret	2_2_005D66AB

Source: FcdBUj68lnCbMtB[1].exe.2.dr	Static PE information: section name: .text entropy: 7.956474075976922
Source: obie8920193.exe.2.dr	Static PE information: section name: .text entropy: 7.956474075976922

Source: 5.2.obie8920193.exe.38e9930.9.raw.unpack, zSxtCKQlluoBoaYfXp.cs	High entropy of concatenated method names: 'OgnRHMcNY5', 'vmCRol41YF', 'Q0uR2RhZuy', 'zMfRufRBTY', 'fpcRpi2xKw', 'v75RKhYLrv', 'xsjRB7Mp23', 'tHcRw0kPul', 'KRLRIlCq1d', 'dSiRnK2hl9'
Source: 5.2.obie8920193.exe.38e9930.9.raw.unpack, Oas0CkJLP86ncCAk06.cs	High entropy of concatenated method names: 'GHXsAR4r9S', 'lAmsvvVNPG', 'Exds8tG6SW', 'MXGsLTh54W', 'NsusdBgHPI', 'dJas3JNOwr', 'aNBuvWuf7Q8RLhOWve', 'uQ7NenzmOOxcAaLMhk', 'OFfsskh2oO', 'BfAsOteMOw'
Source: 5.2.obie8920193.exe.38e9930.9.raw.unpack, XknLE6sxi0AB9TbxvRc.cs	High entropy of concatenated method names: 'AvfTq0KEyq', 's2yTau8oC7', 'RVqTjUFaYj', 'JoMTrHMPda', 'ob9TENcOTb', 'Sw1TXwCJZ4', 'i8GTN75a3E', 'rAPTHHC7Ww', 'fiEToqdgIj', 'joyT7tuXVm'
Source: 5.2.obie8920193.exe.38e9930.9.raw.unpack, dvDQ8ooxdtG6SWtXGT.cs	High entropy of concatenated method names: 'ERH1rLd988', 'bAw1XTpBDV', 'TKy1HTUH7d', 'eTd1oLjbdV', 'MbZ1d3XUIw', 'sYC13oI7Up', 'EbH10oYBSs', 'boA1Vv6yAi', 'At71TxKAYD', 'm9C1ilIAyy'
Source: 5.2.obie8920193.exe.38e9930.9.raw.unpack, GgKL0Eg5Wkhg2YdC0x.cs	High entropy of concatenated method names: 'IMUTsrQsXJ', 'VeJTOl1CHT', 'TQwTJrpikx', 'GkjTcaLa5u', 'c4yTyTFN2J', 'U8pTkEyOuX', 'PAFTe40vsK', 'qkTVPe19PJ', 'rcVV5qJaJJ', 'lnEVSLrVM4'
Source: 5.2.obie8920193.exe.38e9930.9.raw.unpack, yT6mC6B4fPpfSn1yjG.cs	High entropy of concatenated method names: 'xUhAc6V83P', 'eEaA1XNMYI', 'vbPAeCfRB2', 'bf6egCAcCi', 'aaEez3V0VO', 'dNJAxUGX5V', 'I3nAshrl2E', 'f6kAfxi46V', 'W7dAOc3oni', 'rkiAJx0XHx'
Source: 5.2.obie8920193.exe.38e9930.9.raw.unpack, DPIJJa2JNOwrGoKDAd.cs	High entropy of concatenated method names: 'k3VeWEg6BE', 'jlAeyDgLZW', 'oERekrBOhj', 'TPqeATLDUt', 'e1IevGOKTQ', 'o1VkbBmDax', 'v5RklZ0XhA', 'Ib5kPvxGsJ', 'xGwk5B7rx1', 'FT7kSu5fbr'
Source: 5.2.obie8920193.exe.38e9930.9.raw.unpack, BR4r9SHUAmvVNPGE5t.cs	High entropy of concatenated method names: 'FgWyYS2u0Z', 'AUoyDCKohK', 'vqCyGtCJo4', 'dfey4gBG0p', 'N7aybp4Wuk', 'Iliylj9Q2S', 'L2TyPGrsds', 'e99y5cS2Pg', 'RDoySsTIjB', 'WiCygTnkPk'
Source: 5.2.obie8920193.exe.38e9930.9.raw.unpack, C7Kf5VfB7dASIKDlYf.cs	High entropy of concatenated method names: 'WBVjLQXbf', 'A6nrrJFfH', 'VecXbIrwB', 'LiCN7U1wD', 'EMeoq1cM7', 'Nko77COJB', 'q3X0Zl8iJKdf9jL3mN', 'xfGhmsBIc8kpAyH0kO', 'kHtpQYeZjoIwjqoCkF', 'p5HV4Vvjf'
Source: 5.2.obie8920193.exe.38e9930.9.raw.unpack, w54Wwi7tk9esttsuBg.cs	High entropy of concatenated method names: 'dddkE0mrXt', 'i5ukNS9Ijc', 'T3l1FXYGRg', 'Vma1pu6KWc', 'tEx1KV0sPo', 'zRM16k4Mwx', 'OmO1BYfUCQ', 'NEY1wE7i8E', 'awT1tqXV4E', 'qyv1IfBOkj'
Source: 5.2.obie8920193.exe.38e9930.9.raw.unpack, va4sUbS6hEyNbApReb.cs	High entropy of concatenated method names: 'GK6V2twI8t', 'KomVumiTnw', 'DuAVFIexMn', 'BiXVpFkQn2', 'BfMVYVSBtn', 'BrLVKFywPE', 'Next', 'Next', 'Next', 'NextBytes'
Source: 5.2.obie8920193.exe.38e9930.9.raw.unpack, D2UDibly6dG7h6hnQq.cs	High entropy of concatenated method names: 'qEM05aRK20', 'Jm50gVOZQq', 'dpiVxjpehW', 'EO9Vsf6VXr', 'qMg0nfFZL0', 'kg10MuDH94', 'pqX0Q7KhQy', 'yga0YAW9bd', 'heB0DashSd', 'QQ30Gj3wYg'
Source: 5.2.obie8920193.exe.38e9930.9.raw.unpack, Qh9yHxsORTqQFMRRqnU.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'fSCiYQdVqD', 'UCniDDVHuV', 'Bl9iGAQae4', 'XvLi4Ll8CB', 'jbQibeWikE', 'agFilOQRxC', 'rW0iP7byWG'
Source: 5.2.obie8920193.exe.38e9930.9.raw.unpack, KGQivG4jZoZqi3K2bp.cs	High entropy of concatenated method names: 'zuv08FCj4y', 'iP30LA7YEU', 'ToString', 'p8H0cQJaMf', 'vYL0yc0pPe', 'JEW01mIA5Y', 'xkm0kn33Gr', 'aRs0e4HrQH', 'FJZ0ALR5Py', 'x8Y0vqeFMS'
Source: 5.2.obie8920193.exe.38e9930.9.raw.unpack, W69GQbvchlGWfxEUg3.cs	High entropy of concatenated method names: 'knpOW5nIkU', 'rnCOcoFLu2', 'cTTOyyqFQy', 'qx0O17hsB9', 'Eo6OkBIRGy', 'p1uOelR80E', 'oSAOABkX4v', 'd1COv3GXRm', 'N9cOUPVVkK', 'OjGO8VCNo1'
Source: 5.2.obie8920193.exe.38e9930.9.raw.unpack, c8JUhb5EhV7YevbYMr.cs	High entropy of concatenated method names: 'i5qVciT2dm', 'Hd1VyKoPxa', 'cQiV10G2cQ', 'lYCVkiAPpq', 'pFaVeO1J9R', 'VmmVAKd6jx', 'hgiVvYdhpx', 'UrQVUhBGda', 'mh7V8FlQJC', 'h1qVLkD56K'
Source: 5.2.obie8920193.exe.38e9930.9.raw.unpack, xUxCqCtuE8HCR9gjRX.cs	High entropy of concatenated method names: 'jnCAquX9FD', 'yXqAaV2sHl', 'amTAjCiVrt', 'o8xAryFFEy', 'KvSAEZi7gl', 'bdLAXlHIK5', 'wxkANeL5SP', 'ye8AH5d9Rt', 'DWCAoxP72I', 'X6IA7DsCAp'
Source: 5.2.obie8920193.exe.38e9930.9.raw.unpack, sM5uBfyrWcuZmGJ521.cs	High entropy of concatenated method names: 'Dispose', 'J1lsSfCwkJ', 'Lwffud1nQM', 'piCUUZtDJ4', 'Mf8sgJUhbE', 'xV7szYevbY', 'ProcessDialogKey', 'Prmfxa4sUb', 'KhEfsyNbAp', 'oebff2gKL0'
Source: 5.2.obie8920193.exe.38e9930.9.raw.unpack, kQMY18YRSxSjPa7Enu.cs	High entropy of concatenated method names: 'qfsdIkUpHl', 'NJNdMENith', 'MW9dYsIKP3', 'k3gdDvQLC7', 'uutdu4L8XF', 'kcddFDdQy7', 'g2OdpWitoC', 'JNNdKxghd0', 'lvCd6ru4f4', 'ArHdBrRQmR'
Source: 5.2.obie8920193.exe.4ea0000.12.raw.unpack, zSxtCKQlluoBoaYfXp.cs	High entropy of concatenated method names: 'OgnRHMcNY5', 'vmCRol41YF', 'Q0uR2RhZuy', 'zMfRufRBTY', 'fpcRpi2xKw', 'v75RKhYLrv', 'xsjRB7Mp23', 'tHcRw0kPul', 'KRLRIlCq1d', 'dSiRnK2hl9'
Source: 5.2.obie8920193.exe.4ea0000.12.raw.unpack, Oas0CkJLP86ncCAk06.cs	High entropy of concatenated method names: 'GHXsAR4r9S', 'lAmsvvVNPG', 'Exds8tG6SW', 'MXGsLTh54W', 'NsusdBgHPI', 'dJas3JNOwr', 'aNBuvWuf7Q8RLhOWve', 'uQ7NenzmOOxcAaLMhk', 'OFfsskh2oO', 'BfAsOteMOw'
Source: 5.2.obie8920193.exe.4ea0000.12.raw.unpack, XknLE6sxi0AB9TbxvRc.cs	High entropy of concatenated method names: 'AvfTq0KEyq', 's2yTau8oC7', 'RVqTjUFaYj', 'JoMTrHMPda', 'ob9TENcOTb', 'Sw1TXwCJZ4', 'i8GTN75a3E', 'rAPTHHC7Ww', 'fiEToqdgIj', 'joyT7tuXVm'
Source: 5.2.obie8920193.exe.4ea0000.12.raw.unpack, dvDQ8ooxdtG6SWtXGT.cs	High entropy of concatenated method names: 'ERH1rLd988', 'bAw1XTpBDV', 'TKy1HTUH7d', 'eTd1oLjbdV', 'MbZ1d3XUIw', 'sYC13oI7Up', 'EbH10oYBSs', 'boA1Vv6yAi', 'At71TxKAYD', 'm9C1ilIAyy'
Source: 5.2.obie8920193.exe.4ea0000.12.raw.unpack, GgKL0Eg5Wkhg2YdC0x.cs	High entropy of concatenated method names: 'IMUTsrQsXJ', 'VeJTOl1CHT', 'TQwTJrpikx', 'GkjTcaLa5u', 'c4yTyTFN2J', 'U8pTkEyOuX', 'PAFTe40vsK', 'qkTVPe19PJ', 'rcVV5qJaJJ', 'lnEVSLrVM4'
Source: 5.2.obie8920193.exe.4ea0000.12.raw.unpack, yT6mC6B4fPpfSn1yjG.cs	High entropy of concatenated method names: 'xUhAc6V83P', 'eEaA1XNMYI', 'vbPAeCfRB2', 'bf6egCAcCi', 'aaEez3V0VO', 'dNJAxUGX5V', 'I3nAshrl2E', 'f6kAfxi46V', 'W7dAOc3oni', 'rkiAJx0XHx'
Source: 5.2.obie8920193.exe.4ea0000.12.raw.unpack, DPIJJa2JNOwrGoKDAd.cs	High entropy of concatenated method names: 'k3VeWEg6BE', 'jlAeyDgLZW', 'oERekrBOhj', 'TPqeATLDUt', 'e1IevGOKTQ', 'o1VkbBmDax', 'v5RklZ0XhA', 'Ib5kPvxGsJ', 'xGwk5B7rx1', 'FT7kSu5fbr'
Source: 5.2.obie8920193.exe.4ea0000.12.raw.unpack, BR4r9SHUAmvVNPGE5t.cs	High entropy of concatenated method names: 'FgWyYS2u0Z', 'AUoyDCKohK', 'vqCyGtCJo4', 'dfey4gBG0p', 'N7aybp4Wuk', 'Iliylj9Q2S', 'L2TyPGrsds', 'e99y5cS2Pg', 'RDoySsTIjB', 'WiCygTnkPk'
Source: 5.2.obie8920193.exe.4ea0000.12.raw.unpack, C7Kf5VfB7dASIKDlYf.cs	High entropy of concatenated method names: 'WBVjLQXbf', 'A6nrrJFfH', 'VecXbIrwB', 'LiCN7U1wD', 'EMeoq1cM7', 'Nko77COJB', 'q3X0Zl8iJKdf9jL3mN', 'xfGhmsBIc8kpAyH0kO', 'kHtpQYeZjoIwjqoCkF', 'p5HV4Vvjf'
Source: 5.2.obie8920193.exe.4ea0000.12.raw.unpack, w54Wwi7tk9esttsuBg.cs	High entropy of concatenated method names: 'dddkE0mrXt', 'i5ukNS9Ijc', 'T3l1FXYGRg', 'Vma1pu6KWc', 'tEx1KV0sPo', 'zRM16k4Mwx', 'OmO1BYfUCQ', 'NEY1wE7i8E', 'awT1tqXV4E', 'qyv1IfBOkj'
Source: 5.2.obie8920193.exe.4ea0000.12.raw.unpack, va4sUbS6hEyNbApReb.cs	High entropy of concatenated method names: 'GK6V2twI8t', 'KomVumiTnw', 'DuAVFIexMn', 'BiXVpFkQn2', 'BfMVYVSBtn', 'BrLVKFywPE', 'Next', 'Next', 'Next', 'NextBytes'
Source: 5.2.obie8920193.exe.4ea0000.12.raw.unpack, D2UDibly6dG7h6hnQq.cs	High entropy of concatenated method names: 'qEM05aRK20', 'Jm50gVOZQq', 'dpiVxjpehW', 'EO9Vsf6VXr', 'qMg0nfFZL0', 'kg10MuDH94', 'pqX0Q7KhQy', 'yga0YAW9bd', 'heB0DashSd', 'QQ30Gj3wYg'
Source: 5.2.obie8920193.exe.4ea0000.12.raw.unpack, Qh9yHxsORTqQFMRRqnU.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'fSCiYQdVqD', 'UCniDDVHuV', 'Bl9iGAQae4', 'XvLi4Ll8CB', 'jbQibeWikE', 'agFilOQRxC', 'rW0iP7byWG'
Source: 5.2.obie8920193.exe.4ea0000.12.raw.unpack, KGQivG4jZoZqi3K2bp.cs	High entropy of concatenated method names: 'zuv08FCj4y', 'iP30LA7YEU', 'ToString', 'p8H0cQJaMf', 'vYL0yc0pPe', 'JEW01mIA5Y', 'xkm0kn33Gr', 'aRs0e4HrQH', 'FJZ0ALR5Py', 'x8Y0vqeFMS'
Source: 5.2.obie8920193.exe.4ea0000.12.raw.unpack, W69GQbvchlGWfxEUg3.cs	High entropy of concatenated method names: 'knpOW5nIkU', 'rnCOcoFLu2', 'cTTOyyqFQy', 'qx0O17hsB9', 'Eo6OkBIRGy', 'p1uOelR80E', 'oSAOABkX4v', 'd1COv3GXRm', 'N9cOUPVVkK', 'OjGO8VCNo1'
Source: 5.2.obie8920193.exe.4ea0000.12.raw.unpack, c8JUhb5EhV7YevbYMr.cs	High entropy of concatenated method names: 'i5qVciT2dm', 'Hd1VyKoPxa', 'cQiV10G2cQ', 'lYCVkiAPpq', 'pFaVeO1J9R', 'VmmVAKd6jx', 'hgiVvYdhpx', 'UrQVUhBGda', 'mh7V8FlQJC', 'h1qVLkD56K'
Source: 5.2.obie8920193.exe.4ea0000.12.raw.unpack, xUxCqCtuE8HCR9gjRX.cs	High entropy of concatenated method names: 'jnCAquX9FD', 'yXqAaV2sHl', 'amTAjCiVrt', 'o8xAryFFEy', 'KvSAEZi7gl', 'bdLAXlHIK5', 'wxkANeL5SP', 'ye8AH5d9Rt', 'DWCAoxP72I', 'X6IA7DsCAp'
Source: 5.2.obie8920193.exe.4ea0000.12.raw.unpack, sM5uBfyrWcuZmGJ521.cs	High entropy of concatenated method names: 'Dispose', 'J1lsSfCwkJ', 'Lwffud1nQM', 'piCUUZtDJ4', 'Mf8sgJUhbE', 'xV7szYevbY', 'ProcessDialogKey', 'Prmfxa4sUb', 'KhEfsyNbAp', 'oebff2gKL0'
Source: 5.2.obie8920193.exe.4ea0000.12.raw.unpack, kQMY18YRSxSjPa7Enu.cs	High entropy of concatenated method names: 'qfsdIkUpHl', 'NJNdMENith', 'MW9dYsIKP3', 'k3gdDvQLC7', 'uutdu4L8XF', 'kcddFDdQy7', 'g2OdpWitoC', 'JNNdKxghd0', 'lvCd6ru4f4', 'ArHdBrRQmR'
Source: 5.2.obie8920193.exe.3887310.11.raw.unpack, zSxtCKQlluoBoaYfXp.cs	High entropy of concatenated method names: 'OgnRHMcNY5', 'vmCRol41YF', 'Q0uR2RhZuy', 'zMfRufRBTY', 'fpcRpi2xKw', 'v75RKhYLrv', 'xsjRB7Mp23', 'tHcRw0kPul', 'KRLRIlCq1d', 'dSiRnK2hl9'
Source: 5.2.obie8920193.exe.3887310.11.raw.unpack, Oas0CkJLP86ncCAk06.cs	High entropy of concatenated method names: 'GHXsAR4r9S', 'lAmsvvVNPG', 'Exds8tG6SW', 'MXGsLTh54W', 'NsusdBgHPI', 'dJas3JNOwr', 'aNBuvWuf7Q8RLhOWve', 'uQ7NenzmOOxcAaLMhk', 'OFfsskh2oO', 'BfAsOteMOw'
Source: 5.2.obie8920193.exe.3887310.11.raw.unpack, XknLE6sxi0AB9TbxvRc.cs	High entropy of concatenated method names: 'AvfTq0KEyq', 's2yTau8oC7', 'RVqTjUFaYj', 'JoMTrHMPda', 'ob9TENcOTb', 'Sw1TXwCJZ4', 'i8GTN75a3E', 'rAPTHHC7Ww', 'fiEToqdgIj', 'joyT7tuXVm'
Source: 5.2.obie8920193.exe.3887310.11.raw.unpack, dvDQ8ooxdtG6SWtXGT.cs	High entropy of concatenated method names: 'ERH1rLd988', 'bAw1XTpBDV', 'TKy1HTUH7d', 'eTd1oLjbdV', 'MbZ1d3XUIw', 'sYC13oI7Up', 'EbH10oYBSs', 'boA1Vv6yAi', 'At71TxKAYD', 'm9C1ilIAyy'
Source: 5.2.obie8920193.exe.3887310.11.raw.unpack, GgKL0Eg5Wkhg2YdC0x.cs	High entropy of concatenated method names: 'IMUTsrQsXJ', 'VeJTOl1CHT', 'TQwTJrpikx', 'GkjTcaLa5u', 'c4yTyTFN2J', 'U8pTkEyOuX', 'PAFTe40vsK', 'qkTVPe19PJ', 'rcVV5qJaJJ', 'lnEVSLrVM4'
Source: 5.2.obie8920193.exe.3887310.11.raw.unpack, yT6mC6B4fPpfSn1yjG.cs	High entropy of concatenated method names: 'xUhAc6V83P', 'eEaA1XNMYI', 'vbPAeCfRB2', 'bf6egCAcCi', 'aaEez3V0VO', 'dNJAxUGX5V', 'I3nAshrl2E', 'f6kAfxi46V', 'W7dAOc3oni', 'rkiAJx0XHx'
Source: 5.2.obie8920193.exe.3887310.11.raw.unpack, DPIJJa2JNOwrGoKDAd.cs	High entropy of concatenated method names: 'k3VeWEg6BE', 'jlAeyDgLZW', 'oERekrBOhj', 'TPqeATLDUt', 'e1IevGOKTQ', 'o1VkbBmDax', 'v5RklZ0XhA', 'Ib5kPvxGsJ', 'xGwk5B7rx1', 'FT7kSu5fbr'
Source: 5.2.obie8920193.exe.3887310.11.raw.unpack, BR4r9SHUAmvVNPGE5t.cs	High entropy of concatenated method names: 'FgWyYS2u0Z', 'AUoyDCKohK', 'vqCyGtCJo4', 'dfey4gBG0p', 'N7aybp4Wuk', 'Iliylj9Q2S', 'L2TyPGrsds', 'e99y5cS2Pg', 'RDoySsTIjB', 'WiCygTnkPk'
Source: 5.2.obie8920193.exe.3887310.11.raw.unpack, C7Kf5VfB7dASIKDlYf.cs	High entropy of concatenated method names: 'WBVjLQXbf', 'A6nrrJFfH', 'VecXbIrwB', 'LiCN7U1wD', 'EMeoq1cM7', 'Nko77COJB', 'q3X0Zl8iJKdf9jL3mN', 'xfGhmsBIc8kpAyH0kO', 'kHtpQYeZjoIwjqoCkF', 'p5HV4Vvjf'
Source: 5.2.obie8920193.exe.3887310.11.raw.unpack, w54Wwi7tk9esttsuBg.cs	High entropy of concatenated method names: 'dddkE0mrXt', 'i5ukNS9Ijc', 'T3l1FXYGRg', 'Vma1pu6KWc', 'tEx1KV0sPo', 'zRM16k4Mwx', 'OmO1BYfUCQ', 'NEY1wE7i8E', 'awT1tqXV4E', 'qyv1IfBOkj'
Source: 5.2.obie8920193.exe.3887310.11.raw.unpack, va4sUbS6hEyNbApReb.cs	High entropy of concatenated method names: 'GK6V2twI8t', 'KomVumiTnw', 'DuAVFIexMn', 'BiXVpFkQn2', 'BfMVYVSBtn', 'BrLVKFywPE', 'Next', 'Next', 'Next', 'NextBytes'
Source: 5.2.obie8920193.exe.3887310.11.raw.unpack, D2UDibly6dG7h6hnQq.cs	High entropy of concatenated method names: 'qEM05aRK20', 'Jm50gVOZQq', 'dpiVxjpehW', 'EO9Vsf6VXr', 'qMg0nfFZL0', 'kg10MuDH94', 'pqX0Q7KhQy', 'yga0YAW9bd', 'heB0DashSd', 'QQ30Gj3wYg'
Source: 5.2.obie8920193.exe.3887310.11.raw.unpack, Qh9yHxsORTqQFMRRqnU.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'fSCiYQdVqD', 'UCniDDVHuV', 'Bl9iGAQae4', 'XvLi4Ll8CB', 'jbQibeWikE', 'agFilOQRxC', 'rW0iP7byWG'
Source: 5.2.obie8920193.exe.3887310.11.raw.unpack, KGQivG4jZoZqi3K2bp.cs	High entropy of concatenated method names: 'zuv08FCj4y', 'iP30LA7YEU', 'ToString', 'p8H0cQJaMf', 'vYL0yc0pPe', 'JEW01mIA5Y', 'xkm0kn33Gr', 'aRs0e4HrQH', 'FJZ0ALR5Py', 'x8Y0vqeFMS'
Source: 5.2.obie8920193.exe.3887310.11.raw.unpack, W69GQbvchlGWfxEUg3.cs	High entropy of concatenated method names: 'knpOW5nIkU', 'rnCOcoFLu2', 'cTTOyyqFQy', 'qx0O17hsB9', 'Eo6OkBIRGy', 'p1uOelR80E', 'oSAOABkX4v', 'd1COv3GXRm', 'N9cOUPVVkK', 'OjGO8VCNo1'
Source: 5.2.obie8920193.exe.3887310.11.raw.unpack, c8JUhb5EhV7YevbYMr.cs	High entropy of concatenated method names: 'i5qVciT2dm', 'Hd1VyKoPxa', 'cQiV10G2cQ', 'lYCVkiAPpq', 'pFaVeO1J9R', 'VmmVAKd6jx', 'hgiVvYdhpx', 'UrQVUhBGda', 'mh7V8FlQJC', 'h1qVLkD56K'
Source: 5.2.obie8920193.exe.3887310.11.raw.unpack, xUxCqCtuE8HCR9gjRX.cs	High entropy of concatenated method names: 'jnCAquX9FD', 'yXqAaV2sHl', 'amTAjCiVrt', 'o8xAryFFEy', 'KvSAEZi7gl', 'bdLAXlHIK5', 'wxkANeL5SP', 'ye8AH5d9Rt', 'DWCAoxP72I', 'X6IA7DsCAp'
Source: 5.2.obie8920193.exe.3887310.11.raw.unpack, sM5uBfyrWcuZmGJ521.cs	High entropy of concatenated method names: 'Dispose', 'J1lsSfCwkJ', 'Lwffud1nQM', 'piCUUZtDJ4', 'Mf8sgJUhbE', 'xV7szYevbY', 'ProcessDialogKey', 'Prmfxa4sUb', 'KhEfsyNbAp', 'oebff2gKL0'
Source: 5.2.obie8920193.exe.3887310.11.raw.unpack, kQMY18YRSxSjPa7Enu.cs	High entropy of concatenated method names: 'qfsdIkUpHl', 'NJNdMENith', 'MW9dYsIKP3', 'k3gdDvQLC7', 'uutdu4L8XF', 'kcddFDdQy7', 'g2OdpWitoC', 'JNNdKxghd0', 'lvCd6ru4f4', 'ArHdBrRQmR'

Persistence and Installation Behavior

Installs new ROOT certificates

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob	Jump to behavior

Drops PE files

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\obie8920193.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\FcdBUj68lnCbMtB[1].exe			Jump to dropped file

Stores large binary data to the registry

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Memory allocated: 1C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Memory allocated: 2570000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Memory allocated: 1C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Memory allocated: 8010000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Memory allocated: 54B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Memory allocated: 9010000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Memory allocated: 58B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Memory allocated: 3C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Memory allocated: 2230000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Memory allocated: 5E0000 memory reserve \| memory write watch	Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Thread delayed: delay time: 600000	Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2933	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1409	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Window / User API: threadDelayed 9721	Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1764	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe TID: 3172	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3380	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3392	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3348	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe TID: 3384	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe TID: 3416	Thread sleep time: -11068046444225724s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe TID: 3416	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe TID: 3420	Thread sleep count: 92 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe TID: 3420	Thread sleep count: 9721 > 30	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3500	Thread sleep time: -120000s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Thread delayed: delay time: 600000	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Users\user\AppData\Roaming\obie8920193.exe

Code function: 7_2_003CFCB8 LdrInitializeThunk,

7_2_003CFCB8

Enables debug privileges

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\AppData\Roaming\obie8920193.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\obie8920193.exe"
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\obie8920193.exe"			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Roaming\obie8920193.exe

Memory written: C:\Users\user\AppData\Roaming\obie8920193.exe base: 400000 value starts with: 4D5A

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\obie8920193.exe "C:\Users\user\AppData\Roaming\obie8920193.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\obie8920193.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process created: C:\Users\user\AppData\Roaming\obie8920193.exe "C:\Users\user\AppData\Roaming\obie8920193.exe"	Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Queries volume information: C:\Users\user\AppData\Roaming\obie8920193.exe VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Queries volume information: C:\Users\user\AppData\Roaming\obie8920193.exe VolumeInformation	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 5.2.obie8920193.exe.3599d70.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.obie8920193.exe.3579550.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.obie8920193.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.obie8920193.exe.3599d70.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.obie8920193.exe.3579550.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.864143938.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.366574375.0000000003579000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.864677424.00000000023DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.864677424.0000000002231000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: obie8920193.exe PID: 3152, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: obie8920193.exe PID: 3244, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\obie8920193.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Roaming\obie8920193.exe

File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\

Jump to behavior

Yara detected Credential Stealer

Source: Yara match	File source: 5.2.obie8920193.exe.3599d70.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.obie8920193.exe.3579550.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.obie8920193.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.obie8920193.exe.3599d70.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.obie8920193.exe.3579550.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.864143938.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.366574375.0000000003579000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: obie8920193.exe PID: 3152, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: obie8920193.exe PID: 3244, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 5.2.obie8920193.exe.3599d70.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.obie8920193.exe.3579550.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.obie8920193.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.obie8920193.exe.3599d70.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.obie8920193.exe.3579550.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.864143938.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.366574375.0000000003579000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.864677424.00000000023DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.864677424.0000000002231000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: obie8920193.exe PID: 3152, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: obie8920193.exe PID: 3244, type: MEMORYSTR

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
193.122.6.168	unknown	United States	31898	ORACLE-BMC-31898US	false
188.114.96.3	reallyfreegeoip.org	European Union	13335	CLOUDFLARENETUS	true
193.122.130.0	unknown	United States	31898	ORACLE-BMC-31898US	false
158.101.44.242	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false
104.21.53.203	ampol.top	United States	13335	CLOUDFLARENETUS	true

Contacted Domains

Name	IP	Active
ampol.top	104.21.53.203	true
reallyfreegeoip.org	188.114.96.3	true
checkip.dyndns.com	158.101.44.242	true
checkip.dyndns.org	unknown	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false	Avira URL Cloud: safe	unknown
https://ampol.top/FcdBUj68lnCbMtB.exe	true	Avira URL Cloud: malware	unknown
https://reallyfreegeoip.org/xml/8.46.123.33	false	Avira URL Cloud: safe	unknown

AV Detection

Antivirus detection for URL or domain

Source: https://ampol.top/FcdBUj68lnCbMtB.exe	Avira URL Cloud: Label: malware
Source: https://ampol.top/FcdBUj68lnCbMtB.exej	Avira URL Cloud: Label: malware
Source: https://ampol.top/	Avira URL Cloud: Label: malware
Source: https://ampol.top/FcdBUj68lnCbMtB.exettC:	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000005.00000002.366574375.0000000003579000.00000004.00000800.00020000.00000000.sdmp

Multi AV Scanner detection for submitted file

Source: Bank Slip 2.doc

ReversingLabs: Detection: 39%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\FcdBUj68lnCbMtB[1].exe	Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Exploits

Office equation editor establishes network connection

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Network connect: IP: 104.21.53.203 Port: 443

Jump to behavior

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\obie8920193.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\obie8920193.exe			Jump to behavior

Office Equation Editor has been started

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49165 version: TLS 1.0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 104.21.53.203:443 -> 192.168.2.22:49163 version: TLS 1.2

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 001C289Bh	5_2_001C230D
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	7_2_003C5038
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 003C7B81h	7_2_003C78C1
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 003C5D07h	7_2_003C5B18
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 003C6691h	7_2_003C5B18
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 003C8143h	7_2_003C7D30
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 003C6A01h	7_2_003C6740
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 003C72C1h	7_2_003C7000
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 003C8143h	7_2_003C8072
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 003C6E61h	7_2_003C6BA0
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 003C7721h	7_2_003C7460
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 005746F1h	7_2_00574448
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 0057ACF1h	7_2_0057AA48
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 00579711h	7_2_00579468
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 00575CA9h	7_2_00575A00
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 00572CE1h	7_2_00572A38
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 005712D1h	7_2_00571028
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 0057C2D1h	7_2_0057C028
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 00571B81h	7_2_005718D8
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 0057CC15h	7_2_0057C8D8
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 00574FA1h	7_2_00574CF8
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 00573591h	7_2_005732E8
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 00579B91h	7_2_005798E8
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 00573139h	7_2_00572E90
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	7_2_00577698
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 00571729h	7_2_00571480
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 0057C729h	7_2_0057C480
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 00574B49h	7_2_005748A0
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 0057B149h	7_2_0057AEA0
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 005753F9h	7_2_00575150
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 005739E9h	7_2_00573740
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 00579FE9h	7_2_00579D40
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 00570A21h	7_2_00570778
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 0057BA21h	7_2_0057B778
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 00571FD9h	7_2_00571D30
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 005705C9h	7_2_00570320
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 0057B5CAh	7_2_0057B320
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 00570E79h	7_2_00570BD0
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 0057BE79h	7_2_0057BBD0
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 00574299h	7_2_00573FF0
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 0057A899h	7_2_0057A5F0
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 00572889h	7_2_005725E0
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 00573E41h	7_2_00573B98
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 0057A441h	7_2_0057A198
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 00572431h	7_2_00572188
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	7_2_005779AE
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 4x nop then jmp 00575851h	7_2_005755A8

Potential document exploit detected (performs DNS queries)

Source: global traffic	DNS query: name: ampol.top
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: reallyfreegeoip.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: reallyfreegeoip.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: reallyfreegeoip.org
Source: global traffic	DNS query: name: reallyfreegeoip.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: reallyfreegeoip.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: reallyfreegeoip.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: reallyfreegeoip.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: reallyfreegeoip.org

Potential document exploit detected (performs HTTP gets)

Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 158.101.44.242:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 158.101.44.242:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 158.101.44.242:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 193.122.6.168:80
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 193.122.130.0:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 158.101.44.242:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 158.101.44.242:80
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 193.122.130.0:80
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 193.122.130.0:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 188.114.96.3:443

Potential document exploit detected (unknown TCP traffic)

Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
Source: global traffic	TCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 158.101.44.242:80
Source: global traffic	TCP traffic: 158.101.44.242:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 158.101.44.242:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 158.101.44.242:80
Source: global traffic	TCP traffic: 158.101.44.242:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 158.101.44.242:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 158.101.44.242:80
Source: global traffic	TCP traffic: 158.101.44.242:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 158.101.44.242:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 158.101.44.242:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 158.101.44.242:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 158.101.44.242:80
Source: global traffic	TCP traffic: 158.101.44.242:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 158.101.44.242:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 158.101.44.242:80
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 158.101.44.242:80
Source: global traffic	TCP traffic: 158.101.44.242:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 158.101.44.242:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 193.122.6.168:80
Source: global traffic	TCP traffic: 193.122.6.168:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 193.122.6.168:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 193.122.6.168:80
Source: global traffic	TCP traffic: 193.122.6.168:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 193.122.6.168:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 193.122.6.168:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 193.122.6.168:80
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 193.122.6.168:80
Source: global traffic	TCP traffic: 193.122.6.168:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 193.122.6.168:80
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 193.122.130.0:80
Source: global traffic	TCP traffic: 193.122.130.0:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 193.122.130.0:80
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 193.122.130.0:80
Source: global traffic	TCP traffic: 193.122.130.0:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 193.122.130.0:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 193.122.130.0:80
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 158.101.44.242:80
Source: global traffic	TCP traffic: 158.101.44.242:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 158.101.44.242:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 158.101.44.242:80
Source: global traffic	TCP traffic: 158.101.44.242:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 158.101.44.242:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 158.101.44.242:80
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 158.101.44.242:80
Source: global traffic	TCP traffic: 158.101.44.242:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 158.101.44.242:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 158.101.44.242:80
Source: global traffic	TCP traffic: 158.101.44.242:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 158.101.44.242:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 158.101.44.242:80
Source: global traffic	TCP traffic: 158.101.44.242:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 158.101.44.242:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 158.101.44.242:80
Source: global traffic	TCP traffic: 158.101.44.242:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 158.101.44.242:80
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 158.101.44.242:80
Source: global traffic	TCP traffic: 158.101.44.242:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 158.101.44.242:80
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 193.122.130.0:80
Source: global traffic	TCP traffic: 193.122.130.0:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 193.122.130.0:80
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 193.122.130.0:80
Source: global traffic	TCP traffic: 193.122.130.0:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 193.122.130.0:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 188.114.96.3:443

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 7.2.obie8920193.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.obie8920193.exe.3599d70.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.obie8920193.exe.3579550.10.raw.unpack, type: UNPACKEDPE

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 193.122.6.168 193.122.6.168
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View	JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

May check the online IP address of the machine

Source: C:\Users\user\AppData\Roaming\obie8920193.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	DNS query: name: reallyfreegeoip.org

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /FcdBUj68lnCbMtB.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: ampol.topConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49165 version: TLS 1.0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{57BE0F5E-0BF5-4CE6-96F3-B3AC962F851D}.tmp

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /FcdBUj68lnCbMtB.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: ampol.topConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: global traffic	DNS traffic detected: DNS query: ampol.top
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: obie8920193.exe, 00000007.00000002.864677424.0000000002367000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002392000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.00000000023CE000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.00000000022D4000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002385000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002374000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.00000000023C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: obie8920193.exe, 00000007.00000002.864677424.00000000022C5000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002367000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002392000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.00000000023CE000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.00000000022D4000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002385000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002374000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.00000000023C0000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.00000000023A0000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002317000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: obie8920193.exe, 00000007.00000002.865491806.0000000005884000.00000004.00000020.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002231000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: obie8920193.exe, 00000005.00000002.366574375.0000000003579000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864143938.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: EQNEDT32.EXE, 00000002.00000002.354581271.000000000063A000.00000004.00000020.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.865491806.0000000005870000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: EQNEDT32.EXE, 00000002.00000002.354581271.00000000005FF000.00000004.00000020.00020000.00000000.sdmp, obie8920193.exe.2.dr, FcdBUj68lnCbMtB[1].exe.2.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: EQNEDT32.EXE, 00000002.00000002.354581271.00000000005FF000.00000004.00000020.00020000.00000000.sdmp, obie8920193.exe.2.dr, FcdBUj68lnCbMtB[1].exe.2.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: EQNEDT32.EXE, 00000002.00000002.354581271.000000000063A000.00000004.00000020.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864185355.0000000000514000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: EQNEDT32.EXE, 00000002.00000002.354581271.000000000063A000.00000004.00000020.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864185355.0000000000514000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: EQNEDT32.EXE, 00000002.00000002.354581271.000000000063A000.00000004.00000020.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864185355.0000000000514000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: EQNEDT32.EXE, 00000002.00000002.354581271.000000000063A000.00000004.00000020.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.865491806.0000000005870000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: EQNEDT32.EXE, 00000002.00000002.354581271.000000000063A000.00000004.00000020.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864185355.0000000000514000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: EQNEDT32.EXE, 00000002.00000002.354581271.000000000063A000.00000004.00000020.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864185355.0000000000514000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: EQNEDT32.EXE, 00000002.00000002.354581271.000000000063A000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.354581271.00000000005FF000.00000004.00000020.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864185355.0000000000514000.00000004.00000020.00020000.00000000.sdmp, obie8920193.exe.2.dr, FcdBUj68lnCbMtB[1].exe.2.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: EQNEDT32.EXE, 00000002.00000002.354581271.000000000063A000.00000004.00000020.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864185355.0000000000514000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: EQNEDT32.EXE, 00000002.00000002.354581271.000000000063A000.00000004.00000020.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864185355.0000000000514000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: EQNEDT32.EXE, 00000002.00000002.354581271.000000000063A000.00000004.00000020.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864185355.0000000000514000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: EQNEDT32.EXE, 00000002.00000002.354581271.000000000063A000.00000004.00000020.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864185355.0000000000514000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: EQNEDT32.EXE, 00000002.00000002.354581271.000000000063A000.00000004.00000020.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864185355.0000000000514000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: EQNEDT32.EXE, 00000002.00000002.354581271.000000000063A000.00000004.00000020.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864185355.0000000000514000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: obie8920193.exe, 00000007.00000002.864677424.0000000002367000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002392000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.00000000023CE000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002385000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002374000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.00000000022EC000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.00000000023C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: obie8920193.exe, 00000005.00000002.366421408.0000000002571000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002231000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: EQNEDT32.EXE, 00000002.00000002.354581271.000000000063A000.00000004.00000020.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864185355.0000000000514000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: EQNEDT32.EXE, 00000002.00000002.354581271.000000000063A000.00000004.00000020.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864185355.0000000000514000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: obie8920193.exe.2.dr, FcdBUj68lnCbMtB[1].exe.2.dr	String found in binary or memory: http://www.opcom.ro/rapoarte/export_csv_raportPIPsiVolumTranzactionat_PI.php?zi=
Source: obie8920193.exe.2.dr, FcdBUj68lnCbMtB[1].exe.2.dr	String found in binary or memory: http://www.opcom.ro/rapoarte/export_xml_PIPsiVolTranPI.php?zi=
Source: EQNEDT32.EXE, 00000002.00000002.354581271.00000000005FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ampol.top/
Source: EQNEDT32.EXE, 00000002.00000002.354581271.00000000005BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ampol.top/FcdBUj68lnCbMtB.exe
Source: EQNEDT32.EXE, 00000002.00000002.354581271.00000000005BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ampol.top/FcdBUj68lnCbMtB.exej
Source: EQNEDT32.EXE, 00000002.00000002.354581271.00000000005BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ampol.top/FcdBUj68lnCbMtB.exettC:
Source: obie8920193.exe, 00000007.00000002.864677424.0000000002367000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002392000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.00000000023CE000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.00000000022D4000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002385000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002374000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.00000000023C0000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002317000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: obie8920193.exe, 00000005.00000002.366574375.0000000003579000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864143938.0000000000402000.00000040.00000400.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.00000000022D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: obie8920193.exe, 00000007.00000002.864677424.0000000002317000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: obie8920193.exe, 00000007.00000002.864677424.0000000002367000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002392000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.00000000023CE000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002385000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002374000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.00000000023C0000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002317000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.334
Source: EQNEDT32.EXE, 00000002.00000002.354581271.000000000063A000.00000004.00000020.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864185355.0000000000514000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: EQNEDT32.EXE, 00000002.00000002.354913231.0000000004379000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.354581271.00000000005FF000.00000004.00000020.00020000.00000000.sdmp, obie8920193.exe.2.dr, FcdBUj68lnCbMtB[1].exe.2.dr	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

Source: unknown	Network traffic detected: HTTP traffic on port 49163 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49178
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown	Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49176
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49163
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49174
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49172
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown	Network traffic detected: HTTP traffic on port 49172 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49176 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49166 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49174 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49178 -> 443

Source: unknown

HTTPS traffic detected: 104.21.53.203:443 -> 192.168.2.22:49163 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: Bank Slip 2.doc, type: SAMPLE	Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
Source: 5.2.obie8920193.exe.3599d70.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.obie8920193.exe.3599d70.8.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.obie8920193.exe.3599d70.8.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 5.2.obie8920193.exe.3599d70.8.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 5.2.obie8920193.exe.3579550.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.obie8920193.exe.3579550.10.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.obie8920193.exe.3579550.10.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 5.2.obie8920193.exe.3579550.10.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 7.2.obie8920193.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.obie8920193.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.obie8920193.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 7.2.obie8920193.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 5.2.obie8920193.exe.3599d70.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.obie8920193.exe.3599d70.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.obie8920193.exe.3599d70.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 5.2.obie8920193.exe.3599d70.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 5.2.obie8920193.exe.3579550.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.obie8920193.exe.3579550.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.obie8920193.exe.3579550.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 5.2.obie8920193.exe.3579550.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000007.00000002.864143938.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000007.00000002.864143938.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000005.00000002.366574375.0000000003579000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000005.00000002.366574375.0000000003579000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: obie8920193.exe PID: 3152, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: obie8920193.exe PID: 3152, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: obie8920193.exe PID: 3244, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: obie8920193.exe PID: 3244, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Office equation editor drops PE file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\obie8920193.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\FcdBUj68lnCbMtB[1].exe			Jump to dropped file

Abnormal high CPU Usage

Source: C:\Users\user\AppData\Roaming\obie8920193.exe

Process Stats: CPU usage > 49%

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 770B0000 page execute and read and write	Jump to behavior

Detected potential crypto function

Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 5_2_001C1C58	5_2_001C1C58
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 5_2_002605E0	5_2_002605E0
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 5_2_0026F0C8	5_2_0026F0C8
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 5_2_002612C9	5_2_002612C9
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 5_2_0026E370	5_2_0026E370
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 5_2_0026E7A8	5_2_0026E7A8
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 5_2_0026E798	5_2_0026E798
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 5_2_0026FA60	5_2_0026FA60
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 5_2_0026FA70	5_2_0026FA70
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 5_2_0026EC90	5_2_0026EC90
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_003C5038	7_2_003C5038
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_003C3055	7_2_003C3055
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_003C3891	7_2_003C3891
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_003C78C1	7_2_003C78C1
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_003C4130	7_2_003C4130
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_003C2910	7_2_003C2910
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_003CD1D8	7_2_003CD1D8
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_003C8A19	7_2_003C8A19
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_003C5B18	7_2_003C5B18
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_003C3B72	7_2_003C3B72
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_003C2BF1	7_2_003C2BF1
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_003C844A	7_2_003C844A
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_003C35B0	7_2_003C35B0
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_003C3E50	7_2_003C3E50
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_003CC750	7_2_003CC750
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_003C6740	7_2_003C6740
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_003C7000	7_2_003C7000
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_003C6BA0	7_2_003C6BA0
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_003C7460	7_2_003C7460
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_003CC740	7_2_003CC740
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_003CBFBA	7_2_003CBFBA
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_003CBFC8	7_2_003CBFC8
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00575E58	7_2_00575E58
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_0057F460	7_2_0057F460
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_0057EE10	7_2_0057EE10
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_0057D4E0	7_2_0057D4E0
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_0057E178	7_2_0057E178
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_0057DB30	7_2_0057DB30
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_0057E7C0	7_2_0057E7C0
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00579459	7_2_00579459
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00574448	7_2_00574448
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_0057AA48	7_2_0057AA48
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00571471	7_2_00571471
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00579468	7_2_00579468
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00577A10	7_2_00577A10
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00571018	7_2_00571018
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00575A00	7_2_00575A00
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_0057443E	7_2_0057443E
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00572A38	7_2_00572A38
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_0057AA38	7_2_0057AA38
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00571028	7_2_00571028
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_0057C028	7_2_0057C028
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00572A28	7_2_00572A28
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_005732D9	7_2_005732D9
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_005718D8	7_2_005718D8
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_0057C8D8	7_2_0057C8D8
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_005718C9	7_2_005718C9
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00576CC8	7_2_00576CC8
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00574CF8	7_2_00574CF8
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00574CEA	7_2_00574CEA
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_005732E8	7_2_005732E8
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_005798E8	7_2_005798E8
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00572E90	7_2_00572E90
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00574890	7_2_00574890
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_0057AE90	7_2_0057AE90
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00577698	7_2_00577698
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00572E81	7_2_00572E81
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00571480	7_2_00571480
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_0057C480	7_2_0057C480
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00576CBC	7_2_00576CBC
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_005748A0	7_2_005748A0
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_0057AEA0	7_2_0057AEA0
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00575150	7_2_00575150
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00573740	7_2_00573740
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00579D40	7_2_00579D40
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00575140	7_2_00575140
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00570778	7_2_00570778
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_0057B778	7_2_0057B778
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00572178	7_2_00572178
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_0057B767	7_2_0057B767
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00570768	7_2_00570768
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_0057B311	7_2_0057B311
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00570310	7_2_00570310
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00578708	7_2_00578708
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00573732	7_2_00573732
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00571D30	7_2_00571D30
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00570320	7_2_00570320
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_0057B320	7_2_0057B320
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00571D20	7_2_00571D20
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_005725D1	7_2_005725D1
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00570BD0	7_2_00570BD0
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_0057BBD0	7_2_0057BBD0
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00570BC2	7_2_00570BC2
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_0057BBC1	7_2_0057BBC1
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_005759F2	7_2_005759F2
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00573FF0	7_2_00573FF0
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_0057A5F0	7_2_0057A5F0
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_0057A5E1	7_2_0057A5E1
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_005725E0	7_2_005725E0
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00573FEA	7_2_00573FEA
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00573B98	7_2_00573B98
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_0057A198	7_2_0057A198
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00575598	7_2_00575598
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00572188	7_2_00572188
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00573B88	7_2_00573B88
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_0057A188	7_2_0057A188
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_005755A8	7_2_005755A8
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00690040	7_2_00690040
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00690CD8	7_2_00690CD8
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00690690	7_2_00690690
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Code function: 7_2_00690006	7_2_00690006

Yara signature match

Source: Bank Slip 2.doc, type: SAMPLE	Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
Source: 5.2.obie8920193.exe.3599d70.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.obie8920193.exe.3599d70.8.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.obie8920193.exe.3599d70.8.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.obie8920193.exe.3599d70.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 5.2.obie8920193.exe.3579550.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.obie8920193.exe.3579550.10.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.obie8920193.exe.3579550.10.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.obie8920193.exe.3579550.10.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 7.2.obie8920193.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.obie8920193.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.obie8920193.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 7.2.obie8920193.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 5.2.obie8920193.exe.3599d70.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.obie8920193.exe.3599d70.8.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.obie8920193.exe.3599d70.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.obie8920193.exe.3599d70.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 5.2.obie8920193.exe.3579550.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.obie8920193.exe.3579550.10.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.obie8920193.exe.3579550.10.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.obie8920193.exe.3579550.10.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000007.00000002.864143938.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000007.00000002.864143938.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000005.00000002.366574375.0000000003579000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000005.00000002.366574375.0000000003579000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: obie8920193.exe PID: 3152, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: obie8920193.exe PID: 3152, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: obie8920193.exe PID: 3244, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: obie8920193.exe PID: 3244, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: FcdBUj68lnCbMtB[1].exe.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: obie8920193.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 5.2.obie8920193.exe.3599d70.8.raw.unpack, zi--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.obie8920193.exe.3599d70.8.raw.unpack, zi--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.obie8920193.exe.3599d70.8.raw.unpack, ----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.obie8920193.exe.3599d70.8.raw.unpack, ----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.obie8920193.exe.3579550.10.raw.unpack, zi--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.obie8920193.exe.3579550.10.raw.unpack, zi--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.obie8920193.exe.3579550.10.raw.unpack, ----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.obie8920193.exe.3579550.10.raw.unpack, ----.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 5.2.obie8920193.exe.38e9930.9.raw.unpack, W69GQbvchlGWfxEUg3.cs	Security API names: _0020.SetAccessControl
Source: 5.2.obie8920193.exe.38e9930.9.raw.unpack, W69GQbvchlGWfxEUg3.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 5.2.obie8920193.exe.38e9930.9.raw.unpack, W69GQbvchlGWfxEUg3.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 5.2.obie8920193.exe.4ea0000.12.raw.unpack, W69GQbvchlGWfxEUg3.cs	Security API names: _0020.SetAccessControl
Source: 5.2.obie8920193.exe.4ea0000.12.raw.unpack, W69GQbvchlGWfxEUg3.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 5.2.obie8920193.exe.4ea0000.12.raw.unpack, W69GQbvchlGWfxEUg3.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 5.2.obie8920193.exe.38e9930.9.raw.unpack, BR4r9SHUAmvVNPGE5t.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 5.2.obie8920193.exe.4ea0000.12.raw.unpack, BR4r9SHUAmvVNPGE5t.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 5.2.obie8920193.exe.3887310.11.raw.unpack, BR4r9SHUAmvVNPGE5t.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 5.2.obie8920193.exe.3887310.11.raw.unpack, W69GQbvchlGWfxEUg3.cs	Security API names: _0020.SetAccessControl
Source: 5.2.obie8920193.exe.3887310.11.raw.unpack, W69GQbvchlGWfxEUg3.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 5.2.obie8920193.exe.3887310.11.raw.unpack, W69GQbvchlGWfxEUg3.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)

Source: 5.2.obie8920193.exe.4c0000.2.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 5.2.obie8920193.exe.2734d44.5.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 5.2.obie8920193.exe.2755f14.7.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winDOC@9/14@25/5

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$nk Slip 2.doc

Jump to behavior

Source: C:\Users\user\AppData\Roaming\obie8920193.exe

Mutant created: NULL

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR737A.tmp

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................L.......a..........................s............................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................L.......m..........................s............................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................L..................................s............................../.............	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................L..................................s............................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................L..................................s............................../.............	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................L..................................s............................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................a.g.a.i.n.......................L..................................s............................../.............	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................L..................................s............................../.............	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.L..................................s.................... ........./.............	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................L..................................s............................../.............	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................L..................................s............................../.............	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................L..................................s............................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~................................s....................$........./.............	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................L.......!..........................s............................../.............	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................L.......3..........................s............................../.............	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................L.......?..........................s............................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n..................s....................2........./.............	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................L.......]..........................s............................../.............	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................L.......o..........................s....................l........./.............	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................L.......{..........................s............................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......(.P.....................L..................................s............................../.............	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................L..................................s............................../.............	Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Bank Slip 2.doc

ReversingLabs: Detection: 39%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\obie8920193.exe "C:\Users\user\AppData\Roaming\obie8920193.exe"
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\obie8920193.exe"
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process created: C:\Users\user\AppData\Roaming\obie8920193.exe "C:\Users\user\AppData\Roaming\obie8920193.exe"
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\obie8920193.exe "C:\Users\user\AppData\Roaming\obie8920193.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\obie8920193.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process created: C:\Users\user\AppData\Roaming\obie8920193.exe "C:\Users\user\AppData\Roaming\obie8920193.exe"	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: msi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: webio.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: credssp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Section loaded: credssp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: msi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dwmapi.dll	Jump to behavior

Source: C:\Users\user\AppData\Roaming\obie8920193.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32

Jump to behavior

Source: Bank Slip 2.LNK.0.dr

LNK file: ..\..\..\..\..\Desktop\Bank Slip 2.doc

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Roaming\obie8920193.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Data Obfuscation

.NET source code contains potential unpacker

Source: FcdBUj68lnCbMtB[1].exe.2.dr, OptionsWindow.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: obie8920193.exe.2.dr, OptionsWindow.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 5.2.obie8920193.exe.38e9930.9.raw.unpack, W69GQbvchlGWfxEUg3.cs	.Net Code: LjBwfxGmLB5enfYePel System.Reflection.Assembly.Load(byte[])
Source: 5.2.obie8920193.exe.4ea0000.12.raw.unpack, W69GQbvchlGWfxEUg3.cs	.Net Code: LjBwfxGmLB5enfYePel System.Reflection.Assembly.Load(byte[])
Source: 5.2.obie8920193.exe.3887310.11.raw.unpack, W69GQbvchlGWfxEUg3.cs	.Net Code: LjBwfxGmLB5enfYePel System.Reflection.Assembly.Load(byte[])

Uses code obfuscation techniques (call, push, ret)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_005D5355 push esp; ret	2_2_005D5357
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_005D887D push dword ptr [esi+ebp*4-4Eh]; ret	2_2_005D8883
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_005CA67E push ecx; iretd	2_2_005CA67F
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_005D667A push esp; ret	2_2_005D667B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_005D666A push esp; ret	2_2_005D666B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_005C8F60 push eax; retf	2_2_005C8F61
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_005D6319 push ebp; ret	2_2_005D631B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_005D6311 push ebp; ret	2_2_005D6313
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_005D4E01 push ebx; ret	2_2_005D4E1B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_005D4E2A push ebx; ret	2_2_005D4E2B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_005D6C25 push esp; ret	2_2_005D6C27
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_005D4E22 push ebx; ret	2_2_005D4E23
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_005D66D1 push esp; ret	2_2_005D66EB
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_005D6ACC push esi; ret	2_2_005D6B2B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_005CA6CE push ecx; iretd	2_2_005CA6CF
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_005D6ACA push esi; ret	2_2_005D6ACB
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_005C01F4 push eax; retf	2_2_005C01F5
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_005D448F push esp; ret	2_2_005D4493
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_005CC288 pushad ; retn 005Ch	2_2_005CC289
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_005D66B0 push esp; ret	2_2_005D66B3
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_005D66AA push esp; ret	2_2_005D66AB

Source: FcdBUj68lnCbMtB[1].exe.2.dr	Static PE information: section name: .text entropy: 7.956474075976922
Source: obie8920193.exe.2.dr	Static PE information: section name: .text entropy: 7.956474075976922

Source: 5.2.obie8920193.exe.38e9930.9.raw.unpack, zSxtCKQlluoBoaYfXp.cs	High entropy of concatenated method names: 'OgnRHMcNY5', 'vmCRol41YF', 'Q0uR2RhZuy', 'zMfRufRBTY', 'fpcRpi2xKw', 'v75RKhYLrv', 'xsjRB7Mp23', 'tHcRw0kPul', 'KRLRIlCq1d', 'dSiRnK2hl9'
Source: 5.2.obie8920193.exe.38e9930.9.raw.unpack, Oas0CkJLP86ncCAk06.cs	High entropy of concatenated method names: 'GHXsAR4r9S', 'lAmsvvVNPG', 'Exds8tG6SW', 'MXGsLTh54W', 'NsusdBgHPI', 'dJas3JNOwr', 'aNBuvWuf7Q8RLhOWve', 'uQ7NenzmOOxcAaLMhk', 'OFfsskh2oO', 'BfAsOteMOw'
Source: 5.2.obie8920193.exe.38e9930.9.raw.unpack, XknLE6sxi0AB9TbxvRc.cs	High entropy of concatenated method names: 'AvfTq0KEyq', 's2yTau8oC7', 'RVqTjUFaYj', 'JoMTrHMPda', 'ob9TENcOTb', 'Sw1TXwCJZ4', 'i8GTN75a3E', 'rAPTHHC7Ww', 'fiEToqdgIj', 'joyT7tuXVm'
Source: 5.2.obie8920193.exe.38e9930.9.raw.unpack, dvDQ8ooxdtG6SWtXGT.cs	High entropy of concatenated method names: 'ERH1rLd988', 'bAw1XTpBDV', 'TKy1HTUH7d', 'eTd1oLjbdV', 'MbZ1d3XUIw', 'sYC13oI7Up', 'EbH10oYBSs', 'boA1Vv6yAi', 'At71TxKAYD', 'm9C1ilIAyy'
Source: 5.2.obie8920193.exe.38e9930.9.raw.unpack, GgKL0Eg5Wkhg2YdC0x.cs	High entropy of concatenated method names: 'IMUTsrQsXJ', 'VeJTOl1CHT', 'TQwTJrpikx', 'GkjTcaLa5u', 'c4yTyTFN2J', 'U8pTkEyOuX', 'PAFTe40vsK', 'qkTVPe19PJ', 'rcVV5qJaJJ', 'lnEVSLrVM4'
Source: 5.2.obie8920193.exe.38e9930.9.raw.unpack, yT6mC6B4fPpfSn1yjG.cs	High entropy of concatenated method names: 'xUhAc6V83P', 'eEaA1XNMYI', 'vbPAeCfRB2', 'bf6egCAcCi', 'aaEez3V0VO', 'dNJAxUGX5V', 'I3nAshrl2E', 'f6kAfxi46V', 'W7dAOc3oni', 'rkiAJx0XHx'
Source: 5.2.obie8920193.exe.38e9930.9.raw.unpack, DPIJJa2JNOwrGoKDAd.cs	High entropy of concatenated method names: 'k3VeWEg6BE', 'jlAeyDgLZW', 'oERekrBOhj', 'TPqeATLDUt', 'e1IevGOKTQ', 'o1VkbBmDax', 'v5RklZ0XhA', 'Ib5kPvxGsJ', 'xGwk5B7rx1', 'FT7kSu5fbr'
Source: 5.2.obie8920193.exe.38e9930.9.raw.unpack, BR4r9SHUAmvVNPGE5t.cs	High entropy of concatenated method names: 'FgWyYS2u0Z', 'AUoyDCKohK', 'vqCyGtCJo4', 'dfey4gBG0p', 'N7aybp4Wuk', 'Iliylj9Q2S', 'L2TyPGrsds', 'e99y5cS2Pg', 'RDoySsTIjB', 'WiCygTnkPk'
Source: 5.2.obie8920193.exe.38e9930.9.raw.unpack, C7Kf5VfB7dASIKDlYf.cs	High entropy of concatenated method names: 'WBVjLQXbf', 'A6nrrJFfH', 'VecXbIrwB', 'LiCN7U1wD', 'EMeoq1cM7', 'Nko77COJB', 'q3X0Zl8iJKdf9jL3mN', 'xfGhmsBIc8kpAyH0kO', 'kHtpQYeZjoIwjqoCkF', 'p5HV4Vvjf'
Source: 5.2.obie8920193.exe.38e9930.9.raw.unpack, w54Wwi7tk9esttsuBg.cs	High entropy of concatenated method names: 'dddkE0mrXt', 'i5ukNS9Ijc', 'T3l1FXYGRg', 'Vma1pu6KWc', 'tEx1KV0sPo', 'zRM16k4Mwx', 'OmO1BYfUCQ', 'NEY1wE7i8E', 'awT1tqXV4E', 'qyv1IfBOkj'
Source: 5.2.obie8920193.exe.38e9930.9.raw.unpack, va4sUbS6hEyNbApReb.cs	High entropy of concatenated method names: 'GK6V2twI8t', 'KomVumiTnw', 'DuAVFIexMn', 'BiXVpFkQn2', 'BfMVYVSBtn', 'BrLVKFywPE', 'Next', 'Next', 'Next', 'NextBytes'
Source: 5.2.obie8920193.exe.38e9930.9.raw.unpack, D2UDibly6dG7h6hnQq.cs	High entropy of concatenated method names: 'qEM05aRK20', 'Jm50gVOZQq', 'dpiVxjpehW', 'EO9Vsf6VXr', 'qMg0nfFZL0', 'kg10MuDH94', 'pqX0Q7KhQy', 'yga0YAW9bd', 'heB0DashSd', 'QQ30Gj3wYg'
Source: 5.2.obie8920193.exe.38e9930.9.raw.unpack, Qh9yHxsORTqQFMRRqnU.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'fSCiYQdVqD', 'UCniDDVHuV', 'Bl9iGAQae4', 'XvLi4Ll8CB', 'jbQibeWikE', 'agFilOQRxC', 'rW0iP7byWG'
Source: 5.2.obie8920193.exe.38e9930.9.raw.unpack, KGQivG4jZoZqi3K2bp.cs	High entropy of concatenated method names: 'zuv08FCj4y', 'iP30LA7YEU', 'ToString', 'p8H0cQJaMf', 'vYL0yc0pPe', 'JEW01mIA5Y', 'xkm0kn33Gr', 'aRs0e4HrQH', 'FJZ0ALR5Py', 'x8Y0vqeFMS'
Source: 5.2.obie8920193.exe.38e9930.9.raw.unpack, W69GQbvchlGWfxEUg3.cs	High entropy of concatenated method names: 'knpOW5nIkU', 'rnCOcoFLu2', 'cTTOyyqFQy', 'qx0O17hsB9', 'Eo6OkBIRGy', 'p1uOelR80E', 'oSAOABkX4v', 'd1COv3GXRm', 'N9cOUPVVkK', 'OjGO8VCNo1'
Source: 5.2.obie8920193.exe.38e9930.9.raw.unpack, c8JUhb5EhV7YevbYMr.cs	High entropy of concatenated method names: 'i5qVciT2dm', 'Hd1VyKoPxa', 'cQiV10G2cQ', 'lYCVkiAPpq', 'pFaVeO1J9R', 'VmmVAKd6jx', 'hgiVvYdhpx', 'UrQVUhBGda', 'mh7V8FlQJC', 'h1qVLkD56K'
Source: 5.2.obie8920193.exe.38e9930.9.raw.unpack, xUxCqCtuE8HCR9gjRX.cs	High entropy of concatenated method names: 'jnCAquX9FD', 'yXqAaV2sHl', 'amTAjCiVrt', 'o8xAryFFEy', 'KvSAEZi7gl', 'bdLAXlHIK5', 'wxkANeL5SP', 'ye8AH5d9Rt', 'DWCAoxP72I', 'X6IA7DsCAp'
Source: 5.2.obie8920193.exe.38e9930.9.raw.unpack, sM5uBfyrWcuZmGJ521.cs	High entropy of concatenated method names: 'Dispose', 'J1lsSfCwkJ', 'Lwffud1nQM', 'piCUUZtDJ4', 'Mf8sgJUhbE', 'xV7szYevbY', 'ProcessDialogKey', 'Prmfxa4sUb', 'KhEfsyNbAp', 'oebff2gKL0'
Source: 5.2.obie8920193.exe.38e9930.9.raw.unpack, kQMY18YRSxSjPa7Enu.cs	High entropy of concatenated method names: 'qfsdIkUpHl', 'NJNdMENith', 'MW9dYsIKP3', 'k3gdDvQLC7', 'uutdu4L8XF', 'kcddFDdQy7', 'g2OdpWitoC', 'JNNdKxghd0', 'lvCd6ru4f4', 'ArHdBrRQmR'
Source: 5.2.obie8920193.exe.4ea0000.12.raw.unpack, zSxtCKQlluoBoaYfXp.cs	High entropy of concatenated method names: 'OgnRHMcNY5', 'vmCRol41YF', 'Q0uR2RhZuy', 'zMfRufRBTY', 'fpcRpi2xKw', 'v75RKhYLrv', 'xsjRB7Mp23', 'tHcRw0kPul', 'KRLRIlCq1d', 'dSiRnK2hl9'
Source: 5.2.obie8920193.exe.4ea0000.12.raw.unpack, Oas0CkJLP86ncCAk06.cs	High entropy of concatenated method names: 'GHXsAR4r9S', 'lAmsvvVNPG', 'Exds8tG6SW', 'MXGsLTh54W', 'NsusdBgHPI', 'dJas3JNOwr', 'aNBuvWuf7Q8RLhOWve', 'uQ7NenzmOOxcAaLMhk', 'OFfsskh2oO', 'BfAsOteMOw'
Source: 5.2.obie8920193.exe.4ea0000.12.raw.unpack, XknLE6sxi0AB9TbxvRc.cs	High entropy of concatenated method names: 'AvfTq0KEyq', 's2yTau8oC7', 'RVqTjUFaYj', 'JoMTrHMPda', 'ob9TENcOTb', 'Sw1TXwCJZ4', 'i8GTN75a3E', 'rAPTHHC7Ww', 'fiEToqdgIj', 'joyT7tuXVm'
Source: 5.2.obie8920193.exe.4ea0000.12.raw.unpack, dvDQ8ooxdtG6SWtXGT.cs	High entropy of concatenated method names: 'ERH1rLd988', 'bAw1XTpBDV', 'TKy1HTUH7d', 'eTd1oLjbdV', 'MbZ1d3XUIw', 'sYC13oI7Up', 'EbH10oYBSs', 'boA1Vv6yAi', 'At71TxKAYD', 'm9C1ilIAyy'
Source: 5.2.obie8920193.exe.4ea0000.12.raw.unpack, GgKL0Eg5Wkhg2YdC0x.cs	High entropy of concatenated method names: 'IMUTsrQsXJ', 'VeJTOl1CHT', 'TQwTJrpikx', 'GkjTcaLa5u', 'c4yTyTFN2J', 'U8pTkEyOuX', 'PAFTe40vsK', 'qkTVPe19PJ', 'rcVV5qJaJJ', 'lnEVSLrVM4'
Source: 5.2.obie8920193.exe.4ea0000.12.raw.unpack, yT6mC6B4fPpfSn1yjG.cs	High entropy of concatenated method names: 'xUhAc6V83P', 'eEaA1XNMYI', 'vbPAeCfRB2', 'bf6egCAcCi', 'aaEez3V0VO', 'dNJAxUGX5V', 'I3nAshrl2E', 'f6kAfxi46V', 'W7dAOc3oni', 'rkiAJx0XHx'
Source: 5.2.obie8920193.exe.4ea0000.12.raw.unpack, DPIJJa2JNOwrGoKDAd.cs	High entropy of concatenated method names: 'k3VeWEg6BE', 'jlAeyDgLZW', 'oERekrBOhj', 'TPqeATLDUt', 'e1IevGOKTQ', 'o1VkbBmDax', 'v5RklZ0XhA', 'Ib5kPvxGsJ', 'xGwk5B7rx1', 'FT7kSu5fbr'
Source: 5.2.obie8920193.exe.4ea0000.12.raw.unpack, BR4r9SHUAmvVNPGE5t.cs	High entropy of concatenated method names: 'FgWyYS2u0Z', 'AUoyDCKohK', 'vqCyGtCJo4', 'dfey4gBG0p', 'N7aybp4Wuk', 'Iliylj9Q2S', 'L2TyPGrsds', 'e99y5cS2Pg', 'RDoySsTIjB', 'WiCygTnkPk'
Source: 5.2.obie8920193.exe.4ea0000.12.raw.unpack, C7Kf5VfB7dASIKDlYf.cs	High entropy of concatenated method names: 'WBVjLQXbf', 'A6nrrJFfH', 'VecXbIrwB', 'LiCN7U1wD', 'EMeoq1cM7', 'Nko77COJB', 'q3X0Zl8iJKdf9jL3mN', 'xfGhmsBIc8kpAyH0kO', 'kHtpQYeZjoIwjqoCkF', 'p5HV4Vvjf'
Source: 5.2.obie8920193.exe.4ea0000.12.raw.unpack, w54Wwi7tk9esttsuBg.cs	High entropy of concatenated method names: 'dddkE0mrXt', 'i5ukNS9Ijc', 'T3l1FXYGRg', 'Vma1pu6KWc', 'tEx1KV0sPo', 'zRM16k4Mwx', 'OmO1BYfUCQ', 'NEY1wE7i8E', 'awT1tqXV4E', 'qyv1IfBOkj'
Source: 5.2.obie8920193.exe.4ea0000.12.raw.unpack, va4sUbS6hEyNbApReb.cs	High entropy of concatenated method names: 'GK6V2twI8t', 'KomVumiTnw', 'DuAVFIexMn', 'BiXVpFkQn2', 'BfMVYVSBtn', 'BrLVKFywPE', 'Next', 'Next', 'Next', 'NextBytes'
Source: 5.2.obie8920193.exe.4ea0000.12.raw.unpack, D2UDibly6dG7h6hnQq.cs	High entropy of concatenated method names: 'qEM05aRK20', 'Jm50gVOZQq', 'dpiVxjpehW', 'EO9Vsf6VXr', 'qMg0nfFZL0', 'kg10MuDH94', 'pqX0Q7KhQy', 'yga0YAW9bd', 'heB0DashSd', 'QQ30Gj3wYg'
Source: 5.2.obie8920193.exe.4ea0000.12.raw.unpack, Qh9yHxsORTqQFMRRqnU.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'fSCiYQdVqD', 'UCniDDVHuV', 'Bl9iGAQae4', 'XvLi4Ll8CB', 'jbQibeWikE', 'agFilOQRxC', 'rW0iP7byWG'
Source: 5.2.obie8920193.exe.4ea0000.12.raw.unpack, KGQivG4jZoZqi3K2bp.cs	High entropy of concatenated method names: 'zuv08FCj4y', 'iP30LA7YEU', 'ToString', 'p8H0cQJaMf', 'vYL0yc0pPe', 'JEW01mIA5Y', 'xkm0kn33Gr', 'aRs0e4HrQH', 'FJZ0ALR5Py', 'x8Y0vqeFMS'
Source: 5.2.obie8920193.exe.4ea0000.12.raw.unpack, W69GQbvchlGWfxEUg3.cs	High entropy of concatenated method names: 'knpOW5nIkU', 'rnCOcoFLu2', 'cTTOyyqFQy', 'qx0O17hsB9', 'Eo6OkBIRGy', 'p1uOelR80E', 'oSAOABkX4v', 'd1COv3GXRm', 'N9cOUPVVkK', 'OjGO8VCNo1'
Source: 5.2.obie8920193.exe.4ea0000.12.raw.unpack, c8JUhb5EhV7YevbYMr.cs	High entropy of concatenated method names: 'i5qVciT2dm', 'Hd1VyKoPxa', 'cQiV10G2cQ', 'lYCVkiAPpq', 'pFaVeO1J9R', 'VmmVAKd6jx', 'hgiVvYdhpx', 'UrQVUhBGda', 'mh7V8FlQJC', 'h1qVLkD56K'
Source: 5.2.obie8920193.exe.4ea0000.12.raw.unpack, xUxCqCtuE8HCR9gjRX.cs	High entropy of concatenated method names: 'jnCAquX9FD', 'yXqAaV2sHl', 'amTAjCiVrt', 'o8xAryFFEy', 'KvSAEZi7gl', 'bdLAXlHIK5', 'wxkANeL5SP', 'ye8AH5d9Rt', 'DWCAoxP72I', 'X6IA7DsCAp'
Source: 5.2.obie8920193.exe.4ea0000.12.raw.unpack, sM5uBfyrWcuZmGJ521.cs	High entropy of concatenated method names: 'Dispose', 'J1lsSfCwkJ', 'Lwffud1nQM', 'piCUUZtDJ4', 'Mf8sgJUhbE', 'xV7szYevbY', 'ProcessDialogKey', 'Prmfxa4sUb', 'KhEfsyNbAp', 'oebff2gKL0'
Source: 5.2.obie8920193.exe.4ea0000.12.raw.unpack, kQMY18YRSxSjPa7Enu.cs	High entropy of concatenated method names: 'qfsdIkUpHl', 'NJNdMENith', 'MW9dYsIKP3', 'k3gdDvQLC7', 'uutdu4L8XF', 'kcddFDdQy7', 'g2OdpWitoC', 'JNNdKxghd0', 'lvCd6ru4f4', 'ArHdBrRQmR'
Source: 5.2.obie8920193.exe.3887310.11.raw.unpack, zSxtCKQlluoBoaYfXp.cs	High entropy of concatenated method names: 'OgnRHMcNY5', 'vmCRol41YF', 'Q0uR2RhZuy', 'zMfRufRBTY', 'fpcRpi2xKw', 'v75RKhYLrv', 'xsjRB7Mp23', 'tHcRw0kPul', 'KRLRIlCq1d', 'dSiRnK2hl9'
Source: 5.2.obie8920193.exe.3887310.11.raw.unpack, Oas0CkJLP86ncCAk06.cs	High entropy of concatenated method names: 'GHXsAR4r9S', 'lAmsvvVNPG', 'Exds8tG6SW', 'MXGsLTh54W', 'NsusdBgHPI', 'dJas3JNOwr', 'aNBuvWuf7Q8RLhOWve', 'uQ7NenzmOOxcAaLMhk', 'OFfsskh2oO', 'BfAsOteMOw'
Source: 5.2.obie8920193.exe.3887310.11.raw.unpack, XknLE6sxi0AB9TbxvRc.cs	High entropy of concatenated method names: 'AvfTq0KEyq', 's2yTau8oC7', 'RVqTjUFaYj', 'JoMTrHMPda', 'ob9TENcOTb', 'Sw1TXwCJZ4', 'i8GTN75a3E', 'rAPTHHC7Ww', 'fiEToqdgIj', 'joyT7tuXVm'
Source: 5.2.obie8920193.exe.3887310.11.raw.unpack, dvDQ8ooxdtG6SWtXGT.cs	High entropy of concatenated method names: 'ERH1rLd988', 'bAw1XTpBDV', 'TKy1HTUH7d', 'eTd1oLjbdV', 'MbZ1d3XUIw', 'sYC13oI7Up', 'EbH10oYBSs', 'boA1Vv6yAi', 'At71TxKAYD', 'm9C1ilIAyy'
Source: 5.2.obie8920193.exe.3887310.11.raw.unpack, GgKL0Eg5Wkhg2YdC0x.cs	High entropy of concatenated method names: 'IMUTsrQsXJ', 'VeJTOl1CHT', 'TQwTJrpikx', 'GkjTcaLa5u', 'c4yTyTFN2J', 'U8pTkEyOuX', 'PAFTe40vsK', 'qkTVPe19PJ', 'rcVV5qJaJJ', 'lnEVSLrVM4'
Source: 5.2.obie8920193.exe.3887310.11.raw.unpack, yT6mC6B4fPpfSn1yjG.cs	High entropy of concatenated method names: 'xUhAc6V83P', 'eEaA1XNMYI', 'vbPAeCfRB2', 'bf6egCAcCi', 'aaEez3V0VO', 'dNJAxUGX5V', 'I3nAshrl2E', 'f6kAfxi46V', 'W7dAOc3oni', 'rkiAJx0XHx'
Source: 5.2.obie8920193.exe.3887310.11.raw.unpack, DPIJJa2JNOwrGoKDAd.cs	High entropy of concatenated method names: 'k3VeWEg6BE', 'jlAeyDgLZW', 'oERekrBOhj', 'TPqeATLDUt', 'e1IevGOKTQ', 'o1VkbBmDax', 'v5RklZ0XhA', 'Ib5kPvxGsJ', 'xGwk5B7rx1', 'FT7kSu5fbr'
Source: 5.2.obie8920193.exe.3887310.11.raw.unpack, BR4r9SHUAmvVNPGE5t.cs	High entropy of concatenated method names: 'FgWyYS2u0Z', 'AUoyDCKohK', 'vqCyGtCJo4', 'dfey4gBG0p', 'N7aybp4Wuk', 'Iliylj9Q2S', 'L2TyPGrsds', 'e99y5cS2Pg', 'RDoySsTIjB', 'WiCygTnkPk'
Source: 5.2.obie8920193.exe.3887310.11.raw.unpack, C7Kf5VfB7dASIKDlYf.cs	High entropy of concatenated method names: 'WBVjLQXbf', 'A6nrrJFfH', 'VecXbIrwB', 'LiCN7U1wD', 'EMeoq1cM7', 'Nko77COJB', 'q3X0Zl8iJKdf9jL3mN', 'xfGhmsBIc8kpAyH0kO', 'kHtpQYeZjoIwjqoCkF', 'p5HV4Vvjf'
Source: 5.2.obie8920193.exe.3887310.11.raw.unpack, w54Wwi7tk9esttsuBg.cs	High entropy of concatenated method names: 'dddkE0mrXt', 'i5ukNS9Ijc', 'T3l1FXYGRg', 'Vma1pu6KWc', 'tEx1KV0sPo', 'zRM16k4Mwx', 'OmO1BYfUCQ', 'NEY1wE7i8E', 'awT1tqXV4E', 'qyv1IfBOkj'
Source: 5.2.obie8920193.exe.3887310.11.raw.unpack, va4sUbS6hEyNbApReb.cs	High entropy of concatenated method names: 'GK6V2twI8t', 'KomVumiTnw', 'DuAVFIexMn', 'BiXVpFkQn2', 'BfMVYVSBtn', 'BrLVKFywPE', 'Next', 'Next', 'Next', 'NextBytes'
Source: 5.2.obie8920193.exe.3887310.11.raw.unpack, D2UDibly6dG7h6hnQq.cs	High entropy of concatenated method names: 'qEM05aRK20', 'Jm50gVOZQq', 'dpiVxjpehW', 'EO9Vsf6VXr', 'qMg0nfFZL0', 'kg10MuDH94', 'pqX0Q7KhQy', 'yga0YAW9bd', 'heB0DashSd', 'QQ30Gj3wYg'
Source: 5.2.obie8920193.exe.3887310.11.raw.unpack, Qh9yHxsORTqQFMRRqnU.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'fSCiYQdVqD', 'UCniDDVHuV', 'Bl9iGAQae4', 'XvLi4Ll8CB', 'jbQibeWikE', 'agFilOQRxC', 'rW0iP7byWG'
Source: 5.2.obie8920193.exe.3887310.11.raw.unpack, KGQivG4jZoZqi3K2bp.cs	High entropy of concatenated method names: 'zuv08FCj4y', 'iP30LA7YEU', 'ToString', 'p8H0cQJaMf', 'vYL0yc0pPe', 'JEW01mIA5Y', 'xkm0kn33Gr', 'aRs0e4HrQH', 'FJZ0ALR5Py', 'x8Y0vqeFMS'
Source: 5.2.obie8920193.exe.3887310.11.raw.unpack, W69GQbvchlGWfxEUg3.cs	High entropy of concatenated method names: 'knpOW5nIkU', 'rnCOcoFLu2', 'cTTOyyqFQy', 'qx0O17hsB9', 'Eo6OkBIRGy', 'p1uOelR80E', 'oSAOABkX4v', 'd1COv3GXRm', 'N9cOUPVVkK', 'OjGO8VCNo1'
Source: 5.2.obie8920193.exe.3887310.11.raw.unpack, c8JUhb5EhV7YevbYMr.cs	High entropy of concatenated method names: 'i5qVciT2dm', 'Hd1VyKoPxa', 'cQiV10G2cQ', 'lYCVkiAPpq', 'pFaVeO1J9R', 'VmmVAKd6jx', 'hgiVvYdhpx', 'UrQVUhBGda', 'mh7V8FlQJC', 'h1qVLkD56K'
Source: 5.2.obie8920193.exe.3887310.11.raw.unpack, xUxCqCtuE8HCR9gjRX.cs	High entropy of concatenated method names: 'jnCAquX9FD', 'yXqAaV2sHl', 'amTAjCiVrt', 'o8xAryFFEy', 'KvSAEZi7gl', 'bdLAXlHIK5', 'wxkANeL5SP', 'ye8AH5d9Rt', 'DWCAoxP72I', 'X6IA7DsCAp'
Source: 5.2.obie8920193.exe.3887310.11.raw.unpack, sM5uBfyrWcuZmGJ521.cs	High entropy of concatenated method names: 'Dispose', 'J1lsSfCwkJ', 'Lwffud1nQM', 'piCUUZtDJ4', 'Mf8sgJUhbE', 'xV7szYevbY', 'ProcessDialogKey', 'Prmfxa4sUb', 'KhEfsyNbAp', 'oebff2gKL0'
Source: 5.2.obie8920193.exe.3887310.11.raw.unpack, kQMY18YRSxSjPa7Enu.cs	High entropy of concatenated method names: 'qfsdIkUpHl', 'NJNdMENith', 'MW9dYsIKP3', 'k3gdDvQLC7', 'uutdu4L8XF', 'kcddFDdQy7', 'g2OdpWitoC', 'JNNdKxghd0', 'lvCd6ru4f4', 'ArHdBrRQmR'

Persistence and Installation Behavior

Installs new ROOT certificates

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob	Jump to behavior

Drops PE files

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\obie8920193.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\FcdBUj68lnCbMtB[1].exe			Jump to dropped file

Stores large binary data to the registry

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Memory allocated: 1C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Memory allocated: 2570000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Memory allocated: 1C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Memory allocated: 8010000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Memory allocated: 54B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Memory allocated: 9010000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Memory allocated: 58B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Memory allocated: 3C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Memory allocated: 2230000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Memory allocated: 5E0000 memory reserve \| memory write watch	Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Thread delayed: delay time: 600000	Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2933	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1409	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Window / User API: threadDelayed 9721	Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1764	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe TID: 3172	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3380	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3392	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3348	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe TID: 3384	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe TID: 3416	Thread sleep time: -11068046444225724s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe TID: 3416	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe TID: 3420	Thread sleep count: 92 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe TID: 3420	Thread sleep count: 9721 > 30	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3500	Thread sleep time: -120000s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Thread delayed: delay time: 600000	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Users\user\AppData\Roaming\obie8920193.exe

Code function: 7_2_003CFCB8 LdrInitializeThunk,

7_2_003CFCB8

Enables debug privileges

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\AppData\Roaming\obie8920193.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\obie8920193.exe"
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\obie8920193.exe"			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Roaming\obie8920193.exe

Memory written: C:\Users\user\AppData\Roaming\obie8920193.exe base: 400000 value starts with: 4D5A

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\obie8920193.exe "C:\Users\user\AppData\Roaming\obie8920193.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\obie8920193.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Process created: C:\Users\user\AppData\Roaming\obie8920193.exe "C:\Users\user\AppData\Roaming\obie8920193.exe"	Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Queries volume information: C:\Users\user\AppData\Roaming\obie8920193.exe VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe	Queries volume information: C:\Users\user\AppData\Roaming\obie8920193.exe VolumeInformation	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 5.2.obie8920193.exe.3599d70.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.obie8920193.exe.3579550.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.obie8920193.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.obie8920193.exe.3599d70.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.obie8920193.exe.3579550.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.864143938.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.366574375.0000000003579000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.864677424.00000000023DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.864677424.0000000002231000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: obie8920193.exe PID: 3152, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: obie8920193.exe PID: 3244, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\obie8920193.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Roaming\obie8920193.exe

File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\

Jump to behavior

Yara detected Credential Stealer

Source: Yara match	File source: 5.2.obie8920193.exe.3599d70.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.obie8920193.exe.3579550.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.obie8920193.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.obie8920193.exe.3599d70.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.obie8920193.exe.3579550.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.864143938.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.366574375.0000000003579000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: obie8920193.exe PID: 3152, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: obie8920193.exe PID: 3244, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 5.2.obie8920193.exe.3599d70.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.obie8920193.exe.3579550.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.obie8920193.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.obie8920193.exe.3599d70.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.obie8920193.exe.3579550.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.864143938.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.366574375.0000000003579000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.864677424.00000000023DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.864677424.0000000002231000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: obie8920193.exe PID: 3152, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: obie8920193.exe PID: 3244, type: MEMORYSTR

Windows Analysis Report
Bank Slip 2.doc

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Location Tracking

Exploits

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

ID:	1465556
Product:	CloudBasic
Start time:	20:05:15
Start date:	01.07.2024
Sample:	Bank Slip 2.doc
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	ff06a87dd0550386be1f780d560f1877
SHA1:	69e95738ec635520a508f7424a759261e5032cb0
SHA256:	511c82313461b74fe24201d13dead6a280311d248062e09a465eb950502d1c18
Filetype:	Rich Text Format (5005/1) 55.56%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	446DD1CF97EABA21CF14D03AEBC79F27	36E4CC7367E0C7B40F4A8ACE272941EA46373799	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\FcdBUj68lnCbMtB[1].exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	DBDACF479A9DD40133701E06E6DC401C	5E78767CF2498D34FC27674FF326F2A7CE5AB2A3	A597F53ED7D5E4CC1AF67800969953F431C7C99467D75A42E3DB360D7302283C
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{B37302F7-876E-4976-9F51-EE39DA847933}.tmp	data	CE338FE6899778AACFC28414F2D9498B	897256B6709E1A4DA9DABA92B6BDE39CCFCCD8C1	4FE7B59AF6DE3B665B67788CC2F99892AB827EFAE3A467342B3BB4E3BC8E5BFE
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{29430A93-7164-4349-8A64-66C896FAA64C}.tmp	data	579E4057D3780D9D70F542FA611E7DC6	8BF86DD3DB525335BBD308999427520ACC530552	4EE9F7F074D9276AB50B886AC35B39F58A8AEA03486CA5C2F5D5CB9909FCC654
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{357DB24A-0983-48BF-8598-FD9D4AAB4B4E}.tmp	data	FA901E7FCD2D72CCAD762E6F4E67345A	87DA4FC64F137B5C84C440C3EA31D52646BFA830	26CDB44AD37C36DFA9F40D19FFE63F8D0034E0887481DECCD09449AC5CDFB1F5
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{57BE0F5E-0BF5-4CE6-96F3-B3AC962F851D}.tmp	data	5D4D94EE7E06BBB0AF9584119797B23A	DBB111419C704F116EFA8E72471DD83E86E49677	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
C:\Users\user\AppData\Local\Temp\21umizuh.yjs.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\oygt2vjk.eyq.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Bank Slip 2.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Aug 11 15:42:07 2023, mtime=Fri Aug 11 15:42:07 2023, atime=Mon Jul 1 17:06:03 2024, length=424988, window=hide	B835129373E7F5EED717412B30BB172E	25DBF2E5E4DF7AC2E31F87FF9AC41ED7776378E5	D8CBEF2A456739AC1E0FB2DD3441023F0049EF92AD8FEE861ACC623AF51F465B
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat	Generic INItialization configuration [folders]	5CCBE259BC7302620DEE438CE2CDE35B	158323D4D5E544D1A4D755855E4278978FEF345F	0EA5DFD0DC5E9DA1F2139AD6B340C6703E0B02282617453CEC09A683F41CB05C
C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm	data	2CF7D3B8DED3F1D5CE1AC92F3E51D4ED	95E13378EA9CACA068B2687F01E9EF13F56627C2	60DF94CDE4FD9B4A73BB13775079D75CE954B75DED5A2878277FA64AD767CAB1
C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex	Unicode text, UTF-16, little-endian text, with no line terminators	F3B25701FE362EC84616A93A45CE9998	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
C:\Users\user\AppData\Roaming\obie8920193.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	DBDACF479A9DD40133701E06E6DC401C	5E78767CF2498D34FC27674FF326F2A7CE5AB2A3	A597F53ED7D5E4CC1AF67800969953F431C7C99467D75A42E3DB360D7302283C
C:\Users\user\Desktop\~$nk Slip 2.doc	data	2CF7D3B8DED3F1D5CE1AC92F3E51D4ED	95E13378EA9CACA068B2687F01E9EF13F56627C2	60DF94CDE4FD9B4A73BB13775079D75CE954B75DED5A2878277FA64AD767CAB1

Windows Analysis Report Bank Slip 2.doc

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Location Tracking

Exploits

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
Bank Slip 2.doc

Malware Threat Intel
Provided by