Windows Analysis Report
OVER DUE INVOICE PAYMENT.docx.doc

Overview

General Information

Sample name:	OVER DUE INVOICE PAYMENT.docx.doc
Analysis ID:	1467841
MD5:	9f3fd4e8aa2ad81966d0c2a036d1e901
SHA1:	80a58393acb58fcc666e56b514994d98ba3f4716
SHA256:	cd9cf022180c8c6f6c4fb0d76476bf2e9382128d28a4686114c50448934e5381
Tags:	doc
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Microsoft Office launches external ms-search protocol handler (WebDAV)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Snake Keylogger

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Contains an external reference to another file

Document exploit detected (process start blacklist hit)

Drops PE files with a suspicious file extension

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Microsoft Office drops suspicious files

Office drops RTF file

Office equation editor drops PE file

Office equation editor establishes network connection

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Office viewer loads remote template

Sigma detected: Equation Editor Network Connection

Sigma detected: Suspicious Microsoft Office Child Process

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected Generic Downloader

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Binary contains a suspicious time stamp

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Document contains Microsoft Equation 3.0 OLE entries

Document misses a certain OLE stream usually present in this Microsoft Office document type

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Office Equation Editor has been started

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Sigma detected: SCR File Write Event

Sigma detected: Suspicious DNS Query for IP Lookup Service APIs

Sigma detected: Suspicious Office Outbound Connections

Sigma detected: Suspicious Screensaver Binary File Creation

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Signatures

AV Detection

Antivirus detection for URL or domain

Source: https://riell.top/obb.scr

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{56E3829F-B9EE-407D-9BA0-759B5D6DE9EF}.tmp

Avira: detection malicious, Label: EXP/CVE-2018-0798.Gen

Found malware configuration

Source: 0000000B.00000002.937566804.0000000002281000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "reservation@artefes.com", "Password": "ArtEfes4765*+", "Host": "mail.artefes.com", "Port": "587"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\obb[1].scr	ReversingLabs: Detection: 58%
Source: C:\Users\user\AppData\Roaming\obi23456.scr	ReversingLabs: Detection: 58%

Multi AV Scanner detection for submitted file

Source: OVER DUE INVOICE PAYMENT.docx.doc

ReversingLabs: Detection: 34%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\obi23456.scr	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\obb[1].scr	Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Exploits

Office equation editor establishes network connection

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Network connect: IP: 188.114.97.3 Port: 443

Jump to behavior

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\obi23456.scr
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\obi23456.scr			Jump to behavior

Document contains Microsoft Equation 3.0 OLE entries

Source: ~WRF{56E3829F-B9EE-407D-9BA0-759B5D6DE9EF}.tmp.0.dr

Stream path '_1781612666/\x1CompObj' : ...................F....Microsoft Equation 3.0....

Office Equation Editor has been started

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49162 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49163 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49163 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49164 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49165 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49170 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49171 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49173 version: TLS 1.0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49161 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49168 version: TLS 1.2

Source:

Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb source: obi23456.scr, 0000000A.00000002.417529163.00000000023B1000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000A.00000002.414654030.0000000000550000.00000004.08000000.00040000.00000000.sdmp

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	11_2_00505038
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 00507B81h	11_2_005078C1
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 00505D07h	11_2_00505B18
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 00506691h	11_2_00505B18
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 00508143h	11_2_00507D30
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 00506A01h	11_2_00506740
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	11_2_0050584B
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 00508143h	11_2_00508072
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 005072C1h	11_2_00507000
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 00506E61h	11_2_00506BA0
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 00507721h	11_2_00507460
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 00508143h	11_2_00507D20
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	11_2_0050566A
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 01EA2889h	11_2_01EA25E0
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 01EAA899h	11_2_01EAA5F0
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 01EA5851h	11_2_01EA55A8
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	11_2_01EA79AE
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 01EA2431h	11_2_01EA2188
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 01EAA441h	11_2_01EAA198
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 01EA9FE9h	11_2_01EA9D40
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 01EA53F9h	11_2_01EA5150
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 01EA1FD9h	11_2_01EA1D30
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 01EA9B91h	11_2_01EA98E8
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 01EA4FA1h	11_2_01EA4CF8
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 01EA1B81h	11_2_01EA18D8
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 01EACC15h	11_2_01EAC8D8
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 01EA4B49h	11_2_01EA48A0
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 01EA1729h	11_2_01EA1480
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 01EAC729h	11_2_01EAC480
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 01EA9711h	11_2_01EA9468
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 01EA46F1h	11_2_01EA4448
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 01EA12D1h	11_2_01EA1028
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 01EAC2D1h	11_2_01EAC028
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 01EA4299h	11_2_01EA3FF0
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 01EA0E79h	11_2_01EA0BD0
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 01EABE79h	11_2_01EABBD0
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 01EA3E41h	11_2_01EA3B98
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 01EA0A21h	11_2_01EA0778
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 01EABA21h	11_2_01EAB778
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 01EA39E9h	11_2_01EA3740
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 01EA05C9h	11_2_01EA0320
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 01EAB5CAh	11_2_01EAB320
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 01EA3591h	11_2_01EA32E8
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 01EAB149h	11_2_01EAAEA0
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	11_2_01EA7688
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	11_2_01EA7698
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 01EA3139h	11_2_01EA2E90
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 01EAACF1h	11_2_01EAAA48
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 01EA2CE1h	11_2_01EA2A38
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 01EA5CA9h	11_2_01EA5A00

Potential document exploit detected (performs DNS queries)

Source: global traffic	DNS query: name: riell.top
Source: global traffic	DNS query: name: riell.top
Source: global traffic	DNS query: name: riell.top
Source: global traffic	DNS query: name: riell.top
Source: global traffic	DNS query: name: riell.top
Source: global traffic	DNS query: name: riell.top
Source: global traffic	DNS query: name: riell.top
Source: global traffic	DNS query: name: riell.top
Source: global traffic	DNS query: name: riell.top
Source: global traffic	DNS query: name: riell.top
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: riell.top
Source: global traffic	DNS query: name: riell.top
Source: global traffic	DNS query: name: reallyfreegeoip.org
Source: global traffic	DNS query: name: riell.top
Source: global traffic	DNS query: name: riell.top
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: reallyfreegeoip.org
Source: global traffic	DNS query: name: reallyfreegeoip.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: reallyfreegeoip.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: reallyfreegeoip.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: reallyfreegeoip.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: reallyfreegeoip.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: reallyfreegeoip.org

Potential document exploit detected (performs HTTP gets)

Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 193.122.130.0:80
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 193.122.130.0:80
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 193.122.130.0:80
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 193.122.6.168:80
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 158.101.44.242:80
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 158.101.44.242:80
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 132.226.247.73:80
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 132.226.8.169:80
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 158.101.44.242:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 188.114.97.3:443

Potential document exploit detected (unknown TCP traffic)

Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 11.2.obi23456.scr.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.obi23456.scr.34b7a20.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.obi23456.scr.34971f0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.obi23456.scr.3407b70.6.raw.unpack, type: UNPACKEDPE

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View	JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

May check the online IP address of the machine

Source: C:\Users\user\AppData\Roaming\obi23456.scr	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obi23456.scr	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obi23456.scr	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obi23456.scr	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obi23456.scr	DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\AppData\Roaming\obi23456.scr	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obi23456.scr	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obi23456.scr	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obi23456.scr	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obi23456.scr	DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\AppData\Roaming\obi23456.scr	DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\AppData\Roaming\obi23456.scr	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obi23456.scr	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obi23456.scr	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obi23456.scr	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obi23456.scr	DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\AppData\Roaming\obi23456.scr	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obi23456.scr	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obi23456.scr	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obi23456.scr	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obi23456.scr	DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\AppData\Roaming\obi23456.scr	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obi23456.scr	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obi23456.scr	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obi23456.scr	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obi23456.scr	DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\AppData\Roaming\obi23456.scr	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obi23456.scr	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obi23456.scr	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obi23456.scr	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obi23456.scr	DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\AppData\Roaming\obi23456.scr	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obi23456.scr	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obi23456.scr	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obi23456.scr	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obi23456.scr	DNS query: name: reallyfreegeoip.org

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /obb.doc HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: riell.topConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /obb.scr HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: riell.topConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49162 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49163 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49163 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49164 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49165 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49170 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49171 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49173 version: TLS 1.0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E99E1800-284E-46BB-8918-39BEC0D2E5EE}.tmp

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /obb.doc HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: riell.topConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /obb.scr HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: riell.topConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: EQNEDT32.EXE, 00000009.00000003.412444845.000000000097E000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.412653701.000000000097E000.00000004.00000020.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937364961.0000000000364000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: global traffic	DNS traffic detected: DNS query: riell.top
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: obi23456.scr, 0000000B.00000002.937566804.0000000002327000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937566804.00000000023DA000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937566804.0000000002415000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937566804.00000000023BB000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937566804.00000000023C8000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937566804.0000000002423000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: obi23456.scr, 0000000B.00000002.937566804.0000000002327000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937566804.00000000023DA000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937566804.000000000236A000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937566804.0000000002415000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937566804.00000000023BB000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937566804.00000000023C8000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937566804.0000000002423000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937566804.000000000231B000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937566804.00000000023F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: obi23456.scr, 0000000B.00000002.937566804.0000000002281000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937364961.0000000000364000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: obi23456.scr, 0000000A.00000002.417577947.00000000033B9000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937442781.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: EQNEDT32.EXE, 00000009.00000003.412444845.000000000097E000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.412653701.000000000097E000.00000004.00000020.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937905097.0000000005444000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: EQNEDT32.EXE, 00000009.00000003.412444845.000000000097E000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.412653701.000000000097E000.00000004.00000020.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937364961.0000000000364000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: EQNEDT32.EXE, 00000009.00000003.412444845.000000000097E000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.412653701.000000000097E000.00000004.00000020.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937364961.0000000000364000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: EQNEDT32.EXE, 00000009.00000003.412444845.000000000097E000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.412653701.000000000097E000.00000004.00000020.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937364961.0000000000364000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: EQNEDT32.EXE, 00000009.00000003.412444845.000000000097E000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.412653701.000000000097E000.00000004.00000020.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937905097.0000000005444000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: EQNEDT32.EXE, 00000009.00000003.412444845.000000000097E000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.412653701.000000000097E000.00000004.00000020.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937364961.0000000000364000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: EQNEDT32.EXE, 00000009.00000003.412444845.000000000097E000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.412653701.000000000097E000.00000004.00000020.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937364961.0000000000364000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: EQNEDT32.EXE, 00000009.00000003.412444845.000000000097E000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.412653701.000000000097E000.00000004.00000020.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937364961.0000000000364000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: EQNEDT32.EXE, 00000009.00000003.412444845.000000000097E000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.412653701.000000000097E000.00000004.00000020.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937364961.0000000000364000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: EQNEDT32.EXE, 00000009.00000003.412444845.000000000097E000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.412653701.000000000097E000.00000004.00000020.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937364961.0000000000364000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: EQNEDT32.EXE, 00000009.00000003.412444845.000000000097E000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.412653701.000000000097E000.00000004.00000020.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937364961.0000000000364000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: EQNEDT32.EXE, 00000009.00000003.412444845.000000000097E000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.412653701.000000000097E000.00000004.00000020.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937364961.0000000000364000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: EQNEDT32.EXE, 00000009.00000003.412444845.000000000097E000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.412653701.000000000097E000.00000004.00000020.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937364961.0000000000364000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: EQNEDT32.EXE, 00000009.00000003.412444845.000000000097E000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.412653701.000000000097E000.00000004.00000020.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937364961.0000000000364000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: obi23456.scr, 0000000B.00000002.937566804.0000000002340000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937566804.00000000023DA000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937566804.00000000023D2000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937566804.0000000002415000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937566804.00000000023BB000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937566804.0000000002423000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: obi23456.scr, 0000000B.00000002.937566804.0000000002281000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: EQNEDT32.EXE, 00000009.00000003.412444845.000000000097E000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.412653701.000000000097E000.00000004.00000020.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937364961.0000000000364000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: EQNEDT32.EXE, 00000009.00000003.412444845.000000000097E000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.412653701.000000000097E000.00000004.00000020.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937364961.0000000000364000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: obi23456.scr, 0000000B.00000002.937566804.0000000002327000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937566804.00000000023DA000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937566804.000000000236A000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937566804.00000000023D2000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937566804.0000000002415000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937566804.00000000023BB000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937566804.0000000002423000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: obi23456.scr, 0000000A.00000002.417577947.00000000033B9000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937566804.0000000002327000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937442781.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: obi23456.scr, 0000000B.00000002.937566804.0000000002423000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: obi23456.scr, 0000000B.00000002.937566804.00000000023DA000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937566804.000000000236A000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937566804.00000000023D2000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937566804.0000000002415000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937566804.00000000023BB000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937566804.0000000002423000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.334
Source: EQNEDT32.EXE, 00000009.00000003.412467105.0000000000952000.00000004.00000020.00020000.00000000.sdmp, riell.top.url.0.dr	String found in binary or memory: https://riell.top/
Source: obb.doc.url.0.dr	String found in binary or memory: https://riell.top/obb.doc
Source: EQNEDT32.EXE, EQNEDT32.EXE, 00000009.00000002.412653701.00000000008FF000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.413385688.0000000004180000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://riell.top/obb.scr
Source: EQNEDT32.EXE, 00000009.00000002.413385688.0000000004180000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://riell.top/obb.scrMC:
Source: EQNEDT32.EXE, 00000009.00000003.412444845.000000000097E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://riell.top/obb.scrgn
Source: EQNEDT32.EXE, 00000009.00000002.412653701.00000000008FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://riell.top/obb.scrhhC:
Source: EQNEDT32.EXE, 00000009.00000002.412653701.00000000008FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://riell.top/obb.scrj
Source: EQNEDT32.EXE, 00000009.00000003.412444845.000000000097E000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.412653701.000000000097E000.00000004.00000020.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937364961.0000000000364000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 49185 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown	Network traffic detected: HTTP traffic on port 49162 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown	Network traffic detected: HTTP traffic on port 49164 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown	Network traffic detected: HTTP traffic on port 49183 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown	Network traffic detected: HTTP traffic on port 49181 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49164
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49163
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49185
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49162
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49161
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49183
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49181
Source: unknown	Network traffic detected: HTTP traffic on port 49172 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49166 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49161 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49163 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49179
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49177
Source: unknown	Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49175
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49173
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49172
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown	Network traffic detected: HTTP traffic on port 49175 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49171 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49173 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49177 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49179 -> 443

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49161 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49168 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 10.2.obi23456.scr.310000.0.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 10.2.obi23456.scr.34b7a20.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.obi23456.scr.34b7a20.7.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.obi23456.scr.34b7a20.7.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.obi23456.scr.34b7a20.7.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 11.2.obi23456.scr.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 11.2.obi23456.scr.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 11.2.obi23456.scr.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 11.2.obi23456.scr.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 10.2.obi23456.scr.34971f0.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.obi23456.scr.34971f0.5.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.obi23456.scr.34971f0.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.obi23456.scr.34971f0.5.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 10.2.obi23456.scr.3407b70.6.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 10.2.obi23456.scr.310000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 10.2.obi23456.scr.2409714.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 10.2.obi23456.scr.2406ed4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 10.2.obi23456.scr.34b7a20.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.obi23456.scr.34b7a20.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.obi23456.scr.34b7a20.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.obi23456.scr.34b7a20.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 10.2.obi23456.scr.34971f0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.obi23456.scr.34971f0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.obi23456.scr.34971f0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.obi23456.scr.34971f0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 10.2.obi23456.scr.3407b70.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.obi23456.scr.3407b70.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.obi23456.scr.3407b70.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 10.2.obi23456.scr.3407b70.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0000000B.00000002.937442781.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000B.00000002.937442781.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0000000A.00000002.414496758.0000000000310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0000000A.00000002.417577947.00000000033B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000A.00000002.417577947.00000000033B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: obi23456.scr PID: 3500, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: obi23456.scr PID: 3500, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: obi23456.scr PID: 3532, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: obi23456.scr PID: 3532, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\obb[1].doc, type: DROPPED	Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\56784164.doc, type: DROPPED	Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen

Microsoft Office drops suspicious files

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\obb.doc.url			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\riell.top.url			Jump to behavior

Office equation editor drops PE file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\obi23456.scr			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\obb[1].scr			Jump to dropped file

Abnormal high CPU Usage

Source: C:\Users\user\AppData\Roaming\obi23456.scr

Process Stats: CPU usage > 49%

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Memory allocated: 770B0000 page execute and read and write	Jump to behavior

Detected potential crypto function

Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 10_2_0018425F	10_2_0018425F
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_00503065	11_2_00503065
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_00505038	11_2_00505038
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_005078C1	11_2_005078C1
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_00503891	11_2_00503891
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_00502910	11_2_00502910
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_00504130	11_2_00504130
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_0050D1D8	11_2_0050D1D8
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_00503B73	11_2_00503B73
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_00505B18	11_2_00505B18
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_00502BF3	11_2_00502BF3
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_0050844D	11_2_0050844D
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_00508D78	11_2_00508D78
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_005035B0	11_2_005035B0
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_00503E50	11_2_00503E50
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_0050C750	11_2_0050C750
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_00506740	11_2_00506740
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_00507000	11_2_00507000
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_00505028	11_2_00505028
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_00506BA0	11_2_00506BA0
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_00507460	11_2_00507460
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_0050C740	11_2_0050C740
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_0050BFC8	11_2_0050BFC8
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_0050BFBC	11_2_0050BFBC
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAE178	11_2_01EAE178
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAD4E0	11_2_01EAD4E0
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA6CC8	11_2_01EA6CC8
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAF460	11_2_01EAF460
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAE7C0	11_2_01EAE7C0
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EADB30	11_2_01EADB30
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA5E58	11_2_01EA5E58
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAEE10	11_2_01EAEE10
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA25E0	11_2_01EA25E0
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAA5E1	11_2_01EAA5E1
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAA5F0	11_2_01EAA5F0
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA59F4	11_2_01EA59F4
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA25D1	11_2_01EA25D1
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA55A8	11_2_01EA55A8
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA55A5	11_2_01EA55A5
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA2188	11_2_01EA2188
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAA188	11_2_01EAA188
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAA198	11_2_01EAA198
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAA190	11_2_01EAA190
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAE168	11_2_01EAE168
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAE16C	11_2_01EAE16C
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA2178	11_2_01EA2178
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA9D40	11_2_01EA9D40
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA5140	11_2_01EA5140
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA5150	11_2_01EA5150
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA1D20	11_2_01EA1D20
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA1D30	11_2_01EA1D30
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA9D31	11_2_01EA9D31
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA98E8	11_2_01EA98E8
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA4CF8	11_2_01EA4CF8
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA4CF0	11_2_01EA4CF0
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAC8C8	11_2_01EAC8C8
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA18C9	11_2_01EA18C9
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAD4CF	11_2_01EAD4CF
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAC8CC	11_2_01EAC8CC
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA18D8	11_2_01EA18D8
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAC8D8	11_2_01EAC8D8
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA98D8	11_2_01EA98D8
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAD4D8	11_2_01EAD4D8
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAC8D0	11_2_01EAC8D0
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA48A0	11_2_01EA48A0
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA6CBC	11_2_01EA6CBC
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA1480	11_2_01EA1480
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAC480	11_2_01EAC480
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA4890	11_2_01EA4890
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA9468	11_2_01EA9468
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAC47C	11_2_01EAC47C
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAC470	11_2_01EAC470
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA1471	11_2_01EA1471
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA4448	11_2_01EA4448
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA9459	11_2_01EA9459
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA945C	11_2_01EA945C
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAF45C	11_2_01EAF45C
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAF451	11_2_01EAF451
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAF454	11_2_01EAF454
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA1028	11_2_01EA1028
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAC028	11_2_01EAC028
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA443C	11_2_01EA443C
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA1018	11_2_01EA1018
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAC019	11_2_01EAC019
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAC01C	11_2_01EAC01C
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA3FED	11_2_01EA3FED
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA3FF0	11_2_01EA3FF0
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EABBC1	11_2_01EABBC1
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA0BC4	11_2_01EA0BC4
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA0BD0	11_2_01EA0BD0
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EABBD0	11_2_01EABBD0
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAE7BC	11_2_01EAE7BC
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAE7B0	11_2_01EAE7B0
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA3B88	11_2_01EA3B88
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA3B98	11_2_01EA3B98
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA0768	11_2_01EA0768
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAB767	11_2_01EAB767
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA0778	11_2_01EA0778
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAB778	11_2_01EAB778
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAB774	11_2_01EAB774
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA3740	11_2_01EA3740
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA0320	11_2_01EA0320
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAB320	11_2_01EAB320
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EADB21	11_2_01EADB21
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EADB24	11_2_01EADB24
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA3738	11_2_01EA3738
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA8708	11_2_01EA8708
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAB318	11_2_01EAB318
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAB31C	11_2_01EAB31C
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA0310	11_2_01EA0310
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAB311	11_2_01EAB311
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA32E8	11_2_01EA32E8
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA32D9	11_2_01EA32D9
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAAEA0	11_2_01EAAEA0
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA7688	11_2_01EA7688
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA2E81	11_2_01EA2E81
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA7698	11_2_01EA7698
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA2E90	11_2_01EA2E90
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAAE90	11_2_01EAAE90
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAAA48	11_2_01EAAA48
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAAA40	11_2_01EAAA40
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA2A28	11_2_01EA2A28
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA2A38	11_2_01EA2A38
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAAA38	11_2_01EAAA38
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAAA3C	11_2_01EAAA3C
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAEE08	11_2_01EAEE08
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAEE0C	11_2_01EAEE0C
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA5A00	11_2_01EA5A00
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAEE00	11_2_01EAEE00
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA7A10	11_2_01EA7A10
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01F90CD8	11_2_01F90CD8
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01F90690	11_2_01F90690
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01F90040	11_2_01F90040
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01F90CC8	11_2_01F90CC8
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01F90CCC	11_2_01F90CCC
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01F90680	11_2_01F90680
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01F90038	11_2_01F90038
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01F90006	11_2_01F90006

Document misses a certain OLE stream usually present in this Microsoft Office document type

Source: ~WRF{56E3829F-B9EE-407D-9BA0-759B5D6DE9EF}.tmp.0.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Yara signature match

Source: 10.2.obi23456.scr.310000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 10.2.obi23456.scr.34b7a20.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.obi23456.scr.34b7a20.7.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.obi23456.scr.34b7a20.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.obi23456.scr.34b7a20.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 11.2.obi23456.scr.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 11.2.obi23456.scr.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.obi23456.scr.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 11.2.obi23456.scr.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 10.2.obi23456.scr.34971f0.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.obi23456.scr.34971f0.5.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.obi23456.scr.34971f0.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.obi23456.scr.34971f0.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 10.2.obi23456.scr.3407b70.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 10.2.obi23456.scr.310000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 10.2.obi23456.scr.2409714.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 10.2.obi23456.scr.2406ed4.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 10.2.obi23456.scr.34b7a20.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.obi23456.scr.34b7a20.7.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.obi23456.scr.34b7a20.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.obi23456.scr.34b7a20.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 10.2.obi23456.scr.34971f0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.obi23456.scr.34971f0.5.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.obi23456.scr.34971f0.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.obi23456.scr.34971f0.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 10.2.obi23456.scr.3407b70.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.obi23456.scr.3407b70.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.obi23456.scr.3407b70.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 10.2.obi23456.scr.3407b70.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0000000B.00000002.937442781.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000B.00000002.937442781.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0000000A.00000002.414496758.0000000000310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0000000A.00000002.417577947.00000000033B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000A.00000002.417577947.00000000033B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: obi23456.scr PID: 3500, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: obi23456.scr PID: 3500, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: obi23456.scr PID: 3532, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: obi23456.scr PID: 3532, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\obb[1].doc, type: DROPPED	Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\56784164.doc, type: DROPPED	Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.

Source: 10.2.obi23456.scr.34b7a20.7.raw.unpack, zi--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 10.2.obi23456.scr.34b7a20.7.raw.unpack, zi--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 10.2.obi23456.scr.34b7a20.7.raw.unpack, ----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 10.2.obi23456.scr.34b7a20.7.raw.unpack, ----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 10.2.obi23456.scr.3407b70.6.raw.unpack, DarkListView.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 10.2.obi23456.scr.310000.0.raw.unpack, DarkListView.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 10.2.obi23456.scr.34971f0.5.raw.unpack, zi--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 10.2.obi23456.scr.34971f0.5.raw.unpack, zi--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 10.2.obi23456.scr.34971f0.5.raw.unpack, ----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 10.2.obi23456.scr.34971f0.5.raw.unpack, ----.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 10.2.obi23456.scr.3407b70.6.raw.unpack, DarkComboBox.cs	Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'
Source: 10.2.obi23456.scr.310000.0.raw.unpack, DarkComboBox.cs	Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winDOC@6/19@36/7

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$ER DUE INVOICE PAYMENT.docx.doc

Jump to behavior

Source: C:\Users\user\AppData\Roaming\obi23456.scr

Mutant created: NULL

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRB06A.tmp

Jump to behavior

Source: OVER DUE INVOICE PAYMENT.docx.doc

OLE indicator, Word Document stream: true

Source: ~WRF{56E3829F-B9EE-407D-9BA0-759B5D6DE9EF}.tmp.0.dr	OLE document summary: title field not present or empty
Source: ~WRF{56E3829F-B9EE-407D-9BA0-759B5D6DE9EF}.tmp.0.dr	OLE document summary: author field not present or empty
Source: ~WRF{56E3829F-B9EE-407D-9BA0-759B5D6DE9EF}.tmp.0.dr	OLE document summary: edited time not present or 0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: OVER DUE INVOICE PAYMENT.docx.doc

ReversingLabs: Detection: 34%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\obi23456.scr "C:\Users\user\AppData\Roaming\obi23456.scr"
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process created: C:\Users\user\AppData\Roaming\obi23456.scr "C:\Users\user\AppData\Roaming\obi23456.scr"
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\obi23456.scr "C:\Users\user\AppData\Roaming\obi23456.scr"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process created: C:\Users\user\AppData\Roaming\obi23456.scr "C:\Users\user\AppData\Roaming\obi23456.scr"	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: msi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: webio.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: credssp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Section loaded: credssp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Section loaded: gpapi.dll	Jump to behavior

Source: OVER DUE INVOICE PAYMENT.docx.LNK.0.dr

LNK file: ..\..\..\..\..\Desktop\OVER DUE INVOICE PAYMENT.docx.doc

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Roaming\obi23456.scr

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: OVER DUE INVOICE PAYMENT.docx.doc

Initial sample: OLE zip file path = word/_rels/settings.xml.rels

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:

Source: OVER DUE INVOICE PAYMENT.docx.doc

Initial sample: OLE indicators vbamacros = False

Data Obfuscation

.NET source code contains potential unpacker

Source: obb[1].scr.9.dr, ----.cs	.Net Code: CreateProvider
Source: obi23456.scr.9.dr, ----.cs	.Net Code: CreateProvider

Binary contains a suspicious time stamp

Source: obb[1].scr.9.dr

Static PE information: 0x922C3AB8 [Tue Sep 17 22:29:12 2047 UTC]

Uses code obfuscation techniques (call, push, ret)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 9_2_00915DDA push esi; ret	9_2_00915DDB
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 9_2_009001F4 push eax; retf	9_2_009001F5
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 9_2_00915DE2 push esi; ret	9_2_00915DE3
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 9_2_00915DEA push esi; ret	9_2_00915DEB
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 9_2_00908F4B push 50000503h; retf	9_2_00908F61
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 9_2_00917162 push esi; ret	9_2_00917163
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EACE5A push ds; retf	11_2_01EACE5C

Source: obb[1].scr.9.dr	Static PE information: section name: .text entropy: 7.37475269907409
Source: obi23456.scr.9.dr	Static PE information: section name: .text entropy: 7.37475269907409

Persistence and Installation Behavior

Microsoft Office launches external ms-search protocol handler (WebDAV)

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \Device\RdpDr\;:1\riell.top@SSL\DavWWWRoot			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \Device\RdpDr\;:1\riell.top@SSL\DavWWWRoot			Jump to behavior

Contains an external reference to another file

Source: settings.xml.rels

Extracted files from sample: https://riell.top/obb.doc

Drops PE files with a suspicious file extension

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\obi23456.scr			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\obb[1].scr			Jump to dropped file

Office drops RTF file

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File dump: obb[1].doc.0.dr			Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File dump: 56784164.doc.0.dr			Jump to dropped file

Office viewer loads remote template

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Section loaded: netapi32.dll and davhlpr.dll loaded

Jump to behavior

Drops PE files

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\obi23456.scr			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\obb[1].scr			Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\AppData\Roaming\obi23456.scr	Memory allocated: 180000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Memory allocated: 23B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Memory allocated: 210000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Memory allocated: 500000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Memory allocated: 2280000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Memory allocated: 750000 memory reserve \| memory write watch	Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Users\user\AppData\Roaming\obi23456.scr	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Thread delayed: delay time: 600000	Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\AppData\Roaming\obi23456.scr	Window / User API: threadDelayed 537			Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Window / User API: threadDelayed 9278			Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3456	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr TID: 3520	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr TID: 3636	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr TID: 3716	Thread sleep time: -11068046444225724s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr TID: 3716	Thread sleep time: -6000000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr TID: 3744	Thread sleep count: 537 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr TID: 3744	Thread sleep count: 9278 > 30	Jump to behavior

Source: C:\Users\user\AppData\Roaming\obi23456.scr	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Thread delayed: delay time: 600000	Jump to behavior

Source: C:\Users\user\AppData\Roaming\obi23456.scr

Process information queried: ProcessInformation

Jump to behavior

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Users\user\AppData\Roaming\obi23456.scr

Code function: 11_2_0050FCB8 LdrInitializeThunk,

11_2_0050FCB8

Enables debug privileges

Source: C:\Users\user\AppData\Roaming\obi23456.scr

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\AppData\Roaming\obi23456.scr

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 10.2.obi23456.scr.550000.1.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 10.2.obi23456.scr.550000.1.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 10.2.obi23456.scr.550000.1.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs	Reference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num3 + 8, ref buffer, 4, ref bytesRead)

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Roaming\obi23456.scr

Memory written: C:\Users\user\AppData\Roaming\obi23456.scr base: 400000 value starts with: 4D5A

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\obi23456.scr "C:\Users\user\AppData\Roaming\obi23456.scr"			Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process created: C:\Users\user\AppData\Roaming\obi23456.scr "C:\Users\user\AppData\Roaming\obi23456.scr"			Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\AppData\Roaming\obi23456.scr	Queries volume information: C:\Users\user\AppData\Roaming\obi23456.scr VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Queries volume information: C:\Users\user\AppData\Roaming\obi23456.scr VolumeInformation			Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 10.2.obi23456.scr.34b7a20.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.obi23456.scr.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.obi23456.scr.34971f0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.obi23456.scr.34b7a20.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.obi23456.scr.34971f0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.obi23456.scr.3407b70.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.937442781.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.937566804.0000000002431000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.937566804.0000000002281000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.417577947.00000000033B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: obi23456.scr PID: 3500, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: obi23456.scr PID: 3532, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\obi23456.scr

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Roaming\obi23456.scr

File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\

Jump to behavior

Yara detected Credential Stealer

Source: Yara match	File source: 10.2.obi23456.scr.34b7a20.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.obi23456.scr.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.obi23456.scr.34971f0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.obi23456.scr.34b7a20.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.obi23456.scr.34971f0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.obi23456.scr.3407b70.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.937442781.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.417577947.00000000033B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: obi23456.scr PID: 3500, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: obi23456.scr PID: 3532, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 10.2.obi23456.scr.34b7a20.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.obi23456.scr.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.obi23456.scr.34971f0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.obi23456.scr.34b7a20.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.obi23456.scr.34971f0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.obi23456.scr.3407b70.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.937442781.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.937566804.0000000002431000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.937566804.0000000002281000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.417577947.00000000033B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: obi23456.scr PID: 3500, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: obi23456.scr PID: 3532, type: MEMORYSTR

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
132.226.8.169	unknown	United States	16989	UTMEMUS	false
188.114.97.3	riell.top	European Union	13335	CLOUDFLARENETUS	true
193.122.6.168	unknown	United States	31898	ORACLE-BMC-31898US	false
188.114.96.3	reallyfreegeoip.org	European Union	13335	CLOUDFLARENETUS	true
193.122.130.0	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false
158.101.44.242	unknown	United States	31898	ORACLE-BMC-31898US	false
132.226.247.73	unknown	United States	16989	UTMEMUS	false

Contacted Domains

Name	IP	Active
reallyfreegeoip.org	188.114.96.3	true
riell.top	188.114.97.3	true
checkip.dyndns.com	193.122.130.0	true
checkip.dyndns.org	unknown	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://riell.top/obb.scr	true	Avira URL Cloud: malware	unknown
https://reallyfreegeoip.org/xml/8.46.123.33	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown
https://riell.top/obb.doc	true	Avira URL Cloud: safe	unknown

AV Detection

Antivirus detection for URL or domain

Source: https://riell.top/obb.scr

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{56E3829F-B9EE-407D-9BA0-759B5D6DE9EF}.tmp

Avira: detection malicious, Label: EXP/CVE-2018-0798.Gen

Found malware configuration

Source: 0000000B.00000002.937566804.0000000002281000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "reservation@artefes.com", "Password": "ArtEfes4765*+", "Host": "mail.artefes.com", "Port": "587"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\obb[1].scr	ReversingLabs: Detection: 58%
Source: C:\Users\user\AppData\Roaming\obi23456.scr	ReversingLabs: Detection: 58%

Multi AV Scanner detection for submitted file

Source: OVER DUE INVOICE PAYMENT.docx.doc

ReversingLabs: Detection: 34%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\obi23456.scr	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\obb[1].scr	Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Exploits

Office equation editor establishes network connection

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Network connect: IP: 188.114.97.3 Port: 443

Jump to behavior

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\obi23456.scr
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\obi23456.scr			Jump to behavior

Document contains Microsoft Equation 3.0 OLE entries

Source: ~WRF{56E3829F-B9EE-407D-9BA0-759B5D6DE9EF}.tmp.0.dr

Stream path '_1781612666/\x1CompObj' : ...................F....Microsoft Equation 3.0....

Office Equation Editor has been started

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49162 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49163 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49163 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49164 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49165 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49170 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49171 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49173 version: TLS 1.0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49161 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49168 version: TLS 1.2

Source:

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	11_2_00505038
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 00507B81h	11_2_005078C1
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 00505D07h	11_2_00505B18
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 00506691h	11_2_00505B18
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 00508143h	11_2_00507D30
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 00506A01h	11_2_00506740
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	11_2_0050584B
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 00508143h	11_2_00508072
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 005072C1h	11_2_00507000
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 00506E61h	11_2_00506BA0
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 00507721h	11_2_00507460
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 00508143h	11_2_00507D20
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	11_2_0050566A
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 01EA2889h	11_2_01EA25E0
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 01EAA899h	11_2_01EAA5F0
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 01EA5851h	11_2_01EA55A8
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	11_2_01EA79AE
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 01EA2431h	11_2_01EA2188
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 01EAA441h	11_2_01EAA198
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 01EA9FE9h	11_2_01EA9D40
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 01EA53F9h	11_2_01EA5150
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 01EA1FD9h	11_2_01EA1D30
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 01EA9B91h	11_2_01EA98E8
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 01EA4FA1h	11_2_01EA4CF8
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 01EA1B81h	11_2_01EA18D8
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 01EACC15h	11_2_01EAC8D8
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 01EA4B49h	11_2_01EA48A0
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 01EA1729h	11_2_01EA1480
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 01EAC729h	11_2_01EAC480
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 01EA9711h	11_2_01EA9468
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 01EA46F1h	11_2_01EA4448
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 01EA12D1h	11_2_01EA1028
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 01EAC2D1h	11_2_01EAC028
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 01EA4299h	11_2_01EA3FF0
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 01EA0E79h	11_2_01EA0BD0
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 01EABE79h	11_2_01EABBD0
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 01EA3E41h	11_2_01EA3B98
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 01EA0A21h	11_2_01EA0778
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 01EABA21h	11_2_01EAB778
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 01EA39E9h	11_2_01EA3740
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 01EA05C9h	11_2_01EA0320
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 01EAB5CAh	11_2_01EAB320
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 01EA3591h	11_2_01EA32E8
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 01EAB149h	11_2_01EAAEA0
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	11_2_01EA7688
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	11_2_01EA7698
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 01EA3139h	11_2_01EA2E90
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 01EAACF1h	11_2_01EAAA48
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 01EA2CE1h	11_2_01EA2A38
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 4x nop then jmp 01EA5CA9h	11_2_01EA5A00

Potential document exploit detected (performs DNS queries)

Source: global traffic	DNS query: name: riell.top
Source: global traffic	DNS query: name: riell.top
Source: global traffic	DNS query: name: riell.top
Source: global traffic	DNS query: name: riell.top
Source: global traffic	DNS query: name: riell.top
Source: global traffic	DNS query: name: riell.top
Source: global traffic	DNS query: name: riell.top
Source: global traffic	DNS query: name: riell.top
Source: global traffic	DNS query: name: riell.top
Source: global traffic	DNS query: name: riell.top
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: riell.top
Source: global traffic	DNS query: name: riell.top
Source: global traffic	DNS query: name: reallyfreegeoip.org
Source: global traffic	DNS query: name: riell.top
Source: global traffic	DNS query: name: riell.top
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: reallyfreegeoip.org
Source: global traffic	DNS query: name: reallyfreegeoip.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: reallyfreegeoip.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: reallyfreegeoip.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: reallyfreegeoip.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: reallyfreegeoip.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: reallyfreegeoip.org

Potential document exploit detected (performs HTTP gets)

Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 193.122.130.0:80
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 193.122.130.0:80
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 193.122.130.0:80
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 193.122.6.168:80
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 158.101.44.242:80
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 158.101.44.242:80
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 132.226.247.73:80
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 132.226.8.169:80
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 158.101.44.242:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 188.114.97.3:443

Potential document exploit detected (unknown TCP traffic)

Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 11.2.obi23456.scr.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.obi23456.scr.34b7a20.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.obi23456.scr.34971f0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.obi23456.scr.3407b70.6.raw.unpack, type: UNPACKEDPE

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View	JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

May check the online IP address of the machine

Source: C:\Users\user\AppData\Roaming\obi23456.scr	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obi23456.scr	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obi23456.scr	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obi23456.scr	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obi23456.scr	DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\AppData\Roaming\obi23456.scr	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obi23456.scr	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obi23456.scr	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obi23456.scr	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obi23456.scr	DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\AppData\Roaming\obi23456.scr	DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\AppData\Roaming\obi23456.scr	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obi23456.scr	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obi23456.scr	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obi23456.scr	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obi23456.scr	DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\AppData\Roaming\obi23456.scr	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obi23456.scr	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obi23456.scr	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obi23456.scr	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obi23456.scr	DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\AppData\Roaming\obi23456.scr	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obi23456.scr	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obi23456.scr	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obi23456.scr	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obi23456.scr	DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\AppData\Roaming\obi23456.scr	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obi23456.scr	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obi23456.scr	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obi23456.scr	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obi23456.scr	DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\AppData\Roaming\obi23456.scr	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obi23456.scr	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obi23456.scr	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obi23456.scr	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obi23456.scr	DNS query: name: reallyfreegeoip.org

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /obb.doc HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: riell.topConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /obb.scr HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: riell.topConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49162 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49163 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49163 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49164 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49165 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49170 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49171 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49173 version: TLS 1.0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E99E1800-284E-46BB-8918-39BEC0D2E5EE}.tmp

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /obb.doc HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: riell.topConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /obb.scr HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: riell.topConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: global traffic	DNS traffic detected: DNS query: riell.top
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: obi23456.scr, 0000000B.00000002.937566804.0000000002327000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937566804.00000000023DA000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937566804.0000000002415000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937566804.00000000023BB000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937566804.00000000023C8000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937566804.0000000002423000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: obi23456.scr, 0000000B.00000002.937566804.0000000002327000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937566804.00000000023DA000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937566804.000000000236A000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937566804.0000000002415000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937566804.00000000023BB000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937566804.00000000023C8000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937566804.0000000002423000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937566804.000000000231B000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937566804.00000000023F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: obi23456.scr, 0000000B.00000002.937566804.0000000002281000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937364961.0000000000364000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: obi23456.scr, 0000000A.00000002.417577947.00000000033B9000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937442781.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: EQNEDT32.EXE, 00000009.00000003.412444845.000000000097E000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.412653701.000000000097E000.00000004.00000020.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937905097.0000000005444000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: EQNEDT32.EXE, 00000009.00000003.412444845.000000000097E000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.412653701.000000000097E000.00000004.00000020.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937364961.0000000000364000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: EQNEDT32.EXE, 00000009.00000003.412444845.000000000097E000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.412653701.000000000097E000.00000004.00000020.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937364961.0000000000364000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: EQNEDT32.EXE, 00000009.00000003.412444845.000000000097E000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.412653701.000000000097E000.00000004.00000020.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937364961.0000000000364000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: EQNEDT32.EXE, 00000009.00000003.412444845.000000000097E000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.412653701.000000000097E000.00000004.00000020.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937905097.0000000005444000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: EQNEDT32.EXE, 00000009.00000003.412444845.000000000097E000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.412653701.000000000097E000.00000004.00000020.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937364961.0000000000364000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: EQNEDT32.EXE, 00000009.00000003.412444845.000000000097E000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.412653701.000000000097E000.00000004.00000020.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937364961.0000000000364000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: EQNEDT32.EXE, 00000009.00000003.412444845.000000000097E000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.412653701.000000000097E000.00000004.00000020.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937364961.0000000000364000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: EQNEDT32.EXE, 00000009.00000003.412444845.000000000097E000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.412653701.000000000097E000.00000004.00000020.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937364961.0000000000364000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: EQNEDT32.EXE, 00000009.00000003.412444845.000000000097E000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.412653701.000000000097E000.00000004.00000020.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937364961.0000000000364000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: EQNEDT32.EXE, 00000009.00000003.412444845.000000000097E000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.412653701.000000000097E000.00000004.00000020.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937364961.0000000000364000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: EQNEDT32.EXE, 00000009.00000003.412444845.000000000097E000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.412653701.000000000097E000.00000004.00000020.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937364961.0000000000364000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: EQNEDT32.EXE, 00000009.00000003.412444845.000000000097E000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.412653701.000000000097E000.00000004.00000020.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937364961.0000000000364000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: EQNEDT32.EXE, 00000009.00000003.412444845.000000000097E000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.412653701.000000000097E000.00000004.00000020.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937364961.0000000000364000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: obi23456.scr, 0000000B.00000002.937566804.0000000002340000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937566804.00000000023DA000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937566804.00000000023D2000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937566804.0000000002415000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937566804.00000000023BB000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937566804.0000000002423000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: obi23456.scr, 0000000B.00000002.937566804.0000000002281000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: EQNEDT32.EXE, 00000009.00000003.412444845.000000000097E000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.412653701.000000000097E000.00000004.00000020.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937364961.0000000000364000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: EQNEDT32.EXE, 00000009.00000003.412444845.000000000097E000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.412653701.000000000097E000.00000004.00000020.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937364961.0000000000364000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: obi23456.scr, 0000000B.00000002.937566804.0000000002327000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937566804.00000000023DA000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937566804.000000000236A000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937566804.00000000023D2000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937566804.0000000002415000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937566804.00000000023BB000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937566804.0000000002423000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: obi23456.scr, 0000000A.00000002.417577947.00000000033B9000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937566804.0000000002327000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937442781.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: obi23456.scr, 0000000B.00000002.937566804.0000000002423000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: obi23456.scr, 0000000B.00000002.937566804.00000000023DA000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937566804.000000000236A000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937566804.00000000023D2000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937566804.0000000002415000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937566804.00000000023BB000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937566804.0000000002423000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.334
Source: EQNEDT32.EXE, 00000009.00000003.412467105.0000000000952000.00000004.00000020.00020000.00000000.sdmp, riell.top.url.0.dr	String found in binary or memory: https://riell.top/
Source: obb.doc.url.0.dr	String found in binary or memory: https://riell.top/obb.doc
Source: EQNEDT32.EXE, EQNEDT32.EXE, 00000009.00000002.412653701.00000000008FF000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.413385688.0000000004180000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://riell.top/obb.scr
Source: EQNEDT32.EXE, 00000009.00000002.413385688.0000000004180000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://riell.top/obb.scrMC:
Source: EQNEDT32.EXE, 00000009.00000003.412444845.000000000097E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://riell.top/obb.scrgn
Source: EQNEDT32.EXE, 00000009.00000002.412653701.00000000008FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://riell.top/obb.scrhhC:
Source: EQNEDT32.EXE, 00000009.00000002.412653701.00000000008FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://riell.top/obb.scrj
Source: EQNEDT32.EXE, 00000009.00000003.412444845.000000000097E000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.412653701.000000000097E000.00000004.00000020.00020000.00000000.sdmp, obi23456.scr, 0000000B.00000002.937364961.0000000000364000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 49185 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown	Network traffic detected: HTTP traffic on port 49162 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown	Network traffic detected: HTTP traffic on port 49164 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown	Network traffic detected: HTTP traffic on port 49183 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown	Network traffic detected: HTTP traffic on port 49181 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49164
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49163
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49185
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49162
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49161
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49183
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49181
Source: unknown	Network traffic detected: HTTP traffic on port 49172 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49166 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49161 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49163 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49179
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49177
Source: unknown	Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49175
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49173
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49172
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown	Network traffic detected: HTTP traffic on port 49175 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49171 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49173 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49177 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49179 -> 443

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49161 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49168 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 10.2.obi23456.scr.310000.0.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 10.2.obi23456.scr.34b7a20.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.obi23456.scr.34b7a20.7.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.obi23456.scr.34b7a20.7.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.obi23456.scr.34b7a20.7.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 11.2.obi23456.scr.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 11.2.obi23456.scr.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 11.2.obi23456.scr.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 11.2.obi23456.scr.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 10.2.obi23456.scr.34971f0.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.obi23456.scr.34971f0.5.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.obi23456.scr.34971f0.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.obi23456.scr.34971f0.5.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 10.2.obi23456.scr.3407b70.6.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 10.2.obi23456.scr.310000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 10.2.obi23456.scr.2409714.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 10.2.obi23456.scr.2406ed4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 10.2.obi23456.scr.34b7a20.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.obi23456.scr.34b7a20.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.obi23456.scr.34b7a20.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.obi23456.scr.34b7a20.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 10.2.obi23456.scr.34971f0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.obi23456.scr.34971f0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.obi23456.scr.34971f0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.obi23456.scr.34971f0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 10.2.obi23456.scr.3407b70.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.obi23456.scr.3407b70.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.obi23456.scr.3407b70.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 10.2.obi23456.scr.3407b70.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0000000B.00000002.937442781.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000B.00000002.937442781.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0000000A.00000002.414496758.0000000000310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0000000A.00000002.417577947.00000000033B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000A.00000002.417577947.00000000033B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: obi23456.scr PID: 3500, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: obi23456.scr PID: 3500, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: obi23456.scr PID: 3532, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: obi23456.scr PID: 3532, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\obb[1].doc, type: DROPPED	Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\56784164.doc, type: DROPPED	Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen

Microsoft Office drops suspicious files

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\obb.doc.url			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\riell.top.url			Jump to behavior

Office equation editor drops PE file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\obi23456.scr			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\obb[1].scr			Jump to dropped file

Abnormal high CPU Usage

Source: C:\Users\user\AppData\Roaming\obi23456.scr

Process Stats: CPU usage > 49%

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Memory allocated: 770B0000 page execute and read and write	Jump to behavior

Detected potential crypto function

Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 10_2_0018425F	10_2_0018425F
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_00503065	11_2_00503065
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_00505038	11_2_00505038
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_005078C1	11_2_005078C1
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_00503891	11_2_00503891
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_00502910	11_2_00502910
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_00504130	11_2_00504130
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_0050D1D8	11_2_0050D1D8
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_00503B73	11_2_00503B73
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_00505B18	11_2_00505B18
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_00502BF3	11_2_00502BF3
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_0050844D	11_2_0050844D
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_00508D78	11_2_00508D78
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_005035B0	11_2_005035B0
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_00503E50	11_2_00503E50
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_0050C750	11_2_0050C750
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_00506740	11_2_00506740
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_00507000	11_2_00507000
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_00505028	11_2_00505028
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_00506BA0	11_2_00506BA0
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_00507460	11_2_00507460
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_0050C740	11_2_0050C740
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_0050BFC8	11_2_0050BFC8
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_0050BFBC	11_2_0050BFBC
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAE178	11_2_01EAE178
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAD4E0	11_2_01EAD4E0
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA6CC8	11_2_01EA6CC8
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAF460	11_2_01EAF460
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAE7C0	11_2_01EAE7C0
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EADB30	11_2_01EADB30
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA5E58	11_2_01EA5E58
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAEE10	11_2_01EAEE10
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA25E0	11_2_01EA25E0
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAA5E1	11_2_01EAA5E1
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAA5F0	11_2_01EAA5F0
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA59F4	11_2_01EA59F4
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA25D1	11_2_01EA25D1
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA55A8	11_2_01EA55A8
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA55A5	11_2_01EA55A5
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA2188	11_2_01EA2188
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAA188	11_2_01EAA188
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAA198	11_2_01EAA198
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAA190	11_2_01EAA190
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAE168	11_2_01EAE168
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAE16C	11_2_01EAE16C
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA2178	11_2_01EA2178
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA9D40	11_2_01EA9D40
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA5140	11_2_01EA5140
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA5150	11_2_01EA5150
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA1D20	11_2_01EA1D20
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA1D30	11_2_01EA1D30
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA9D31	11_2_01EA9D31
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA98E8	11_2_01EA98E8
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA4CF8	11_2_01EA4CF8
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA4CF0	11_2_01EA4CF0
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAC8C8	11_2_01EAC8C8
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA18C9	11_2_01EA18C9
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAD4CF	11_2_01EAD4CF
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAC8CC	11_2_01EAC8CC
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA18D8	11_2_01EA18D8
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAC8D8	11_2_01EAC8D8
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA98D8	11_2_01EA98D8
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAD4D8	11_2_01EAD4D8
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAC8D0	11_2_01EAC8D0
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA48A0	11_2_01EA48A0
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA6CBC	11_2_01EA6CBC
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA1480	11_2_01EA1480
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAC480	11_2_01EAC480
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA4890	11_2_01EA4890
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA9468	11_2_01EA9468
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAC47C	11_2_01EAC47C
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAC470	11_2_01EAC470
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA1471	11_2_01EA1471
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA4448	11_2_01EA4448
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA9459	11_2_01EA9459
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA945C	11_2_01EA945C
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAF45C	11_2_01EAF45C
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAF451	11_2_01EAF451
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAF454	11_2_01EAF454
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA1028	11_2_01EA1028
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAC028	11_2_01EAC028
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA443C	11_2_01EA443C
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA1018	11_2_01EA1018
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAC019	11_2_01EAC019
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAC01C	11_2_01EAC01C
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA3FED	11_2_01EA3FED
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA3FF0	11_2_01EA3FF0
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EABBC1	11_2_01EABBC1
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA0BC4	11_2_01EA0BC4
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA0BD0	11_2_01EA0BD0
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EABBD0	11_2_01EABBD0
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAE7BC	11_2_01EAE7BC
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAE7B0	11_2_01EAE7B0
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA3B88	11_2_01EA3B88
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA3B98	11_2_01EA3B98
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA0768	11_2_01EA0768
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAB767	11_2_01EAB767
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA0778	11_2_01EA0778
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAB778	11_2_01EAB778
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAB774	11_2_01EAB774
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA3740	11_2_01EA3740
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA0320	11_2_01EA0320
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAB320	11_2_01EAB320
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EADB21	11_2_01EADB21
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EADB24	11_2_01EADB24
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA3738	11_2_01EA3738
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA8708	11_2_01EA8708
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAB318	11_2_01EAB318
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAB31C	11_2_01EAB31C
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA0310	11_2_01EA0310
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAB311	11_2_01EAB311
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA32E8	11_2_01EA32E8
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA32D9	11_2_01EA32D9
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAAEA0	11_2_01EAAEA0
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA7688	11_2_01EA7688
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA2E81	11_2_01EA2E81
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA7698	11_2_01EA7698
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA2E90	11_2_01EA2E90
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAAE90	11_2_01EAAE90
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAAA48	11_2_01EAAA48
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAAA40	11_2_01EAAA40
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA2A28	11_2_01EA2A28
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA2A38	11_2_01EA2A38
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAAA38	11_2_01EAAA38
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAAA3C	11_2_01EAAA3C
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAEE08	11_2_01EAEE08
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAEE0C	11_2_01EAEE0C
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA5A00	11_2_01EA5A00
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EAEE00	11_2_01EAEE00
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EA7A10	11_2_01EA7A10
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01F90CD8	11_2_01F90CD8
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01F90690	11_2_01F90690
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01F90040	11_2_01F90040
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01F90CC8	11_2_01F90CC8
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01F90CCC	11_2_01F90CCC
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01F90680	11_2_01F90680
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01F90038	11_2_01F90038
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01F90006	11_2_01F90006

Document misses a certain OLE stream usually present in this Microsoft Office document type

Source: ~WRF{56E3829F-B9EE-407D-9BA0-759B5D6DE9EF}.tmp.0.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Yara signature match

Source: 10.2.obi23456.scr.310000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 10.2.obi23456.scr.34b7a20.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.obi23456.scr.34b7a20.7.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.obi23456.scr.34b7a20.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.obi23456.scr.34b7a20.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 11.2.obi23456.scr.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 11.2.obi23456.scr.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.obi23456.scr.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 11.2.obi23456.scr.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 10.2.obi23456.scr.34971f0.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.obi23456.scr.34971f0.5.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.obi23456.scr.34971f0.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.obi23456.scr.34971f0.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 10.2.obi23456.scr.3407b70.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 10.2.obi23456.scr.310000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 10.2.obi23456.scr.2409714.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 10.2.obi23456.scr.2406ed4.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 10.2.obi23456.scr.34b7a20.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.obi23456.scr.34b7a20.7.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.obi23456.scr.34b7a20.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.obi23456.scr.34b7a20.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 10.2.obi23456.scr.34971f0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.obi23456.scr.34971f0.5.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.obi23456.scr.34971f0.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.obi23456.scr.34971f0.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 10.2.obi23456.scr.3407b70.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.obi23456.scr.3407b70.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.obi23456.scr.3407b70.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 10.2.obi23456.scr.3407b70.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0000000B.00000002.937442781.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000B.00000002.937442781.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0000000A.00000002.414496758.0000000000310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0000000A.00000002.417577947.00000000033B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000A.00000002.417577947.00000000033B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: obi23456.scr PID: 3500, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: obi23456.scr PID: 3500, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: obi23456.scr PID: 3532, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: obi23456.scr PID: 3532, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\obb[1].doc, type: DROPPED	Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\56784164.doc, type: DROPPED	Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.

Source: 10.2.obi23456.scr.34b7a20.7.raw.unpack, zi--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 10.2.obi23456.scr.34b7a20.7.raw.unpack, zi--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 10.2.obi23456.scr.34b7a20.7.raw.unpack, ----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 10.2.obi23456.scr.34b7a20.7.raw.unpack, ----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 10.2.obi23456.scr.3407b70.6.raw.unpack, DarkListView.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 10.2.obi23456.scr.310000.0.raw.unpack, DarkListView.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 10.2.obi23456.scr.34971f0.5.raw.unpack, zi--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 10.2.obi23456.scr.34971f0.5.raw.unpack, zi--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 10.2.obi23456.scr.34971f0.5.raw.unpack, ----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 10.2.obi23456.scr.34971f0.5.raw.unpack, ----.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 10.2.obi23456.scr.3407b70.6.raw.unpack, DarkComboBox.cs	Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'
Source: 10.2.obi23456.scr.310000.0.raw.unpack, DarkComboBox.cs	Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winDOC@6/19@36/7

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$ER DUE INVOICE PAYMENT.docx.doc

Jump to behavior

Source: C:\Users\user\AppData\Roaming\obi23456.scr

Mutant created: NULL

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRB06A.tmp

Jump to behavior

Source: OVER DUE INVOICE PAYMENT.docx.doc

OLE indicator, Word Document stream: true

Source: ~WRF{56E3829F-B9EE-407D-9BA0-759B5D6DE9EF}.tmp.0.dr	OLE document summary: title field not present or empty
Source: ~WRF{56E3829F-B9EE-407D-9BA0-759B5D6DE9EF}.tmp.0.dr	OLE document summary: author field not present or empty
Source: ~WRF{56E3829F-B9EE-407D-9BA0-759B5D6DE9EF}.tmp.0.dr	OLE document summary: edited time not present or 0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: OVER DUE INVOICE PAYMENT.docx.doc

ReversingLabs: Detection: 34%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\obi23456.scr "C:\Users\user\AppData\Roaming\obi23456.scr"
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process created: C:\Users\user\AppData\Roaming\obi23456.scr "C:\Users\user\AppData\Roaming\obi23456.scr"
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\obi23456.scr "C:\Users\user\AppData\Roaming\obi23456.scr"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process created: C:\Users\user\AppData\Roaming\obi23456.scr "C:\Users\user\AppData\Roaming\obi23456.scr"	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: msi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: webio.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: credssp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Section loaded: credssp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Section loaded: gpapi.dll	Jump to behavior

Source: OVER DUE INVOICE PAYMENT.docx.LNK.0.dr

LNK file: ..\..\..\..\..\Desktop\OVER DUE INVOICE PAYMENT.docx.doc

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Roaming\obi23456.scr

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: OVER DUE INVOICE PAYMENT.docx.doc

Initial sample: OLE zip file path = word/_rels/settings.xml.rels

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:

Source: OVER DUE INVOICE PAYMENT.docx.doc

Initial sample: OLE indicators vbamacros = False

Data Obfuscation

.NET source code contains potential unpacker

Source: obb[1].scr.9.dr, ----.cs	.Net Code: CreateProvider
Source: obi23456.scr.9.dr, ----.cs	.Net Code: CreateProvider

Binary contains a suspicious time stamp

Source: obb[1].scr.9.dr

Static PE information: 0x922C3AB8 [Tue Sep 17 22:29:12 2047 UTC]

Uses code obfuscation techniques (call, push, ret)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 9_2_00915DDA push esi; ret	9_2_00915DDB
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 9_2_009001F4 push eax; retf	9_2_009001F5
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 9_2_00915DE2 push esi; ret	9_2_00915DE3
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 9_2_00915DEA push esi; ret	9_2_00915DEB
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 9_2_00908F4B push 50000503h; retf	9_2_00908F61
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 9_2_00917162 push esi; ret	9_2_00917163
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Code function: 11_2_01EACE5A push ds; retf	11_2_01EACE5C

Source: obb[1].scr.9.dr	Static PE information: section name: .text entropy: 7.37475269907409
Source: obi23456.scr.9.dr	Static PE information: section name: .text entropy: 7.37475269907409

Persistence and Installation Behavior

Microsoft Office launches external ms-search protocol handler (WebDAV)

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \Device\RdpDr\;:1\riell.top@SSL\DavWWWRoot			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \Device\RdpDr\;:1\riell.top@SSL\DavWWWRoot			Jump to behavior

Contains an external reference to another file

Source: settings.xml.rels

Extracted files from sample: https://riell.top/obb.doc

Drops PE files with a suspicious file extension

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\obi23456.scr			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\obb[1].scr			Jump to dropped file

Office drops RTF file

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File dump: obb[1].doc.0.dr			Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File dump: 56784164.doc.0.dr			Jump to dropped file

Office viewer loads remote template

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Section loaded: netapi32.dll and davhlpr.dll loaded

Jump to behavior

Drops PE files

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\obi23456.scr			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\obb[1].scr			Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\AppData\Roaming\obi23456.scr	Memory allocated: 180000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Memory allocated: 23B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Memory allocated: 210000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Memory allocated: 500000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Memory allocated: 2280000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Memory allocated: 750000 memory reserve \| memory write watch	Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Users\user\AppData\Roaming\obi23456.scr	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Thread delayed: delay time: 600000	Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\AppData\Roaming\obi23456.scr	Window / User API: threadDelayed 537			Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Window / User API: threadDelayed 9278			Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3456	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr TID: 3520	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr TID: 3636	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr TID: 3716	Thread sleep time: -11068046444225724s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr TID: 3716	Thread sleep time: -6000000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr TID: 3744	Thread sleep count: 537 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr TID: 3744	Thread sleep count: 9278 > 30	Jump to behavior

Source: C:\Users\user\AppData\Roaming\obi23456.scr	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Thread delayed: delay time: 600000	Jump to behavior

Source: C:\Users\user\AppData\Roaming\obi23456.scr

Process information queried: ProcessInformation

Jump to behavior

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Users\user\AppData\Roaming\obi23456.scr

Code function: 11_2_0050FCB8 LdrInitializeThunk,

11_2_0050FCB8

Enables debug privileges

Source: C:\Users\user\AppData\Roaming\obi23456.scr

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\AppData\Roaming\obi23456.scr

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 10.2.obi23456.scr.550000.1.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 10.2.obi23456.scr.550000.1.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 10.2.obi23456.scr.550000.1.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs	Reference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num3 + 8, ref buffer, 4, ref bytesRead)

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Roaming\obi23456.scr

Memory written: C:\Users\user\AppData\Roaming\obi23456.scr base: 400000 value starts with: 4D5A

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\obi23456.scr "C:\Users\user\AppData\Roaming\obi23456.scr"			Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Process created: C:\Users\user\AppData\Roaming\obi23456.scr "C:\Users\user\AppData\Roaming\obi23456.scr"			Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\AppData\Roaming\obi23456.scr	Queries volume information: C:\Users\user\AppData\Roaming\obi23456.scr VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\obi23456.scr	Queries volume information: C:\Users\user\AppData\Roaming\obi23456.scr VolumeInformation			Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 10.2.obi23456.scr.34b7a20.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.obi23456.scr.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.obi23456.scr.34971f0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.obi23456.scr.34b7a20.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.obi23456.scr.34971f0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.obi23456.scr.3407b70.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.937442781.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.937566804.0000000002431000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.937566804.0000000002281000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.417577947.00000000033B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: obi23456.scr PID: 3500, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: obi23456.scr PID: 3532, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\obi23456.scr

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Roaming\obi23456.scr

File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\

Jump to behavior

Yara detected Credential Stealer

Source: Yara match	File source: 10.2.obi23456.scr.34b7a20.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.obi23456.scr.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.obi23456.scr.34971f0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.obi23456.scr.34b7a20.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.obi23456.scr.34971f0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.obi23456.scr.3407b70.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.937442781.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.417577947.00000000033B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: obi23456.scr PID: 3500, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: obi23456.scr PID: 3532, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 10.2.obi23456.scr.34b7a20.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.obi23456.scr.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.obi23456.scr.34971f0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.obi23456.scr.34b7a20.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.obi23456.scr.34971f0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.obi23456.scr.3407b70.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.937442781.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.937566804.0000000002431000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.937566804.0000000002281000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.417577947.00000000033B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: obi23456.scr PID: 3500, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: obi23456.scr PID: 3532, type: MEMORYSTR

Windows Analysis Report
OVER DUE INVOICE PAYMENT.docx.doc

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Location Tracking

Exploits

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

ID:	1467841
Product:	CloudBasic
Start time:	21:37:11
Start date:	04.07.2024
Sample:	OVER DUE INVOICE PAYMENT.docx.doc
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	9f3fd4e8aa2ad81966d0c2a036d1e901
SHA1:	80a58393acb58fcc666e56b514994d98ba3f4716
SHA256:	cd9cf022180c8c6f6c4fb0d76476bf2e9382128d28a4686114c50448934e5381
Filetype:	Word Microsoft Office Open XML Format document (49504/1) 58.23%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD (copy)	data	858DBBD85F0BDAB9692F8B484A7F0D2C	0441CB3C6680D138FB0FC9BDF089DC71D4E07174	852E3D421B4154887B27542A80B3F50102F998D8D215AF9A3671D7F0E76D85E2
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\obb[1].doc	Rich Text Format data, version 1	3F9A089317AFA13A17B61D5E0F95B75E	F5129818D643FBA59BF77BC2785EEF2AF34DB679	09CC281D7242AEDDD2DE25D63EF16E9B8D190BD06D31928410FDAEF1E5A5C351
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\obb[1].scr	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	F7BDADAFF67E573F145D2E8E32E32CD8	CFD1377D49E09ECFA842760DD9CC78CC17A34628	FE80EEADE269CE2B6688E039296FC9E9743E24F881341ADAD24E220967312316
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\56784164.doc	Rich Text Format data, version 1	3F9A089317AFA13A17B61D5E0F95B75E	F5129818D643FBA59BF77BC2785EEF2AF34DB679	09CC281D7242AEDDD2DE25D63EF16E9B8D190BD06D31928410FDAEF1E5A5C351
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{56E3829F-B9EE-407D-9BA0-759B5D6DE9EF}.tmp	Composite Document File V2 Document, Cannot read section info	FEC10A763C7F9617CE078700B832E0A9	2300E26DC93B01214444321323C62ACCD8F02B67	F2083F94B8C345DB5189DAFA00C2A83349DA46C884856FD2CB8F797DB824E42E
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{3377BE63-CA6F-4392-A9C1-FA2F278DEB4B}.tmp	data	D190D1A931616300D3C497C0B72B3EE5	917EC82F9939F31F73888AB12D32BF715A7CDC3C	CCA8F779E41F94B453A0BB7D1EA606FF02C2857D3DE0813462D8A2B3F1626D68
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{9DDE2674-4367-40B6-80BF-7E7F99CD90A9}.tmp	data	CFFD575641C895B7CB170532B2057CE3	2E59F205A0B660A81681E730B0E4CDE438F80303	22744545E8FF77D2090E1D9AF5CD3368D44E4156261254EFFC234476B48CB20C
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B3E7E0B3-D5E2-42DC-A1FC-D3619BF7B6CC}.tmp	data	AC7C710B6CA9D66ED9923D65C708B21B	756E2D7C42EF9BF05DA7EA871B077BB6DAFCD8E7	C1BEA8318A21530E776F4E3336A3F5E8AFE04F52FBB44F254304A9F36C570B68
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E99E1800-284E-46BB-8918-39BEC0D2E5EE}.tmp	data	5D4D94EE7E06BBB0AF9584119797B23A	DBB111419C704F116EFA8E72471DD83E86E49677	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
C:\Users\user\AppData\Local\Temp\{3F9F2CA1-0B11-43D2-B9EA-6D13F79A8244}	data	858DBBD85F0BDAB9692F8B484A7F0D2C	0441CB3C6680D138FB0FC9BDF089DC71D4E07174	852E3D421B4154887B27542A80B3F50102F998D8D215AF9A3671D7F0E76D85E2
C:\Users\user\AppData\Local\Temp\{A90A2188-306E-4952-AFDE-E7959AACBB71}	data	ACD3DAD77F830B641A5F046F00CFD3BB	3411C483D08249670CB5AF78633798799099318C	DF0DA4B7E7739CD7E358E00B10B3ABDE25DB79BA50509C9EC082DDC5B1B72FB5
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\OVER DUE INVOICE PAYMENT.docx.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Aug 11 15:42:21 2023, mtime=Fri Aug 11 15:42:21 2023, atime=Thu Jul 4 18:38:20 2024, length=16418, window=hide	72CC07289A3030A0C53A1D3CA92DFED1	706C2C227EAB2D7B006442A619B994FC3F57E95C	A8FE29923F44084AA4F2870E8A1721F7B4412B9E713781F6C61315F795D16876
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat	Generic INItialization configuration [folders]	B9562ED1B48003DB73C159CC86AC925A	BB64918D6DE046D9DB5E3F8C52F07A8C2ABECAC3	3F92696ABA11DC01496171D0C42EC0C8FB8BECE96C284736C9F622948D72C7FE
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\obb.doc.url	MS Windows 95 Internet shortcut text (URL=<https://riell.top/obb.doc>), ASCII text, with CRLF line terminators	A085681EBB461A55BE28CF9AE262880E	2E53D304FB02FDF061F1DF2329C1876325364CBB	578E2B190FC08307F49BE0F232310D0CA9746064ED878FE41A1734B3B532546D
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\riell.top.url	MS Windows 95 Internet shortcut text (URL=<https://riell.top/>), ASCII text, with CRLF line terminators	7C4B92A4C06A7AA3645579A99B8D83AE	30F8E7A48E68F04FABEDB17481970880081512D4	126F147D79C43D1F127C372D0B09EB456576358A1B71AE46459F2D1F06161D8D
C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm	data	C4615A023DC40AFFAEAE6CF07410BB43	AAE1D68C4082CABF6AEA71C7981F32928CE01843	103F860A912CF17B87A169B2768635758E8A0B82EB986A0C42FEA974F91BCB1E
C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex	Unicode text, UTF-16, little-endian text, with no line terminators	F3B25701FE362EC84616A93A45CE9998	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
C:\Users\user\AppData\Roaming\obi23456.scr	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	F7BDADAFF67E573F145D2E8E32E32CD8	CFD1377D49E09ECFA842760DD9CC78CC17A34628	FE80EEADE269CE2B6688E039296FC9E9743E24F881341ADAD24E220967312316
C:\Users\user\Desktop\~$ER DUE INVOICE PAYMENT.docx.doc	data	C4615A023DC40AFFAEAE6CF07410BB43	AAE1D68C4082CABF6AEA71C7981F32928CE01843	103F860A912CF17B87A169B2768635758E8A0B82EB986A0C42FEA974F91BCB1E

Windows Analysis Report OVER DUE INVOICE PAYMENT.docx.doc

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Location Tracking

Exploits

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
OVER DUE INVOICE PAYMENT.docx.doc

Malware Threat Intel
Provided by