Windows Analysis Report
invoice.docx.doc

Overview

General Information

Sample name: invoice.docx.doc
Analysis ID: 1482854
MD5: b75bd88d4f4f2a7a5e77a4109d55c6ea
SHA1: 064c35b26c31413319d938fbc6ebaa3c4c85392e
SHA256: b74bbed109e630f69004a7372b4271fad04ace2cea48e99d730401738ee47deb
Tags: doc

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Microsoft Office launches external ms-search protocol handler (WebDAV)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected FormBook
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Contains an external reference to another file
Document exploit detected (process start blacklist hit)
Drops PE files with a suspicious file extension
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for dropped file
Microsoft Office drops suspicious files
Office drops RTF file
Office equation editor drops PE file
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Office viewer loads remote template
Sigma detected: Equation Editor Network Connection
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Microsoft Office Child Process
Allocates memory with a write watch (potentially for evading sandboxes)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document contains Microsoft Equation 3.0 OLE entries
Document misses a certain OLE stream usually present in this Microsoft Office document type
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Powershell Defender Exclusion
Sigma detected: SCR File Write Event
Sigma detected: Suspicious Office Outbound Connections
Sigma detected: Suspicious Screensaver Binary File Creation
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara signature match

Classification

AV Detection

Source: https://darpexllc.top/milli.scrjjC: Avira URL Cloud: Label: malware
Source: https://darpexllc.top/milli.scr Avira URL Cloud: Label: malware
Source: https://darpexllc.top/ Avira URL Cloud: Label: malware
Source: https://darpexllc.top/milli.doc Avira URL Cloud: Label: malware
Source: https://darpexllc.top/milli.scrC: Avira URL Cloud: Label: malware
Source: https://darpexllc.top/milli.scrX Avira URL Cloud: Label: malware
Source: https://darpexllc.top/E Avira URL Cloud: Label: malware
Source: https://darpexllc.top/milli.scrj Avira URL Cloud: Label: malware
Source: https://darpexllc.top/B Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{29E2E29E-E8D7-4444-B4C1-491BD16FE991}.tmp Avira: detection malicious, Label: EXP/CVE-2018-0798.Gen
Source: darpexllc.top Virustotal: Detection: 6%
Source: https://darpexllc.top/milli.doc Virustotal: Detection: 14%
Source: https://darpexllc.top/milli.scr Virustotal: Detection: 12%
Source: https://darpexllc.top/milli.scrj Virustotal: Detection: 11%
Source: https://darpexllc.top/ Virustotal: Detection: 6%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\milli[1].scr ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\milli[1].scr Virustotal: Detection: 33%
Source: C:\Users\user\AppData\Roaming\milliano89012.scr ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Virustotal: Detection: 33%
Source: invoice.docx.doc Virustotal: Detection: 29%
Source: invoice.docx.doc ReversingLabs: Detection: 28%
Source: Yara match File source: 13.2.milliano89012.scr.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.milliano89012.scr.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000002.440945111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.440917451.0000000000160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\milli[1].scr Joe Sandbox ML: detected

Exploits

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Network connect: IP: 188.114.96.3 Port: 443
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\milliano89012.scr
Source: ~WRF{29E2E29E-E8D7-4444-B4C1-491BD16FE991}.tmp.0.dr Stream path '_1783469528/\x1CompObj' : ...................F....Microsoft Equation 3.0....
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49162 version: TLS 1.0
Source: unknown HTTPS traffic detected: 192.168.2.22:49162 -> 188.114.96.3:443 version: TLS 1.0
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49163 version: TLS 1.0
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49164 version: TLS 1.0
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49165 version: TLS 1.0
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49169 version: TLS 1.0
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49170 version: TLS 1.0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49161 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49168 version: TLS 1.2
Source: Binary string: GYuS.pdbSHA256 source: EQNEDT32.EXE, 00000009.00000003.398076749.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, milliano89012.scr.9.dr, milli[1].scr.9.dr
Source: Binary string: wntdll.pdb source: milliano89012.scr, milliano89012.scr, 0000000D.00000002.441036459.0000000000D90000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: GYuS.pdb source: EQNEDT32.EXE, 00000009.00000003.398076749.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, milliano89012.scr.9.dr, milli[1].scr.9.dr

Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Code function: 4x nop then jmp 00393AB5h 10_2_00391DC0
Source: global traffic DNS query: name: darpexllc.top
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49169 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49169 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49169 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49169 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49169 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49169 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49169 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49169 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49168
Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: global traffic HTTP traffic detected: GET /milli.doc HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: darpexllc.topConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /milli.scr HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: darpexllc.topConnection: Keep-Alive
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49162 version: TLS 1.0
Source: unknown HTTPS traffic detected: 192.168.2.22:49162 -> 188.114.96.3:443 version: TLS 1.0
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49163 version: TLS 1.0
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49164 version: TLS 1.0
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49165 version: TLS 1.0
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49169 version: TLS 1.0
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49170 version: TLS 1.0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{56C650F8-251B-4F9F-9E2B-F04CCC4FE6B6}.tmp
Source: EQNEDT32.EXE, 00000009.00000003.398084054.00000000005AB000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.398305122.00000000005B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: global traffic DNS traffic detected: DNS query: darpexllc.top
Source: EQNEDT32.EXE, 00000009.00000003.398084054.00000000005AB000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.398305122.00000000005B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: EQNEDT32.EXE, 00000009.00000003.398076749.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000003.398084054.00000000005AB000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000003.398110610.00000000042BB000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000003.398096588.000000000055B000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.399403715.00000000042B0000.00000004.00000020.00020000.00000000.sdmp, milliano89012.scr.9.dr, milli[1].scr.9.dr String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: EQNEDT32.EXE, 00000009.00000003.398076749.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000003.398084054.00000000005AB000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000003.398110610.00000000042BB000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000003.398096588.000000000055B000.00000004.00000020.00020000.00000000.sdmp, milliano89012.scr.9.dr, milli[1].scr.9.dr String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: EQNEDT32.EXE, 00000009.00000003.398084054.00000000005AB000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.398305122.00000000005B2000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.398305122.0000000000588000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000003.398096588.0000000000588000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: EQNEDT32.EXE, 00000009.00000003.398084054.00000000005AB000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.398305122.00000000005B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: EQNEDT32.EXE, 00000009.00000003.398084054.00000000005AB000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.398305122.00000000005B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: EQNEDT32.EXE, 00000009.00000003.398084054.00000000005AB000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.398305122.00000000005B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: EQNEDT32.EXE, 00000009.00000003.398084054.00000000005AB000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.398305122.00000000005B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: EQNEDT32.EXE, 00000009.00000003.398084054.00000000005AB000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.398305122.00000000005B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: EQNEDT32.EXE, 00000009.00000003.398084054.00000000005AB000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.398305122.00000000005B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.use
Source: EQNEDT32.EXE, 00000009.00000003.398076749.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000003.398084054.00000000005AB000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.398305122.00000000005B2000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000003.398110610.00000000042BB000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000003.398096588.000000000055B000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.399403715.00000000042B0000.00000004.00000020.00020000.00000000.sdmp, milliano89012.scr.9.dr, milli[1].scr.9.dr String found in binary or memory: http://ocsp.comodoca.com0
Source: EQNEDT32.EXE, 00000009.00000002.398305122.0000000000588000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000003.398096588.0000000000588000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0%
Source: EQNEDT32.EXE, 00000009.00000003.398084054.00000000005AB000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.398305122.00000000005B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0-
Source: EQNEDT32.EXE, 00000009.00000003.398084054.00000000005AB000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.398305122.00000000005B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0/
Source: EQNEDT32.EXE, 00000009.00000002.398305122.0000000000588000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000003.398096588.0000000000588000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com05
Source: EQNEDT32.EXE, 00000009.00000003.398084054.00000000005AB000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.398305122.00000000005B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.entrust.net03
Source: EQNEDT32.EXE, 00000009.00000003.398084054.00000000005AB000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.398305122.00000000005B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.entrust.net0D
Source: milliano89012.scr, 0000000A.00000002.415822878.000000000291B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: EQNEDT32.EXE, 00000009.00000003.398084054.00000000005AB000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.398305122.00000000005B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: EQNEDT32.EXE, 00000009.00000003.398084054.00000000005AB000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.398305122.00000000005B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: darpexllc.top.url.0.dr String found in binary or memory: https://darpexllc.top/
Source: EQNEDT32.EXE, 00000009.00000003.398096588.00000000005A1000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.398305122.00000000005A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://darpexllc.top/B
Source: EQNEDT32.EXE, 00000009.00000003.398096588.00000000005A1000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.398305122.00000000005A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://darpexllc.top/E
Source: milli.doc.url.0.dr String found in binary or memory: https://darpexllc.top/milli.doc
Source: EQNEDT32.EXE, EQNEDT32.EXE, 00000009.00000002.398305122.0000000000524000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000003.398110610.00000000042BB000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.399403715.00000000042B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://darpexllc.top/milli.scr
Source: EQNEDT32.EXE, 00000009.00000003.398110610.00000000042BB000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.399403715.00000000042B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://darpexllc.top/milli.scrC:
Source: EQNEDT32.EXE, 00000009.00000003.398096588.000000000055B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://darpexllc.top/milli.scrX
Source: EQNEDT32.EXE, 00000009.00000002.398305122.000000000052F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://darpexllc.top/milli.scrj
Source: EQNEDT32.EXE, 00000009.00000002.398305122.000000000052F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://darpexllc.top/milli.scrjjC:
Source: EQNEDT32.EXE, 00000009.00000003.398084054.00000000005AB000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.398305122.00000000005B2000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.398305122.0000000000588000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000003.398096588.0000000000588000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
Source: EQNEDT32.EXE, 00000009.00000003.398076749.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000003.398084054.00000000005AB000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000003.398110610.00000000042BB000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000003.398096588.000000000055B000.00000004.00000020.00020000.00000000.sdmp, milliano89012.scr.9.dr, milli[1].scr.9.dr String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
Source: unknown Network traffic detected: HTTP traffic on port 49161 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown Network traffic detected: HTTP traffic on port 49163 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown Network traffic detected: HTTP traffic on port 49162 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown Network traffic detected: HTTP traffic on port 49164 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49164
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49163
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49162
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49161
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49166 -> 443
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49161 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49168 version: TLS 1.2

E-Banking Fraud

Source: Yara match File source: 13.2.milliano89012.scr.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.milliano89012.scr.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000002.440945111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.440917451.0000000000160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 13.2.milliano89012.scr.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 13.2.milliano89012.scr.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.440945111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.440917451.0000000000160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\milli[1].doc, type: DROPPED Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BD83929C.doc, type: DROPPED Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\milli.doc.url
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\darpexllc.top.url
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\milli[1].scr
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Roaming\milliano89012.scr
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Memory allocated: 770B0000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Memory allocated: 770B0000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Code function: 13_2_0042CE2F NtClose, 13_2_0042CE2F
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Code function: 13_2_00DA07AC NtCreateMutant,LdrInitializeThunk, 13_2_00DA07AC
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Code function: 13_2_00D9F9F0 NtClose,LdrInitializeThunk, 13_2_00D9F9F0
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Code function: 13_2_00D9FAE8 NtQueryInformationProcess,LdrInitializeThunk, 13_2_00D9FAE8
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Code function: 13_2_00D9FB68 NtFreeVirtualMemory,LdrInitializeThunk, 13_2_00D9FB68
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Code function: 13_2_00D9FDC0 NtQuerySystemInformation,LdrInitializeThunk, 13_2_00D9FDC0
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Code function: 13_2_00DA00C4 NtCreateFile, 13_2_00DA00C4
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Code function: 13_2_00DA0048 NtProtectVirtualMemory, 13_2_00DA0048
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Code function: 13_2_00DA0078 NtResumeThread, 13_2_00DA0078
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Code function: 13_2_00DA0060 NtQuerySection, 13_2_00DA0060
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Code function: 13_2_00DA01D4 NtSetValueKey, 13_2_00DA01D4
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Code function: 13_2_00DA010C NtOpenDirectoryObject, 13_2_00DA010C
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Code function: 13_2_00DA0C40 NtGetContextThread, 13_2_00DA0C40
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Code function: 13_2_00DA10D0 NtOpenProcessToken, 13_2_00DA10D0
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Code function: 13_2_00DA1148 NtOpenThread, 13_2_00DA1148
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Code function: 13_2_00D9F8CC NtWaitForSingleObject, 13_2_00D9F8CC
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Code function: 13_2_00D9F900 NtReadFile, 13_2_00D9F900
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Code function: 13_2_00D9F938 NtWriteFile, 13_2_00D9F938
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Code function: 13_2_00DA1930 NtSetContextThread, 13_2_00DA1930
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Code function: 13_2_00D9FAD0 NtAllocateVirtualMemory, 13_2_00D9FAD0
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Code function: 13_2_00D9FAB8 NtQueryValueKey, 13_2_00D9FAB8
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Code function: 13_2_00D9FA50 NtEnumerateValueKey, 13_2_00D9FA50
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Code function: 13_2_00D9FA20 NtQueryInformationFile, 13_2_00D9FA20
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Code function: 13_2_00D9FBE8 NtQueryVirtualMemory, 13_2_00D9FBE8
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Code function: 13_2_00D9FBB8 NtQueryInformationToken, 13_2_00D9FBB8
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Code function: 13_2_00D9FB50 NtCreateKey, 13_2_00D9FB50
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Code function: 13_2_00D9FC90 NtUnmapViewOfSection, 13_2_00D9FC90
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Code function: 13_2_00D9FC48 NtSetInformationFile, 13_2_00D9FC48
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Code function: 13_2_00D9FC60 NtMapViewOfSection, 13_2_00D9FC60
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Code function: 13_2_00D9FC30 NtOpenProcess, 13_2_00D9FC30
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Code function: 13_2_00D9FD8C NtDelayExecution, 13_2_00D9FD8C
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Code function: 13_2_00DA1D80 NtSuspendThread, 13_2_00DA1D80
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Code function: 13_2_00D9FD5C NtEnumerateKey, 13_2_00D9FD5C
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Code function: 13_2_00D9FED0 NtAdjustPrivilegesToken, 13_2_00D9FED0
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Code function: 13_2_00D9FEA0 NtReadVirtualMemory, 13_2_00D9FEA0
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Code function: 13_2_00D9FE24 NtWriteVirtualMemory, 13_2_00D9FE24
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Code function: 13_2_00D9FFFC NtCreateProcessEx, 13_2_00D9FFFC
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Code function: 13_2_00D9FFB4 NtCreateSection, 13_2_00D9FFB4
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Code function: 13_2_00D9FF34 NtQueueApcThread, 13_2_00D9FF34
Source: ~WRF{29E2E29E-E8D7-4444-B4C1-491BD16FE991}.tmp.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Code function: String function: 00DF373B appears 253 times
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Code function: String function: 00DF3F92 appears 132 times
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Code function: String function: 00DAE2A8 appears 60 times
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Code function: String function: 00DADF5C appears 137 times
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Code function: String function: 00E1F970 appears 84 times
Source: 13.2.milliano89012.scr.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 13.2.milliano89012.scr.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.440945111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.440917451.0000000000160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\milli[1].doc, type: DROPPED Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BD83929C.doc, type: DROPPED Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
Source: milli[1].scr.9.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: milliano89012.scr.9.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 10.2.milliano89012.scr.3ab6ea8.5.raw.unpack, oVA8TpU01O04b4B6q1.cs Security API names: _0020.SetAccessControl
Source: 10.2.milliano89012.scr.3ab6ea8.5.raw.unpack, oVA8TpU01O04b4B6q1.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 10.2.milliano89012.scr.3ab6ea8.5.raw.unpack, oVA8TpU01O04b4B6q1.cs Security API names: _0020.AddAccessRule
Source: 10.2.milliano89012.scr.3a1f288.6.raw.unpack, FAiMyUWZWKk3jewBmb.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 10.2.milliano89012.scr.3a1f288.6.raw.unpack, oVA8TpU01O04b4B6q1.cs Security API names: _0020.SetAccessControl
Source: 10.2.milliano89012.scr.3a1f288.6.raw.unpack, oVA8TpU01O04b4B6q1.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 10.2.milliano89012.scr.3a1f288.6.raw.unpack, oVA8TpU01O04b4B6q1.cs Security API names: _0020.AddAccessRule
Source: 10.2.milliano89012.scr.3ab6ea8.5.raw.unpack, FAiMyUWZWKk3jewBmb.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 10.2.milliano89012.scr.4a80000.8.raw.unpack, FAiMyUWZWKk3jewBmb.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 10.2.milliano89012.scr.4a80000.8.raw.unpack, oVA8TpU01O04b4B6q1.cs Security API names: _0020.SetAccessControl
Source: 10.2.milliano89012.scr.4a80000.8.raw.unpack, oVA8TpU01O04b4B6q1.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 10.2.milliano89012.scr.4a80000.8.raw.unpack, oVA8TpU01O04b4B6q1.cs Security API names: _0020.AddAccessRule
Source: classification engine Classification label: mal100.troj.expl.evad.winDOC@8/22@14/2
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$voice.docx.doc
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVR8507.tmp
Source: invoice.docx.doc OLE indicator, Word Document stream: true
Source: ~WRF{29E2E29E-E8D7-4444-B4C1-491BD16FE991}.tmp.0.dr OLE document summary: title field not present or empty
Source: ~WRF{29E2E29E-E8D7-4444-B4C1-491BD16FE991}.tmp.0.dr OLE document summary: author field not present or empty
Source: ~WRF{29E2E29E-E8D7-4444-B4C1-491BD16FE991}.tmp.0.dr OLE document summary: edited time not present or 0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: invoice.docx.doc Virustotal: Detection: 29%
Source: invoice.docx.doc ReversingLabs: Detection: 28%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\milliano89012.scr "C:\Users\user\AppData\Roaming\milliano89012.scr"
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\milliano89012.scr"
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Process created: C:\Users\user\AppData\Roaming\milliano89012.scr "C:\Users\user\AppData\Roaming\milliano89012.scr"
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: wow64win.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: wow64cpu.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: msi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: cryptsp.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: rpcrtremote.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dwmapi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: version.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: secur32.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: winhttp.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: webio.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: iphlpapi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: winnsi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dnsapi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: nlaapi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dhcpcsvc6.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dhcpcsvc.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: rasadhlp.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: credssp.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: ncrypt.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: bcrypt.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Section loaded: wow64win.dll
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Section loaded: wow64cpu.dll
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Section loaded: bcrypt.dll
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Section loaded: rpcrtremote.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rpcrtremote.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcrypt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Section loaded: wow64win.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Section loaded: wow64cpu.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32 Jump to behavior
Source: invoice.docx.LNK.0.dr LNK file: ..\..\..\..\..\Desktop\invoice.docx.doc
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Roaming\milliano89012.scr File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: invoice.docx.doc Initial sample: OLE zip file path = word/_rels/settings.xml.rels
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: GYuS.pdbSHA256 source: EQNEDT32.EXE, 00000009.00000003.398076749.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, milliano89012.scr.9.dr, milli[1].scr.9.dr
Source: Binary string: wntdll.pdb source: milliano89012.scr, milliano89012.scr, 0000000D.00000002.441036459.0000000000D90000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: GYuS.pdb source: EQNEDT32.EXE, 00000009.00000003.398076749.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, milliano89012.scr.9.dr, milli[1].scr.9.dr
Source: invoice.docx.doc Initial sample: OLE indicators vbamacros = False

Data Obfuscation

Source: 10.2.milliano89012.scr.870000.0.raw.unpack, -.cs .Net Code: _0001 System.Reflection.Assembly.Load(byte[])
Source: 10.2.milliano89012.scr.870000.0.raw.unpack, PingPong.cs .Net Code: Justy
Source: 10.2.milliano89012.scr.2699e74.3.raw.unpack, -.cs .Net Code: _0001 System.Reflection.Assembly.Load(byte[])
Source: 10.2.milliano89012.scr.2699e74.3.raw.unpack, PingPong.cs .Net Code: Justy
Source: 10.2.milliano89012.scr.3ab6ea8.5.raw.unpack, oVA8TpU01O04b4B6q1.cs .Net Code: QIps3eajis System.Reflection.Assembly.Load(byte[])
Source: 10.2.milliano89012.scr.3a1f288.6.raw.unpack, oVA8TpU01O04b4B6q1.cs .Net Code: QIps3eajis System.Reflection.Assembly.Load(byte[])
Source: 10.2.milliano89012.scr.4a80000.8.raw.unpack, oVA8TpU01O04b4B6q1.cs .Net Code: QIps3eajis System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Code function: 13_2_00448B4B LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 13_2_00448B4B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_00547258 push edx; ret 9_2_0054726B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_00547249 push edx; ret 9_2_0054724B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_00547272 push edx; ret 9_2_0054727B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_0054746B push esp; ret 9_2_0054746F
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_00546637 push ebx; ret 9_2_0054663B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_0054662D push ebx; ret 9_2_00546633
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_00543CD4 push edx; ret 9_2_00543CDB
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_00546EDC push ebx; ret 9_2_00546F9F
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_00543CE2 push edx; ret 9_2_00543CEB
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_00543CEF push edx; ret 9_2_00543CFB
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_00543C8F push edx; ret 9_2_00543C9B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_00547288 push edx; ret 9_2_0054728B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_0054688B push esp; iretd 9_2_0054688D
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_00543D52 push edx; ret 9_2_00543D5B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_00543F4C push ebx; ret 9_2_00543F77
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_00547172 push edx; ret 9_2_0054717B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_0054717F push edx; ret 9_2_0054718B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_00543F7B push esp; ret 9_2_00543F7F
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_00538F60 push eax; retf 9_2_00538F61
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_00543D68 push edx; ret 9_2_00543D7B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_00543D1F push edx; ret 9_2_00543D3B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_00543D0F push edx; ret 9_2_00543D1B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_00543D3F push edx; ret 9_2_00543D4B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_005471D2 push edx; ret 9_2_005471DB
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_005471DF push edx; ret 9_2_005471EB
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_005301F4 push eax; retf 9_2_005301F5
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_005471FF push edx; ret 9_2_0054720B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_00543D98 push edx; ret 9_2_00543D9B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_00543D82 push edx; ret 9_2_00543D8B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_00546FA5 push ebx; ret 9_2_00546FA7
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Code function: 10_2_0039AFE8 push eax; retn 0065h 10_2_0039AFE9
Source: milli[1].scr.9.dr Static PE information: section name: .text entropy: 7.934921786307537
Source: milliano89012.scr.9.dr Static PE information: section name: .text entropy: 7.934921786307537
Source: 10.2.milliano89012.scr.3ab6ea8.5.raw.unpack, 10.2.milliano89012.scr.3a1f288.6.raw.unpack, 10.2.milliano89012.scr.4a80000.8.raw.unpack High entropy of concatenated method names

Persistence and Installation Behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: \Device\RdpDr\;:1\darpexllc.top@SSL\DavWWWRoot
Source: settings.xml.rels Extracted files from sample: https://darpexllc.top/milli.doc
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\milli[1].scr
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Roaming\milliano89012.scr
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File dump: milli[1].doc.0.dr
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File dump: BD83929C.doc.0.dr
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Section loaded: netapi32.dll and davhlpr.dll loaded
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Memory allocated: 390000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Memory allocated: 2670000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Memory allocated: AE0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Memory allocated: 66B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Memory allocated: 5320000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Memory allocated: 76B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Memory allocated: 55C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Code function: 13_2_00DF0101 rdtsc 13_2_00DF0101
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2986
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1628
Source: C:\Users\user\AppData\Roaming\milliano89012.scr API coverage: 5.4 %
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3244 Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\AppData\Roaming\milliano89012.scr TID: 3308 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3516 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3524 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3472 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\milliano89012.scr TID: 3368 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Code function: 13_2_00DA07AC NtCreateMutant,LdrInitializeThunk, 13_2_00DA07AC
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Code function: 13_2_00446B54 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 13_2_00446B54
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Code function: 13_2_00448B4B LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 13_2_00448B4B
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Code function: 13_2_00D900EA mov eax, dword ptr fs:[00000030h] 13_2_00D900EA
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Code function: 13_2_00D90080 mov ecx, dword ptr fs:[00000030h] 13_2_00D90080
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Code function: 13_2_00DB26F8 mov eax, dword ptr fs:[00000030h] 13_2_00DB26F8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Code function: 13_2_004485FB _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 13_2_004485FB
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Roaming\milliano89012.scr Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\milliano89012.scr"
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Memory written: C:\Users\user\AppData\Roaming\milliano89012.scr base: 400000 value starts with: 4D5A
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\milliano89012.scr "C:\Users\user\AppData\Roaming\milliano89012.scr"
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Process created: C:\Users\user\AppData\Roaming\milliano89012.scr "C:\Users\user\AppData\Roaming\milliano89012.scr"
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Queries volume information: C:\Users\user\AppData\Roaming\milliano89012.scr VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_32\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\milliano89012.scr Code function: 13_2_0044812F GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 13_2_0044812F
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 13.2.milliano89012.scr.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.milliano89012.scr.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000002.440945111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.440917451.0000000000160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 13.2.milliano89012.scr.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.milliano89012.scr.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000002.440945111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.440917451.0000000000160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY